Embodiments presented herein relate to methods, a client node, a compute node, a key management node, computer programs, and a computer program product for verifying setup of encryption of a block of data.
In communications networks, there may be a challenge to obtain good performance and capacity for a given communications protocol, its parameters and the physical environment in which the communications network is deployed.
For example, one parameter in providing good performance and capacity for a given communications protocol in a communications network is the ability to provide secure communications and secure data storage.
Currently, some computational cloud platforms provide secure storage via a Linux Unified key setup (LUKS) volume encryption process running on a compute node. The compute node itself can be secured using concepts like Trusted Compute Pools and Trusted Platform Modules.
Trusted Platform Modules based technologies can be used to increase security in computational cloud platform environments. One drawback is that these technologies do not provide transparency to the end-users (as represented by client nodes). Particularly, there is currently very limited (or even non-existing) means for the end user to obtain any kind of proof that data stored on an encrypted volume storage actually is encrypted. The encryption is performed by the compute node before the data is sent to a storage node. Nor is any proof provided that the compute node is secured with a TPM and that a trusted boot has been performed.
Hence, there is still a need for an improved handling of encryption of a block of data.
An object of embodiments herein is to provide efficient setup for encryption of a block of data.
According to a first aspect there is presented a method for verifying setup of encryption of a block of data. The method is performed by a client node. The method comprises obtaining an indication to encrypt the block of data. The method comprises providing a first message to a compute node indicating a setup request of a block storage volume, V, to be encrypted, wherein the first message comprises a nonce, N. The method comprises obtaining a second message from the compute node, wherein the second message comprises the nonce, N, arid provides validation that a key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a second aspect there is presented a client node for verifying setup of encryption of a block of data. The client node comprises processing circuitry. The processing circuitry is configured to cause the client node to obtain an indication to encrypt the block of data. The processing circuitry is configured to cause the client node to provide a first message to a compute node indicating a setup request of a block storage volume, V, to be encrypted, wherein the first message comprises a nonce, N. The processing circuitry is configured to cause the client node to obtain a second message from the compute node, wherein the second message comprises the nonce, N, and provides validation that a key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a third aspect there is presented a client node for verifying setup of encryption of a block of data. The client node comprises processing circuitry. The client node comprises a computer program product. The computer program product stores instructions that, when executed by the processing circuitry, causes the client node to perform a set of operations, or steps. The operations comprise providing a first message to a compute node indicating a setup request of a block storage volume, V, to be encrypted, wherein the first message comprises a nonce, N. The operations comprise obtaining a second message from the compute node, wherein the second message comprises the nonce, N, and provides validation that a key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a fourth aspect there is presented a client node for verifying setup of encryption of a block of data. The client node comprises an obtain module configured to obtain an indication to encrypt the block of data. The client node comprises a provide module configured to provide a first message to a compute node indicating a setup request of a block storage volume, V, to be encrypted, wherein the first message comprises a nonce, N. The obtain module is further configured to obtain a second message from the compute node, wherein the second message comprises the nonce, N, and provides validation that a key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a fifth aspect there is presented a computer program for verifying setup of encryption of a block of data, the computer program comprising computer program code which, when run on processing circuitry of a client node, causes the client node to perform a method according to the first aspect.
According to a sixth aspect there is presented a method for verifying setup of encryption of a block of data. The method is performed by a compute node. The method comprises obtaining a first message from a client node, wherein the first message indicates a setup request of a block storage volume, V, to be encrypted, and wherein the first message comprises a nonce, N. The method comprises providing a third message to a key management node, wherein the third message comprises the nonce, N, a unique data storage identity of the block storage volume, V, to be encrypted, and a unique user identity of the client node. The method comprises obtaining a fourth message from the key management node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, In X. The method comprises providing a second message to the client node, wherein the second message comprises the nonce, N, and provides validation that the key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a seventh aspect there is presented a compute node for verifying setup of encryption of a block of data. The compute node comprises processing circuitry. The processing circuitry is configured to cause the compute node to obtain a first message from a client node, wherein the first message indicates a setup request of a block storage volume, V, to be encrypted, and wherein the first message comprises a nonce, N. The processing circuitry is configured to cause the compute node to provide a third message to a key management node, wherein the third message comprises the nonce, N, a unique data storage identity of the block storage volume, V, to be encrypted, and a unique user identity of the client node. The processing circuitry is configured to cause the compute node to obtain a fourth message from the key management node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX. The processing circuitry is configured to cause the compute node to provide a second message to the client node, wherein the second message comprises the nonce, N, and provides validation that the key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to an eighth aspect there is presented a compute node for verifying setup of encryption of a block of data. The compute node comprises processing circuitry. The compute node comprises a computer program product. The computer program product stores instructions that, when executed by the processing circuitry, causes the compute node to perform a set of operations, or steps. The operations comprise obtaining a first message from a client node, wherein the first message indicates a setup request of a block storage volume, V, to be encrypted, and wherein the first message comprises a nonce, N. The operations comprise providing a third message to a key management node, wherein the third message comprises the nonce, N, a unique data storage identity of the block storage volume, V, to he encrypted, and a unique user identity of the client node. The operations comprise obtaining a fourth message from the key management node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX. The operations comprise providing a second message to the client node, wherein the second message comprises the nonce, N, and provides validation that the key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a ninth aspect there is presented a compute node for verifying setup of encryption of a block of data. The compute node comprises an obtain module configured to obtain a first message from a client node, wherein the first message indicates a setup request of a block storage volume, V, to be encrypted, and wherein the first message comprises a nonce, N. The compute node comprises a provide module configured to provide a third message to a key management node, wherein the third message comprises the nonce, N, a unique data storage identity of the block storage volume, V, to be encrypted, and a unique user identity of the client node. The obtain module is further configured to obtain a fourth message from the key management node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX. The provide module is further configured to provide a second message to the client node, wherein the second message comprises the nonce, N, and provides validation that the key management node has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node, including evidence that the compute node is in a trusted state according to the key management node.
According to a tenth aspect there is presented a computer program for verifying setup of encryption of a block of data, the computer program comprising computer program code which, when run on processing circuitry of a compute node, causes the compute node to perform a method according to the sixth aspect.
According to an eleventh aspect there is presented a method for verifying setup of encryption of a block of data. The method is performed by a key management node. The method comprises obtaining a third message from a compute node, wherein the third message comprises a nonce, N, of a client node, a unique data storage identity of a block storage volume, V, to be encrypted, and a unique user identity of the client node. The method comprises providing a fourth message to the compute node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX.
According to a twelfth aspect there is presented a key management node for verifying setup of encryption of a block of data. The key management node comprises processing circuitry. The processing circuitry is configured to cause the key management node to obtain a third message from a compute node, wherein the third message comprises a nonce, N, of a client node, a unique data storage identity of a block storage volume, V, to be encrypted, and a unique user identity of the client node The processing circuitry is configured to cause the key management node to provide a fourth message to the compute node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX.
According to a thirteenth aspect there is presented a key management node for verifying setup of encryption of a block of data. The key management node comprises processing circuitry. The key management node comprises a computer program product. The computer program product stores instructions that, when executed by the processing circuitry, causes the key management node to perform a set of operations, or steps. The operations comprise obtaining a third message from a compute node, wherein the third message comprises a nonce, N, of a client node, a unique data storage identity of a block storage volume, V, to be encrypted, and a unique user identity of the client node. The operations comprise providing a fourth message to the compute node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX.
According to a fourteenth aspect there is presented a key management node for verifying setup of encryption of a block of data. The key management node comprises an obtain module configured to obtain a third message from a compute node, wherein the third message comprises a nonce, N, of a client node, a unique data storage identity of a block storage volume, V, to be encrypted, and a unique user identity of the client node. The key management node comprises a provide module configured to provide a fourth message to the compute node, wherein the fourth message comprises the nonce, N, and an encrypted data storage key, UVX.
According to a fifteenth aspect there is presented a computer program for verifying setup of encryption of a block of data, the computer program comprising computer program code which, when run on processing circuitry of a key management node, causes the key management node to perform a method according to the eleventh aspect.
According to a sixteenth aspect there is presented a computer program product comprising a computer program according to at least one of the fifth aspect, the tenth aspect, and the fifteenth aspect, and a computer readable storage medium on which the computer program is stored. The computer readable storage medium can be a non-transitory computer readable storage medium.
Advantageously these methods, this client node, this compute node, this key management node, these computer programs, and this computer program product provide efficient setup for encryption of a block of data.
Advantageously, the client node (and hence the end-user) will receive a proof that the compute node has been in communication with the key management node to obtain the storage key of the client node and that an encrypted volume has been attached.
Advantageously, the client node (and hence the end-user) can receive information of PCR register content on the compute node on which the encryption is performed, which makes it possible for the client node to analyze these values and compare them with whitelists.
Advantageously, this enables an encrypted volume to only be attached on an approved and trusted compute node.
Advantageously, this provides a secure distribution of volume encryption keys where the key is distributed encrypted to secure compute nodes.
It is to be noted that any feature of the first, second, third, fourth, fifth, sixth seventh, eight, ninth, tenth, eleventh, twelfth, thirteenth, fourteenth, fifteenth and sixteenth aspects may be applied to any other aspect, wherever appropriate. Likewise, any advantage of the first aspect may equally apply to the second, third, fourth, fifth, sixth, seventh., eight, ninth, tenth, eleventh, twelfth, thirteenth, fourteenth, fifteenth, and/or sixteenth aspect, respectively, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following detailed disclosure, from the attached dependent claims as well as from the drawings.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to “a/an/the element, apparatus, component, means, step, etc.” are to he interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
The inventive concept is now described, by way of example, with reference to the accompanying drawings, in which:
The inventive concept will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the inventive concept are shown. This inventive concept may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive concept to those skilled in the art. Like numbers refer to like elements throughout the description. Any step or feature illustrated by dashed lines should be regarded as optional.
The client node 200 may be a wireless device, a mobile station, a mobile phone, a handset, a wireless local loop phone, a user equipment (UE), a mobile equipment, a smartphone, a laptop computer, a tablet computer, a wireless modem, or a sensor device. It may also be a more stationary device such as a telematics unit embedded in or attachable to a vehicle, such as a car, truck, bus, boat, train, airplane and flying drone. The client node 200 may also for example be embedded in or attachable to a domestic appliance, such as in white goods, door locks, surveillance and alarm equipment and autonomous vacuum cleaners and grass cutters. The client node 200 may also be embedded in or attachable telematics units for robots and 3D printers used for industrial purposes or for domestic support functions. Other examples of where the client node 200 may be incorporated or added to is in public service equipment, such as street lamps, surveillance cameras, entrance admittance equipment for public transport. The client node 200 may in other words be or be implemented in equipment which is able to utilize the wireless connectivity to the communications network 100. Further examples of such client nodes 200 are equipment used in healthcare and in payment terminals, e.g. payment terminals for credit cards.
It is assumed that the client node 200 has a need to securely store encrypted data.
The embodiments disclosed herein therefore relate to mechanisms for verifying setup of encryption of a block of data. In order to obtain such mechanisms there is provided a client node 200, a method performed by the client node 200, a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the client node 200, causes the client node 200 to perform the method. In order to obtain such mechanisms there is further provided a compute node 300, a method performed by the compute node 300, and a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the compute node 300, causes the compute node 300 to perform the method. In order to obtain such mechanisms there is further provided a key management node 400, a method performed by the key management node 400, and a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the key management node 400, causes the key management node 400 to perform the method.
Reference is now made to
S202: The client node 200 obtains an indication to encrypt the block of data. Even if encryption of the block of data always is enabled, this in itself defines an indirect indication that the block of data is to he encrypted.
S204: The client node 200 provides a first message to a compute node 300. The first message indicates a setup request of a block storage 130 volume, V, to be encrypted. The first message comprises a nonce, N. The nonce, N, could be a cryptographic nonce, a timestamp, etc.
S206: The client node 200 obtains a second message from the compute node 300. The second message comprises the nonce, N, and provides validation that a key management node 400 has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node 300, including evidence that the compute node 300 is in a trusted state according to the key management node 400.
In this respect, the block of data may not necessary be available at the client node 200 when the setup of encryption of the block of data is made, but could, for example, become available once proof of an encrypted block storage volume has been validated (as in step S206). Further, the block storage 130 that is attached to the instance of the client node 200 on the compute node 300 can be used to securely store the block of data onto the encrypted block storage 130. Further, the block of data stored by the instance may not be explicatively available at the client node 200, but rather that the client node 200 indicates the block of data to be protected. Further, the herein disclosed embodiments are not limited to any particular size of the block of data, and neither are the herein disclosed embodiments limited to any particular size of the volume. In this respect, once encrypted, the block storage 130 volume, V, may be defined as an encrypted storage volume for the block of data.
Reference is now made to
S302: The compute node 300 obtains a first message from the client node 200. As disclosed above with reference to step S204, the first message indicates a setup request of a block storage 130 volume, V, to be encrypted, and comprises a nonce, N.
S316: The compute node 300 provides a third message to a key management node 400. The third message comprises the nonce, N, a unique data storage identity of the block storage 130 volume, V, to be encrypted, and a unique user identity of the client node 200.
S318: The compute node 300 obtains a fourth message from the key management node 400. The fourth message comprises the nonce, N, and an encrypted data storage key, UVX.
S336: The compute node 300 provides a second message to the client node 200. As disclosed above with reference to step S206, the second message comprises the nonce, N, and provides validation that the key management node 400 has taken part in setup of the encryption of the block of data and a cryptographic measurement of the compute node 300, including evidence that the compute node 300 is in a trusted state according to the key management node 400.
Reference is now made to
S402: The key management node 400 obtains a third message from a compute node 300. As disclosed above with reference to step S316, the third message comprises a nonce, N, of a client node 200, a unique data storage identity of a block storage 130 volume, V, to be encrypted, and a unique user identity of the client node 200.
S418: The key management node 400 provides a fourth message to the compute node 300. As disclosed above with reference to step S318, the third message comprises the nonce, N, and an encrypted data storage key, UVX.
By using RSA encryption keys in arid the TPM on a compute node 300, proof can be provided to the client device 200 that an encrypted block storage 130 volume, V; is setup on a secure compute node 300.
Proof, in form of signed receipt, is made available to the client device 200 both at the front-end as well as on the encrypted volume itself.
When attaching an encrypted volume, the key management node 300 can obtain a proof that it is a trusted compute node 300 in an authorized state that requests the volume encryption key of a specific client node 200 for a given volume.
Storage of secured volume encryption keys in, possibly unsecure, database makes it possible to avoid unnecessary calls to TPM and the key management node 400 in many re-initialization cases.
An ordinary bind key in combination with NV-RAM data sealed to specific PCR-states and/or protected with a PCR dependent pass-phrase gives the possibility to remotely seal data.
Embodiments relating to further details of verifying setup of encryption of a block of data as performed by the client node 200, the compute node 300, and the key management node 400 will now be disclosed.
Reference is now made to
S100: The client node 200 obtains an indication to encrypt the block of data, as in step S202.
S101: For an initial volume encryption setup, client node 200 generates nonce N, which is to be used as proof that encryption of the block of data has indeed been setup.
S102: The client node 200 signs a first message, where the signed first message is denoted M1, including the nonce. The first message is signed with a private encryption key (such as a private RSA key) of the client node 200. In addition to N, the first message can also include additional information such as a specific platform configuration (PCR) list for a trusted platform module (TPM) quote, and optional a unique volume identity, VId. Hence, according to an embodiment the first message is digitally signed using a private encryption key of the client node 200 before being provided to the compute node 300 as a digitally signed message M1.
S103: The client node 200 encrypts AP with a public encryption key such as a public RSA key, where RSA is short for Rivest-Shamir-Adleman) of the key management node 400, where the encrypted first message is denoted M2. Hence, according to an embodiment the digitally signed message M1 is encrypted using a public key of the key management node 400 before being provided to the compute node 300 as an encrypted message M2.
S104: The client node 200 sends M2 as part of volume attach, VA, to the compute node 300. The compute node 300 thus obtains M2 from the client node 200. If M2 is not included in the attach message then this indicates that volume encryption already may have been setup and the client node 200 does not request any proof, alternatively volume encryption is not used for the specific volume. The message M2 can be mandatory for a new block of data to be encrypted, i.e. where encryption has not yet been setup. Hence, according to an embodiment the first message is provided to the compute node (300) as part of a volume attach, VA, message. Step S104 may be performed as part of above disclosed step S204. Step S104 may be performed as part of above disclosed step S302.
S105: The compute node 300 checks the VA and may find M2, indicating a setup request of an encrypted block storage 130 volume, V.
S106: The compute node 300 retrieves the block storage 130 volume, V, from a block storage node. Hence, according to an embodiment the compute node 300, in a step S106a, retrieves the block storage 130 volume, V, from a block storage node. In case M2 was not included in the VA message then the block storage 130 volume, V, will be checked if it already is encrypted. Hence, according to an embodiment the compute node 300, in a step S106b, and in a case the first message has not been digitally signed using a private encryption key of the client node 200 and not encrypted using a public key of a key management node 400, verifies whether the block storage 130 volume, V, has already been encrypted or riot.
S107: Prior continuing with volume encryption, the compute node 300 checks its TPM PCR register(s) to ensure that trusted boot has been performed. Hence, according to an embodiment the compute node 300, in a step S308, verifies with the PCR that a trusted boot of the compute node 300 has been performed.
S108: If not already available, the compute node 300 creates a non migratable TPM based bind key, which public part is denoted PKBind, as well as associated certification information. An encryption key, B, is read from TPM Non-Volatile Random Access Memory (NV-RAM), which is bound to a trusted PCR state of the TPM. The encryption key B is created, such as with a random value, at trusted boot if not already existing. The trusted state may include a passphrase that is used to extend a PCR register prior defining the NV-RAM space. An alternative to using the encryption key, B, for PCR-dependency is to let PKBind be dependent on the trusted PCR state.
S109: The compute node 300 creates BX=Hash(VId|UId|PKBind|B), where Hash(x) is a hash function of the parameter x. In turn, BX will be encrypted, E(BX), where the encrypted message is denoted E1, with the public encryption key of the key management node 400. Hence, according to an embodiment the compute node 300, in a step S310, generates an encrypted message E1 of BX using a public encryption key of the key management node 400, where BX=Hash(VId|UId|PKBind|B), where VId is a unique identity of the block storage 130 volume, V, where UId is the unique identity of the client node 300, where PKBind is a non-migratable TPM based bind key.
S110a, S110b: The compute node 300 makes a Quote2 request. This can be required to provide proof to the key management node 400 that a trusted compute node 300, in an approved PCR state, is requesting the volume encryption key, UV, of the client node 200. The Quote2 request can make use of NQ=Hash(E1, PKBind, M2 (if existing), UId and VId). Denote the quote response QResp. If M2 is included in the VA, then a second quote request will be made at a later stage in order to provide proof to the client node 200 that an encrypted volume has been initiated. The Quote2 in Step S110a, S110b can be replaced by a CertifyKey command, generating a Certify-KeyInfo certification of PKBind and using Hash(E1, M2 (if existing), UId and VId) as nonce. Hence, according to an embodiment, where the first message is Obtained as a signed and encrypted message, M2, the compute node 300, in a step S312, provides a Quote2 request, QReq, comprising NQ=Hash(E1, PKBind, M2, UId, VId) to the TPM 120; and in return, in a step S314, obtains a response, QResp, to the Quote2 request from the TPM 120.
S111: The compute node 300 sends QResp, E1, PKBind, UId and VId and, in the initial case, M2 to the key management node 400, which thus obtains this information. Hence, according to an embodiment the third message provided to the key management node 400 comprises QResp, E1, PKBind, UId and VId (and, optionally, M2). Step S111 may be performed as part of above disclosed step S316. Step S111 maybe performed as part of above disclosed step S402.
S112: The key management node 400 will, when existing, decrypt M2 in order to obtain the nonce, N. The key management node 400 will also verify QResp to ensure that a trusted compute node 300 is requesting UV. When verifying QResp, the key management node 400 will validate NQ by determining the same hash, i.e., Hash(E1, PKBind, M2 (if existing), UId and VId,), and compare the result to QResp. The key management node 400 can now compare the hash of the PCR contents from QResp with a white list to make sure that UV is only distributed to an approved and trusted compute node 300. Validation of NQ will also bind the received E1, PKBind, M2 (if existing), UId and VId to the platform state proofed by QResp. Hence, according to an embodiment, and where the third message comprises an encrypted message M2 originating from the client node 200, the key management node 400 is configured to, in a step S404, verify QResp, by determining NQ=Hash(E1, M2, PKBind, UId, VId) and comparing the result thereof to QResp.
S113: The key management node 400, if M2 was included, retrieves the public encryption key, denoted UPUB, of the client node 200 is retrieved from the user identification node 140 to verify M1. Hence, according to an embodiment, and where the third message comprises an encrypted message M2 originating from the client node 200, the key management node 400 is configured to, in a step S406, verify with a user identification node 140, the encrypted message M2 using a public encryption key, UPUB, of the client node 200.
S114: The key management node 400, where applicable, verifies the signature of M1. If VId was included in M2, the key management node 400 also compares VId with VId as sent from the client node 300 in step S111. Hence, according to an embodiment, and where the third message comprises a digitally signed message M1 originating from the client node 200, the key management node 400 is configured to, in a step S408, verify the digitally signed message M1.
S115: If not existing, the key management node 400 will create a unique user encryption key, denoted UK, which will be a root key for the client node 200, used to derive other encryption keys. Hence, according to an embodiment the key management node 400 is configured to, in a step S410, generate a root encryption key, UK, for the client node 200.
S116: The key management node 400 assigns a specific volume encryption key, denoted UV, derived from UK and, in relevant cases, VId. UV is derived such that it later can be recreated for the client ode 200 when verifying a QResp message and that it is unique for the volume. Hence, according to an embodiment the key management node 400 is configured to, in a step S412, assign a volume encryption key, UV, derived from UK, such that UV is re-creatable for the client node (200) when verifying a QResp message and that UV is unique for the block storage 130 volume, V, to be encrypted.
S117: The key management node 400 decrypts E1, obtains BX and determines UVX=BX ⊕ UV, where ⊕ denotes bit-wise XOR. Hence, according to an embodiment the key management node 400 is configured to, in a step S414, determine UVX=BX⊕UV between BX and UV.
S118: The key management node 400 uses PKBind to encrypt UVX, in relevant cases VId, UId and optional N when M2 was included, encrypted message E(UVX, VId, UId, N), denoted E2. Hence, according to an embodiment the key management node 400 is configured to, in a step S416, generate an encrypted message E2 of UVX using PKBind.
S119: The key management node 400 provides E2 to the compute node 300. Hence, according to an embodiment the fourth message provided to the compute node 300 comprises the encrypted message E2, of UVX, where PKBind has been used to encrypt UVX, and where UVX=BX⊕UV, where ⊕ denotes bit-wise XOR (i.e., exclusive disjunction, or exclusive or) between BX and UV, and where UV is a volume encryption key. Step S119 may be performed as part of above disclosed step S318. Step S119 may be performed as part of above disclosed step S418.
S120a, S120b: The compute node 300 unbinds E2 in the TPM and obtains UVX, and in relevant cases VId, UId, and optional the nonce N. If available in a database, then steps S110-S119 need not to be performed as long as the same compute node 300 is used and no update of boot software reflected in above used trust bounded PCR-registers or re-initialization of encryption keys has been performed on the compute node 300. Also, since, in relevant cases VId and UId are included in E2, a sanity check can be made when E2 is read from the database to match it to a client node 200 and, in relevant cases, volume. In the case where the same encryption key is re-used for different volumes for the same client node 200, this encryption key also be picked from the database directly, if existing and up to date, thus without any of steps S110-S119 being performed. An alternative mechanism to securely store UV locally is be to use TPM seal. Hence, according to an embodiment the compute node 300 is configured to, in a step S320, decrypt the encrypted message E2 to obtain UVX. E2 maybe stored in a database for future use, with an index derived as Hash(BX). Hence, according to an embodiment the compute node 300 is configured to, in a step S322, store the encrypted message E2 with an index set to Hash(BX).
S121: The compute node 300 uses B, read from TPM NV-RAM, to calculate BX=Hash(VId|UId|PKBind|B) and can then calculate UV=BX ⊕ UVX. Hence, according to an embodiment the compute node 300 is configured to, in a step S324, obtain an encryption key B bound to a trusted PCR state of the TPM 120; and, in a step S326, determine UV=BX ⊕UVX, where BX=Hash(VId|UId|PKBind|B).
S122a, S122b: The compute node 300, in case of an initial volume encryption setup, makes a second TPM quote request, using N as nonce, to the TPM and receives a response comprising a hash of selected PCR contents, Common Alerting Protocol (CAP) version information (optionally), and an Attestation Identity Key (AIK) signature, which covers the data received in the response, as well as the nonce N. Hence, according to an embodiment the compute node 300 is configured to, in a step S328, provide a further Quote2 request, QReq,2, comprising the nonce, N, to the TPM 120; and, in a step S330, obtain a further response, QResp2, to the further Quote2 request from the TPM 120, wherein the further response, QResp,2, comprises receipt content, R, the receipt content comprising a cryptographic hash of a trusted PCR content, and signed by the AIK.
S123a, S123b: The compute node 300 initiates encrypted volume, using UV, and writes the receipt contents, denoted R, onto the volume. The receipt contents, R, can also be provided to the client node 200. The receipt contents R can comprise the nonce, N, a hash of selected PCR contents, CAP version information (optionally), AIK signature, AIK public encryption key and an AIK public encryption key certificate. Hence, according to an embodiment the compute node 300 is configured to, in a step S332, initiate encryption of the block storage 130 volume, V, to be encrypted; and, in a step S334, provide the receipt content, R, to the block storage 130 volume, V.
S124: With R written on the block storage 130 volume, V, it can be possible for the running instance on the compute node 300, when the block storage 130 volume, V, has been attach to it, to read and validate the contents R. This provides proof that a setup of an encrypted volume has been initiated and that the setup is performed on a trusted compute node 300, in a state approved by the key management node 400. With N, the client node 200 can verify that the key management node 400 has been used. Inclusion of the nonce, N, blocks a replay attack. The receipt contents, R, with its PCR contents, provides the client device 200 means for verifying the boot state of the compute node 300 and the values can be compared with a white list. Hence, according to an embodiment the second message further comprises a receipt content, R, the receipt content comprising a cryptographic hash of trusted PCR content, signed by an Step S124 may be performed as part of above disclosed step S206. Step S124 may be performed as part of above disclosed step S336.
Particularly, the processing circuitry 210 is configured to cause the client node 200 to perform a set of operations, or steps, S100, S104, S124, S202, S204, S206, as disclosed above. For example, the storage medium 230 may store the set of operations, and the processing circuitry 210 may be configured to retrieve the set of operations from the storage medium 230 to cause the client node 200 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 210 is thereby arranged to execute methods as herein disclosed.
The storage medium 230 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The client node 200 may further comprise a communications interface 220 for communications with at least the compute node 300. As such the communications interface 220 may comprise one or more transmitters and receivers, comprising analogue and digital components.
The processing circuitry 210 controls the general operation of the client node 200 e.g. by sending data and control signals to the communications interface 220 arid the storage medium 230, by receiving data and reports from the communications interface 220, and by retrieving data and instructions from the storage medium 230. Other components, as well as the related functionality, of the client node 200 are omitted in order not to obscure the concepts presented herein.
Particularly, the processing circuitry 310 is configured to cause the compute node 300 to perform a set of operations, or steps, S104, S106a, S106b, S107, S109, S110a, S110b, S111, S119, S120a, S120b, S121a, S121b, S122a, S122b, S123a, 123b, S124, S302-S336, as disclosed above. For example, the storage medium 330 may store the set of operations, and the processing circuitry 310 may be configured to retrieve the set of operations from the storage medium 330 to cause the compute node 300 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 310 is thereby arranged to execute methods as herein disclosed.
The storage medium 330 may also comprise persistent storage, which, for example, can he any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The compute node 300 may further comprise a communications interface 320 for communications at least with the client node 200 and the key management node 400. As such the communications interface 320 may comprise one or more transmitters and receivers, comprising analogue and digital components.
The processing circuitry 310 controls the general operation of the compute node 300 e.g. by sending data and control signals to the communications interface 320 and the storage medium 330, by receiving data and reports from the communications interface 320, and by retrieving data and instructions from the storage medium 330. Other components, as well as the related functionality, of the compute node 300 are omitted in order not to obscure the concepts presented herein.
Particularly, the processing circuitry 410 is configured to cause the key management node 400 to perform a set of operations, or steps, S111-S119, S402-S418, as disclosed above. For example, the storage medium 430 may store the set of operations, and the processing circuitry 410 may be configured to retrieve the set of operations from the storage medium 430 to cause the key management node 400 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 410 is thereby arranged to execute methods as herein disclosed.
The storage medium 430 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The key management node 400 may further comprise a communications interface 320 for communications at least with the compute node 300 and the user identification node 140. As such the communications interface 320 may comprise one or more transmitters and receivers, comprising analogue and digital components.
The processing circuitry 410 controls the general operation of the key management node 400 e.g. by sending data and control signals to the communications interface 320 and the storage medium 430, by receiving data and reports from the communications interface 420, and by retrieving data and instructions from the storage medium 430. Other components, as well as the related functionality, of the key management node 400 are omitted in order not to obscure the concepts presented herein.
In the example of
The inventive concept has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the inventive concept, as defined by the appended patent claims.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2015/077211 | 11/20/2015 | WO | 00 |