Patent Grant
9026805
Data protection has been provided in numerous ways. Many designs for data protection have involved the encryption of data such as sensitive information, passwords, secrets, and so on. An application programming interface (API) or library may be provided on a computer to handle encryption for applications thereon. A simple API might have functions such as protect() and unprotect() with appropriate parameters for incoming data to be protected or unprotected, outgoing unprotected or protected data, keys, group identifiers, etc. As an example, the Windows (TM) operating system has included the DPAPI (TM) (data protection API), for use by application software.
In response to the need to share secure information among users and to provide group-level data protection and access control, data protection facilities such as DPAPI need to be extended to allow groups of related machines or users to share protected data. Distributed Key Management (DKM) services have been used to allow sharing of keys and other grouping functionality. Specifically, a DKM service might provide cryptographic key management services for secure data sharing for distributed applications (for example, as a supplement to the Windows (TM) DPAPI). Some DKM systems may be specifically designed for data centers and cloud services, as well as customer compute clusters and distributed applications. Moreover, like DPAPI, a DKM service might automatically handle key rollover and expiration for users. Some DKM services may use access control lists (ACLs), for example lists of user network identities, to control access to keys for encrypted data.
While there have been many DKM systems available, such systems have relied on software as the basis for security. That is, encryption, key management, key generation, and so forth, have been performed by operating system code, application code, etc., using general purpose central processing units (CPUs) and memory. Techniques discussed below relate to using a hardware security component known as a Trusted Platform Module (TPM) to provide a hybrid hardware-software approach for software-level distributed key management.
The following summary is included only to introduce some concepts discussed in the Detailed Description below. This Summary is not comprehensive and is not intended to delineate the scope of the claimed subject matter, which is set forth by the claims presented at the end.
Described herein are techniques for distributed key management (DKM) in cooperation with Trusted Platform Modules (TPMs). The use of TPMs strengthens the storage and processing security surrounding management of distributed keys. DKM-managed secret keys are not persistently stored in clear form. In effect, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data. TPM public keys can be used to determine the set of trusted nodes to which TPM-encrypted secret keys can be distributed.
Many of the attendant features will be explained below with reference to the following detailed description considered in connection with the accompanying drawings.
The present description will be better understood from the following detailed description read in light of the accompanying drawings, wherein like reference numerals are used to designate like parts in the accompanying description.
Embodiments discussed below relate to protecting and distributing secrets in a network environment using hardware-rooted keys for software-level distributed key management. This approach may provide protection above that of a software-only approach, yet may avoid the need for burdensome and costly hardware security modules (HSMs). Some embodiments may provide protection that is superior to software-only protection for protecting secrets against hardware theft and insider attacks. Other embodiments may avoid expenses and administrative overhead associated with hardware-only encryption solutions.
The following description will begin with a discussion of TPMs. An architecture for DKM-based storage using a TPM will be explained, followed by description of a TPM-rooted key hierarchy for protecting access to DKM keys. Methods of implementing and using the key hierarchy in a DKM-TPM system will then be covered.
The TPM 102 may have been manufactured according to any past or future versions of the TPM Specification, which is published and available elsewhere. The TPM 102 is capable of both generating and storing cryptographic keys. The TPM 102 may also have functions for sealing, binding, measurement, and other functions, all described in detail elsewhere. A cryptographic processor 108 may have components such as a key generator 110 to generate public-private key pairs, a hash generator 112, and other components such as an encryption-decryption and signature engine 114. The TPM 102 also has non-volatile persistent memory 116 as well as dynamic versatile memory 118. The persistent memory 116 stores an endorsement key (EK) and a storage root key (SRK) (generated by a key generator 110), which may be burned into the TPM 102 at the time of production (when the TPM is manufactured). The versatile memory 118 stores platform configuration registers (PCR), attestation identity keys (AIK), storage keys, and the like.
As will be explained, because some implementations of TPMs are slow (for instance, hundreds of milliseconds for cryptographic operations), the TPMs are used to safeguard distributed DKM keys (keys managed by a DKM service or system), and the DKM keys are then used for encrypting and decrypting user data. In other words, TPM devices on clients are used to protect DKM keys, and decrypted DKM keys are then stored in ordinary host memory, for instance memory 106, from where they are used by the host processor, for instance CPU 104, to perform encryption and decryption. In this way, a DKM key can be used by the relatively fast processor and memory of the DKM node. Moreover, after being initially generated and secured, a DKM key is present in clear form in the main memory of a DKM node that used its TPM to decrypt or unseal the DKM key only during the cryptographic operation. Over the long-term, DKM keys are stored in encrypted form as encrypted by TPM-based keys. Another performance enhancing but still secure approach is to have the operating system, such as Windows™, locally encrypt the TPM-decrypted DKM key while stored in main memory 106.
Returning to the client platform 140, 142, a cryptographic API (CAPI) module or a Cryptographic Next Generation (CNG) component 148 handles application level encryption and decryption (e.g., a DP API library). That is, cryptographic processing for DKM is done in software using CNG module 148 or the like. This may provide reasonable performance that is equivalent to a full-software solution such as DKM for Active Directory™ (DKM-AD). As mentioned, for some implementations, TPM-based cryptography has poor performance (several hundred milliseconds for a 2048-bit RSA private key operation) and may have incompatible padding formats. A key storage provider or a module with equivalent functionality (TPM KSP 146) is used to store keys outside the TSM. This embodiment does not assume or require the presence of a proper TPM KSP, but employs the TPM KSP concept when referring to the cryptographic functionality expected from a TPM.
The DKM storage 145 contains DKM group metadata such as group names, access control information, and cryptography policy, as well as DKM group data. Each DKM group contains group cryptographic policy and encrypted DKM group keys. In short, the DKM storage 145 is a shared resource (a server or a group of synchronized servers). Note that the DKM keys are conceptually encrypted with a key stored in TPM. In practice, there will be a key hierarchy, described later, in view of possible poor TPM cryptographic processing performance. An intermediate key will be sealed to a TPM key (which TPM key to use can vary), and the intermediate key will be used to encrypt DKM keys using the CNG component 148. Cryptographic operations with DKM keys will be carried out with CNG component 148. Note that the DKM storage 145 can be server-based, stored at DKM clients and DKM servers, or stored only by DKM clients in peer-to-peer fashion.
A DKM client may also have a client DKM storage 172 to store TPM-encrypted DKM keys. The client DKM storage 172, storing encrypted DKM keys, may reside locally either in a persisted storage or in memory as a client-side cache. The client DKM storage 172 may not be relied on for long-term DKM key storage, but rather may be used as a local cache to reduce network communications and computation. Known cache maintenance algorithms may be used to purge stale data. This embodiment uses the local file system as DKM storage.
Long-term DKM storage is maintained on the DKM server 170. A DKM server component 174 handles communication with DKM clients. The TLS (transport layer security) protocol may be used by the client DKM-TMP 144 and the DKM server component 174 as an authentication protocol. The TLS protocol is used to create a mutually authenticated secure session using private keys and certificates rooted in their respective TPMs. For network communication, HTTPS (hypertext transport protocol secure) can be used as a network communication protocol data exchange between the client DKM-TPM 144 and the DKM server module 174. While HTTPS is convenient, any other communication protocol can be used. Instead of TLS, TPM keys may be used to secure the network payload between the client DKM-TPM 144 and the server DKM-TPM 174, or between DKM servers.
Note that because DKM keys are stored as encrypted by one or more TPM public keys 176, there is no confidentiality requirement for an external storage used to house DKM storage 178. The external storage is trusted to store the information a DKM server presents, and to return the complete information a DKM server requests. The external storage might be shared among multiple DKM servers.
If multiple DKM servers are used, a synchronization mechanism between DKM servers will be used. If the server storage (DKM storage 178) uses an external database, e.g., SQL Server™, the synchronization can be performed by that external storage. Where a DKM server is mentioned herein as storing a DKM key or the like, this is deemed to include both physical storage by the DKM server, as well as storage by accessing an external storage service such as a database, network file system, etc.
A private TLS key (TLSK 208), signing key (SK 210), and wrapping key (WK 212) are protected by the SRK 204. These keys are stored in local file systems or other non-volatile storage and are loaded into a TPM as required. The corresponding public keys are signed by the AIK 206. This allows any machine, given EK-pub as the basis of trust, to validate AIK-pub, TLSK-pub, SK-pub, and WK-pub. The TLS key-pair is not essential for this embodiment, as explained above.
The DKM key (DKMK) 214 can be a symmetric key or a public-private key-pair. DKMK 214 contents are treated as an opaque blob by the TPM. Note that the DKMK 214 (private or secret) is encrypted with WK-pub (WK 212), and signed by SK-private when stored outside the DKM process/service and when transmitted over any network. The TPM protection of a DKMK is independent from security properties of the networking session through which it is transmitted. For instance, if there is a mutually authenticated TLS session based on TPM keys between two nodes, the DKMK is still encrypted and signed by WK-pub and SK-private. This separation allows off-TPM storage of DKMK (in-memory and on-disk key), and use of any network communication protocol.
The DKM server 170 also stores a list of authorized TPM public keys 234. Each entry is a signed public EK: SignKs(EK-pub). The list of authorized TPM public keys 234 is a list of signed TPM public keys (public EKs) that can acquire a DKM key. The signature key is one or more of the keys in the authorized server public key list 232. The authorized server public key list 232 also contains keys of the form: SignKs(EK-pub). This list of signed TPM public keys (EK-pub) contains keys of hosts that can act as DKM servers. The signature key is one or more of the keys in the same authorized server public key list 232. Note that multiple DKM servers are not required. However, in a distributed embodiment, a second DKM server 236 may synchronize with the first DKM server 170 by exchanging the appropriate lists of keys, as well as corresponding group policies 238. Note also that a DKM client 238 may exchange, as needed, various DPM-TPM information 240, including sealed DKM keys, authorized server public keys, and policy. The policy may include DKM policy 238A as well as configuration policy 238B.
Regarding the authorized server public key list 232, this list constitutes the root of trust in the entire system. The list of authorized server public keys 232 is verified by one of the public keys in the same list. In effect, this is a distributed self-signed public key list, similar to the trusted roots in a traditional PKI (public key infrastructure) deployment. Typically, upon initial deployment, this list might have only a few (or just one) public key, signed by all the corresponding private keys, and the list is updated by an online synchronization protocol or other means. Note that clients would also need the same list, so the synchronization (or trusted root discovery) protocol may be the same between both client-server and server-server. Note also that this list is signed but not sealed. Thus, the entire list is portable across nodes and can be copied verbatim.
Regarding the root of trust, in another embodiment a small set of master servers as the root of trust. This master set uses one member's TPM signing keys to certify and authorize an ‘authorized server (TPM) public keys’ list and an ‘authorized (client) TPM public keys’ list. This option minimizes the root of trust to a small set of machines (rather than all servers) and complies with the separation-of-duties security design principle while maintaining flexibility of adding and removing DKM server and client machines.
Regarding the list of authorized TPM public keys 234, this list contains endorsement public keys that identify corresponding TPMs. The list is signed by one or more of the keys on the authorized server public key list 232. The authorized list of TPM public keys 234 is used by DKM servers to determine if a requesting DKM node (e.g., a DKM client or DKM server) is authorized to receive a particular DKM key. If the requestor's public key is in this list, the server responds back with the sealed blob of the requested DKM key with the requestor's TPM wrapping key, and signs the response with the server's private key. If a node is in the list of authorized server public keys 232, then the node does not need to be in the list of authorized TPM public keys 234. If a node is in the list of authorized TPM public keys 234, the node is authorized to receive DKM keys. This list of authorized TPM public keys 234 is signed but not sealed. Thus, the entire list is portable across nodes and can be copied verbatim.
Concerning the list of sealed DKM keys 230, the sealing is performed with the TPM wrapping key of the server storing the list. This prevents the list from being moved from one node to another, but in some implementations may require a formal distributed storage that provides fault tolerance. Thus, each server must have a local copy of the entire list of sealed DKM keys 230. The sealed key list can also be signed by one or more of the authorized server keys. However, since the list is sealed to one node, the additional signatures may be of little use. Thus, the sealed list can be signed with only the local node's TPM signing key. This ensures that when the list is read from a persisted storage, the list is not modified.
At step 258, a group container is created with the default policy obtained from the DKM library and a default policy file from step 259, and at step 260 a group policy and DKM key are generated. The DKM policy contains the set of cryptographic algorithms DKM clients and servers use to protect data, the current DKM key to use in protect operations, and DKM key lifetime. The default DKM policy applies to all DKM groups; the default policy can be overridden by a DKM group policy. At step 262 the group policy is signed by the TPM signing key in step 266, and DKM keys are sealed and signed with the TPM wrapping and signing keys in steps 264 and 266, and then stored.
As used herein, “sealing” involves encryption and in addition specification of a state in which the TPM must be in order for the data to be decrypted (unsealed). That is, state of the computer that has the TPM may be hashed and stored in TPM registers (also called measurement).
Conclusion
Embodiments and features discussed above can be realized in the form of information stored in volatile or non-volatile computer or device readable media. This is deemed to include at least media such as optical storage (e.g., compact-disk read-only memory (CD-ROM)), magnetic media, flash read-only memory (ROM), or any current or future means of storing digital information. The stored information can be in the form of machine executable instructions (e.g., compiled executable binary code), source code, bytecode, or any other information that can be used to enable or configure computing devices to perform the various embodiments discussed above. This is also deemed to include at least volatile memory such as random-access memory (RAM) and/or virtual memory storing information such as central processing unit (CPU) instructions during execution of a program carrying out an embodiment, as well as non-volatile media storing information that allows a program or executable to be loaded and executed. The embodiments and features can be performed on any type of computing device, including portable devices, workstations, servers, mobile wireless devices, and so on.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5481613 | Ford et al. | Jan 1996 | A |
| 5812666 | Baker et al. | Sep 1998 | A |
| 5956489 | San Andres et al. | Sep 1999 | A |
| 6594671 | Aman et al. | Jul 2003 | B1 |
| 6711263 | Nordenstam et al. | Mar 2004 | B1 |
| 7089211 | Trostle et al. | Aug 2006 | B1 |
| 7260224 | Ingle et al. | Aug 2007 | B1 |
| 7502927 | Trostle et al. | Mar 2009 | B2 |
| 7577258 | Wiseman et al. | Aug 2009 | B2 |
| 7945959 | Ilechko | May 2011 | B2 |
| 7957320 | Konig et al. | Jun 2011 | B2 |
| 7974415 | Nochta | Jul 2011 | B2 |
| 7991994 | Salgado et al. | Aug 2011 | B2 |
| 7992194 | Damodaran et al. | Aug 2011 | B2 |
| 8037319 | Clifford | Oct 2011 | B1 |
| 8046579 | Kresina | Oct 2011 | B2 |
| 8064604 | Youn | Nov 2011 | B2 |
| 8116456 | Thomas | Feb 2012 | B2 |
| 8225690 | Shimada et al. | Jul 2012 | B2 |
| 8255690 | Wiseman et al. | Aug 2012 | B2 |
| 8291224 | Pelton et al. | Oct 2012 | B2 |
| 8447037 | Noh et al. | May 2013 | B2 |
| 8572377 | Kalbratt | Oct 2013 | B2 |
| 20020080974 | Grawrock | Jun 2002 | A1 |
| 20020144117 | Faigle | Oct 2002 | A1 |
| 20030110397 | Supramaniam et al. | Jun 2003 | A1 |
| 20030115313 | Kanada et al. | Jun 2003 | A1 |
| 20030126464 | McDaniel et al. | Jul 2003 | A1 |
| 20030154404 | Beadles et al. | Aug 2003 | A1 |
| 20040193917 | Drews | Sep 2004 | A1 |
| 20050097317 | Trostle et al. | May 2005 | A1 |
| 20050166051 | Buer | Jul 2005 | A1 |
| 20050180572 | Graunke | Aug 2005 | A1 |
| 20060072763 | You et al. | Apr 2006 | A1 |
| 20060136717 | Buer et al. | Jun 2006 | A1 |
| 20060147043 | Mann et al. | Jul 2006 | A1 |
| 20060236096 | Pelton et al. | Oct 2006 | A1 |
| 20060236363 | Heard et al. | Oct 2006 | A1 |
| 20060291664 | Suarez et al. | Dec 2006 | A1 |
| 20070039039 | Gilbert et al. | Feb 2007 | A1 |
| 20070094719 | Scarlata | Apr 2007 | A1 |
| 20070116269 | Nochta | May 2007 | A1 |
| 20070162750 | Konig et al. | Jul 2007 | A1 |
| 20070220591 | Damodaran et al. | Sep 2007 | A1 |
| 20070230706 | Youn | Oct 2007 | A1 |
| 20070258623 | McGrath et al. | Nov 2007 | A1 |
| 20080022370 | Beedubail et al. | Jan 2008 | A1 |
| 20080065884 | Emeott et al. | Mar 2008 | A1 |
| 20080070577 | Narayanan et al. | Mar 2008 | A1 |
| 20080083011 | McAlister et al. | Apr 2008 | A1 |
| 20080130902 | Foo Kune et al. | Jun 2008 | A1 |
| 20080152151 | Pourzandi et al. | Jun 2008 | A1 |
| 20080256646 | Strom et al. | Oct 2008 | A1 |
| 20080263370 | Hammoutene et al. | Oct 2008 | A1 |
| 20080271165 | Schnell et al. | Oct 2008 | A1 |
| 20080275991 | Matsuzaki et al. | Nov 2008 | A1 |
| 20080307054 | Kamarthy et al. | Dec 2008 | A1 |
| 20090006862 | Alkove et al. | Jan 2009 | A1 |
| 20090025063 | Thomas | Jan 2009 | A1 |
| 20090086979 | Brutch et al. | Apr 2009 | A1 |
| 20090092252 | Noll et al. | Apr 2009 | A1 |
| 20090136043 | Ramanna et al. | May 2009 | A1 |
| 20090154709 | Ellison | Jun 2009 | A1 |
| 20090240941 | Lee et al. | Sep 2009 | A1 |
| 20090249073 | Wiseman et al. | Oct 2009 | A1 |
| 20090254392 | Zander | Oct 2009 | A1 |
| 20090292914 | Liu et al. | Nov 2009 | A1 |
| 20100146295 | Proudler | Jun 2010 | A1 |
| 20100211781 | Auradkar et al. | Aug 2010 | A1 |
| 20100217853 | Alexander et al. | Aug 2010 | A1 |
| 20100303240 | Beachem et al. | Dec 2010 | A1 |
| 20100306554 | Nunez-Tejerina et al. | Dec 2010 | A1 |
| 20100313011 | Laffey | Dec 2010 | A1 |
| 20110038482 | Singh et al. | Feb 2011 | A1 |
| 20110040960 | Deierling et al. | Feb 2011 | A1 |
| 20110055560 | Meissner et al. | Mar 2011 | A1 |
| 20110088087 | Kalbratt | Apr 2011 | A1 |
| 20110103589 | Tie et al. | May 2011 | A1 |
| 20110150224 | Noh et al. | Jun 2011 | A1 |
| 20110200026 | Ji et al. | Aug 2011 | A1 |
| 20110243332 | Akimoto | Oct 2011 | A1 |
| 20120300940 | Sabin et al. | Nov 2012 | A1 |
| 20130254529 | Fu et al. | Sep 2013 | A1 |
| Entry |
|---|
| Trusted Platform Module; http://www.infineon.com/cms/en/product/channel.html?channel=ff80808112ab681d0112ab6921ae011f; Published Date: Nov. 17, 2007. |
| Hewitt; Trusted Computing and the Trusted Platform Module: What All the Fuss Is About; Published Date: Apr. 13, 2006. |
| Vaughan-Nichols; Windows 7, Security, and the Trusted Platform Module; http://www.cs.hmc.edu/˜mike/public—html/courses/security/s06/projects/bill.pdf; Published Date: Mar. 22, 2010. |
| Relph-Knight; Linux and the Trusted Platform Module (TPM); http://www.h-online.com/open/features/Linux-and-the-Trusted-Platform-Module-TPM-746611.html; Published Date: Sep. 28, 2009. |
| Kauer; OSLO: Improving the security of Trusted Computing; http://www.usenix.org/event/sec07/tech/full—papers/kauer/kauer—html/: Published Date: 2007. |
| McCune et al.; TrustVisor: Efficient TCB Reduction and Attestation; Published Date: Mar. 9, 2009. |
| Office action for U.S. Appl. No. 13/434,737, mailed on Jan. 16, 2014, Acar, et al., “Role-Based Distributed Key Management”, 10 pages. |
| Acar, et al., “Cryptographic Agility and its Relation to Circular Encryption”, Europcrypt 2010, Springer Verlag, May 2010, 25 pages. |
| Michener, et al., “Security Domains: Key Manaement in Large-Scale Systems”, IEEE Software, IEEE Computer Society, vol. 17, No. 5, Sep. 2000, pp. 52-58. |
| Acar, “Distributed Key Management and Cryptographic Agility”, <<http://www.cs.washington.edu/education/courses/csep590a/11wi/slides/UW%20Lecture%2020110224%20-%20Tolga.pdf>>, University of Michigan, 2011, pp. 1-22. |
| Acar, et al., “Key Management in Distributed Systems”, Microsoft, 2010, pp. 1-14. |
| Adusumilli, et al., “DGKD: Distributed Group Key Distribution with Authentication Capability”, IEEE, 2005, pp. 286-293. |
| Joshi, et al., “Secure, Redundant, and Fully Distributed Key Management Scheme for Mobile Ad Hoc Networks: An Analysis”, EURASIP Journal on Wireless Communications and Networking, 2005, pp. 579-589. |
| Lu, et al., “A Framework for a Distributed Key Management Scheme in Heterogeneous Wireless Sensor Networks”, IEEE, vol. 7, No. 2., 2008, pp. 639-647. |
| Mukherjee, et al., “Distributed key management for dynamic groups in MANETs”, Elsevier B.V., 2008, pp. 562-578. |
| Office action for U.S. Appl. No. 13/434,737, mailed on Aug. 8, 2013, Acar, et al., “Role-Based Distributed Key Management”, 10 pages. |
| Office action for U.S. Appl. No. 13/434,737, mailed on Jun. 18, 2014, Acar et al., “Role-Based Distributed Key Management”, 9 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20120173885 A1 | Jul 2012 | US |
