摘要:
Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.
摘要:
Systems for performing bare machine computing are disclosed. A system may include a bare machine computing platform that includes a processor, one or more input/output devices, and a storage medium. The bare machine computing platform does not include an operating system. The system may further include a processor readable storage medium including one or more instructions for implementing an application object. The application object may contain data and one or more instructions for enabling an operating environment and executing an application within the operating environment.
摘要:
A data processor is disclosed which enables the selective simultaneous or asynchronous execution of mutually independent instructions of different classes in parallel coupled execution units and which enables the sequential execution of mutually dependent instructions of different classes by delaying the execution of a dependent instruction in a second execution unit until the completion of execution of a precursor instruction in a first execution unit. The instructions are dispatched to respective ones of a plurality of parallel coupled execution units, in accordance with their instruction class.
摘要:
A requested cryptographic function is validated for performance in conjunction with a cryptographic key, by inputting a first portion of an associated control vector into a first control vector checker, which outputs a first authorization signal if the requested cryptographic function has been authorized by the originator of the key. A second portion of the control vector is input to a second control vector checker, which outputs a second authorization signal if the requested cryptographic function has been authorized by the originator of the key. Both the first and the second authorization signals are applied to a cryptographic processor which initiates the execution of the requested cryptographic function.
摘要:
The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorizes the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorization output connected to an input of the cryptographic processing means, for signalling that the key management function is authorized, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.
摘要:
A method and apparatus are disclosed for use in a data processing system which executes a program which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform. The improved method and apparatus enable the use of control vectors having an arbitrary length. It includes a control vector register having an arbitrary length, for storing a control vector of arbitrary length associated with an N-bit cryptographic key. It further includes a control vector checking means having an input coupled to the control vector register, for checking that the control vector authorizes the cryptographic function which is requested by the cryptographic service request. It further includes a hash function generator having an input coupled to the control vector register and an N-bit output, for mapping the control vector output from the control vector register, into an N-bit hash value. A key register is included for storing the N-bit cryptographic key. It further includes a logic block having a first input coupled to the N-bit output of the hash function generator, and a second input connected to the key register, for forming at the output thereof a product of the N-bit key and the N-bit hash value. Finally, an encryption device is included having a first input for receiving a cleartext data stream and a key input coupled to the output of the logic block, for forming a ciphertext data stream at the output thereof from the cleartext data stream and the product. A decryption device can be substituted for the encryption device to perform decryption operations in a similar manner.
摘要:
Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys.Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification). The control vector may contain information identifying and, possibly restricting, PIN processing to a particular PIN format or particular processing algorithm.The control vector implementation provides a flexible method for coupling format, usage, and processing authorization to keys. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Furthermore, a method is provided for the security administrator to restrict certain PIN format translations.