
KR-20260066150-A - Protection of data keys used for cryptographic processing


Abstract

A set of data keys arranged in a specific order is obtained. The set of data keys includes multiple data keys, and the multiple data keys include a protection key. The protection key is prevented from being located in a selected position within the specific order. The set of data keys is encrypted as a single encrypted key; the single encrypted key is the result of encrypting the multiple data keys. The single encrypted key is returned. The single encrypted key is to be decrypted to obtain multiple decrypted keys. At least one of the multiple decrypted keys is a decrypted protection key, which is used to encrypt a confidential value.

Inventors

  • 고메스 루이스
  • 브래드버리 조나단
  • 뷘트겐 라인하르트

Assignees

  • International Business Machines Corporation

Dates

Publication Date
20260512
Application Date
20250324
Priority Date
20240328

Claims (20)

  1. A computer program product comprising: a set of one or more computer-readable storage media; and program instructions, collectively stored in the set of one or more computer-readable storage media, to enable at least one computing device to perform computer operations, the computer operations including: obtaining a set of data keys arranged in a specific order, wherein the set of data keys includes a plurality of data keys, the plurality of data keys includes a protected key, and the protected key is prevented from being in a selected position within the specific order; encrypting the set of data keys as a single encrypted key, wherein the single encrypted key is the encryption of the plurality of data keys; and returning the single encrypted key, wherein the single encrypted key is to be decrypted to obtain a plurality of decrypted keys, and at least one of the plurality of decrypted keys is a decrypted protection key to be used for encryption of a confidential value.
  2. The computer program product of claim 1, wherein the computer operations further include decrypting the single encrypted key to obtain the plurality of decrypted keys including the decrypted protection key.
  3. The computer program product of claim 2, wherein the computer operations further include encrypting the confidential value using the decrypted protection key.
  4. The computer program product of claim 3, wherein decrypting the single encrypted key and encrypting the confidential value using the decrypted protection key are performed using a single architectural instruction.
  5. The computer program product of claim 3, wherein the plurality of decrypted keys further include decrypted keys, and the computer operations further include encrypting plaintext using the decrypted keys.
  6. The computer program product of claim 5, wherein decrypting the single encrypted key, encrypting the confidential value using the decrypted protection key, and encrypting plaintext using the decrypted key are performed using a single architecture instruction.
  7. The computer program product of claim 6, wherein the single encrypted key is provided to the single architecture instruction in a parameter block that is an input to the single architecture instruction, and the single architecture instruction is a different instruction from the selected architecture instruction used to encrypt the data key set as the single encrypted key.
  8. The computer program product of any one of claims 1 to 7, wherein the encryption of the data key set is performed by a selected architecture instruction, and the selected architecture instruction obtains the data key set from an input parameter block of the selected architecture instruction.
  9. The computer program product of any one of claims 1 to 8, wherein the selected position is the first position within the data key set.
  10. The computer program product of any one of claims 1 to 9, wherein the confidential value is a tweak value and the protection key is a key used to encrypt the tweak value.
  11. The computer program product of any one of claims 1 to 10, wherein the data key set includes a fake data key at the selected position, based on a data key of the data key set other than the fake data key being a protection key.
  12. The computer program product of any one of claims 1 to 11, wherein the specific order comprises an arrangement in which one or more data keys of the data key set are arranged in a usage order.
  13. A computer system comprising: at least one computing device; a set of one or more computer-readable storage media; and program instructions, collectively stored in the set of one or more computer-readable storage media, to enable the at least one computing device to perform computer operations, the computer operations including: obtaining a set of data keys arranged in a specific order, wherein the set of data keys includes a plurality of data keys, the plurality of data keys includes a protection key, and the protection key is prevented from being in a selected position within the specific order; encrypting the set of data keys as a single encrypted key, wherein the single encrypted key is the encryption of the plurality of data keys; and returning the single encrypted key, wherein the single encrypted key is to be decrypted to obtain a plurality of decrypted keys, and at least one of the plurality of decrypted keys is a decrypted protection key to be used for encryption of a confidential value.
  14. The computer system of claim 13, wherein the computer operations further include decrypting the single encrypted key to obtain the plurality of decrypted keys including the decrypted protection key, and encrypting the confidential value using the decrypted protection key.
  15. The computer system of claim 14, wherein decrypting the single encrypted key and encrypting the confidential value using the decrypted protection key are performed using a single architecture instruction.
  16. The computer system of any one of claims 13 to 15, wherein the data key set includes a fake data key at the selected position, based on a data key of the data key set other than the fake data key being a protection key.
  17. A computer-implemented method comprising: obtaining a set of data keys arranged in a specific order, wherein the set of data keys includes a plurality of data keys, the plurality of data keys includes a protection key, and the protection key is prevented from being in a selected position within the specific order; encrypting the set of data keys as a single encrypted key, wherein the single encrypted key is the encryption of the plurality of data keys; and returning the single encrypted key, wherein the single encrypted key is to be decrypted to obtain a plurality of decrypted keys, and at least one of the plurality of decrypted keys is a decrypted protection key to be used for encryption of a confidential value.
  18. The computer-implemented method of claim 17, wherein the computer operations further include decrypting the single encrypted key to obtain the plurality of decrypted keys including the decrypted protection key, and encrypting the confidential value using the decrypted protection key.
  19. The computer-implemented method of claim 18, wherein decrypting the single encrypted key and encrypting the confidential value using the decrypted protection key are performed using a single architecture instruction.
  20. The computer-implemented method of any one of claims 17 to 19, wherein the data key set includes a fake data key at the selected position, based on a data key of the data key set other than the fake data key being a protection key.
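
The layout rule of claims 9, 11 and 12 together with the single wrapped blob of claim 1, as an added example that is not code from the patent or its applicant. The role labels, the 256-bit key length, and the HMAC-SHA256 keystream with encrypt-then-MAC wrapping are assumptions that stand in for the architecture instruction the claims refer to.

```python
import hashlib, hmac, os

KEY_LEN = 32           # assumption: every data key is 256 bits
SELECTED_POSITION = 0  # claim 9: the first position in the set

def order_key_set(usage_order):
    """usage_order: list of (role, key) in order of use (claim 12).
    Insert a fake data key when the protection key would otherwise
    land in the selected position (claim 11)."""
    keys = list(usage_order)
    if keys[SELECTED_POSITION][0] == "protection":
        keys.insert(SELECTED_POSITION, ("fake", os.urandom(KEY_LEN)))
    return keys

def _subkey(kek, label):
    # Separate encryption and MAC keys derived from one wrapping key.
    return hmac.new(kek, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_key_set(kek, keys):
    """Encrypt the whole ordered set as one blob: nonce || ct || tag."""
    if keys[SELECTED_POSITION][0] == "protection":
        raise ValueError("protection key must not occupy the selected position")
    if any(len(k) != KEY_LEN for _, k in keys):
        raise ValueError("unexpected key length")
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(kek, b"enc"), nonce, b"".join(k for _, k in keys))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key_set(kek, wrapped, layout):
    """Verify, decrypt and split the blob by position; drop the fake key."""
    nonce, ct, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
    want = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want) or len(ct) != KEY_LEN * len(layout):
        raise ValueError("wrapped key set rejected")
    blob = _xor_stream(_subkey(kek, b"enc"), nonce, ct)
    parts = [blob[i:i + KEY_LEN] for i in range(0, len(blob), KEY_LEN)]
    return {role: key for role, key in zip(layout, parts) if role != "fake"}
```

The caller passes the positional layout to `unwrap_key_set` because the blob itself carries no role information; roles are determined only by position in the set.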

Description

Protection of data keys used for cryptographic processing

One or more aspects generally relate to cryptographic processing within a computing environment, and in particular to the protection of data keys used in cryptographic processing.

Cryptography is used to protect data. There are numerous cryptographic algorithms, including the XTS-AES (XEX (XOR Encrypt XOR) Tweakable Block Cipher with Ciphertext Stealing, Advanced Encryption Standard) algorithm as well as others. The XTS-AES standard uses confidential values (e.g., tweak values) to provide additional protection. These confidential values are encrypted using a data key referred to as the protected key. Processing related to the use of protected data keys needs to be improved.

Shortcomings of the prior art are overcome, and additional advantages are provided, through the provision of a computer program product. The computer program product comprises a set of one or more computer-readable storage media and program instructions collectively stored in the set of one or more computer-readable storage media to enable at least one computing device to perform computer operations. The computer operations include obtaining a set of data keys arranged in a specific order. The set of data keys includes multiple data keys. The multiple data keys include a protection key. The protection key is prevented from being in a selected position within the specific order. The set of data keys is encrypted as a single encrypted key. The single encrypted key is the result of encrypting the multiple data keys. The single encrypted key is returned. The single encrypted key is to be decrypted to obtain multiple decrypted keys. At least one of the multiple decrypted keys is a decrypted protection key to be used for encryption of a confidential value.

Computer-implemented methods, computer systems, and computer program products related to one or more aspects are described and claimed herein. Each embodiment of the computer program product may be an embodiment of each computer system and/or each computer-implemented method, and vice versa. Additionally, the embodiments are separable from one another and optional. Furthermore, the embodiments may be combined with one another. Each embodiment of the computer program product may be combined with aspects and/or embodiments of each computer system and/or computer-implemented method, and vice versa. Additionally, services related to one or more aspects may also be described and claimed herein.

Additional features and benefits are realized through the technology described herein. Other embodiments and aspects are considered to be part of the aspects described in detail and claimed herein.

One or more aspects are particularly pointed out and distinctly claimed as examples in the claims at the end of this specification. The foregoing and the objects, features, and advantages of one or more aspects are apparent from the following detailed description taken together with the accompanying drawings.

FIG. 1 illustrates one example of a computing environment for integrating and using one or more aspects of the present disclosure.
FIG. 2 illustrates one example of additional details of a processor of FIG. 1, according to one or more aspects of the present disclosure.
FIG. 3a illustrates one example of a submodule of the key protection module of FIG. 1 according to one or more aspects of the present disclosure.
FIG. 3b illustrates one example of a submodule of the performing submodule of FIG. 3a according to one or more aspects of the present disclosure.
FIG. 4a illustrates one example of cryptographic key protection processing of a program according to one or more aspects of the present disclosure.
FIG. 4b illustrates one example of cryptographic key protection processing of a processor according to one or more aspects of the present disclosure.
FIG. 5a illustrates one example of the format of an instruction to perform a cryptographic key management operation according to one or more aspects of the present disclosure.
FIGS. 5b to 5c illustrate examples of the contents of a general-purpose register used by the cryptographic key management operation execution instruction of FIG. 5a according to one or more aspects of the present disclosure.
FIG. 5d illustrates one example of a parameter block used by the cryptographic key management operation execution instruction of FIG. 5a according to one or more aspects of the present disclosure.
FIGS. 6a and 6b illustrate examples of encrypting a key according to one or more aspects of the present disclosure.
FIG. 7a illustrates one example of the format of a cipher message instruction according to one or more aspects of the present disclosure.
FIGS. 7b through 7d illustrate examples of the contents of a register used by the cipher message instruction of FIG. 7a according to one or more aspects of the present disclosure.
FIGS. 7e to 7f illustrate examples of the contents of a general-purpose register used by the cipher message instruction o