Binding secure objects of security module to secure guest

    Publication No.: GB2607794A

    Publication date: 2022-12-14

    Application No.: GB202212344

    Filing date: 2020-12-10

    Applicant: IBM

    Abstract: At least one secure object of a security module is bound to a secure guest. A trusted component determines whether metadata of the secure guest includes a confidential binding attribute for the security module. Based on determining that the metadata includes the confidential binding attribute, the trusted component configures the security module for the secure guest in a select mode. The select mode prevents certain operations from being intercepted by a hypervisor associated with the secure guest. The trusted component intercepts a security module communication and performs a cryptographic operation on one or more secure objects of the security module communication using the confidential binding attribute to provide a cryptographic result. An outcome of the security module communication, which includes the cryptographic result, is provided to a receiver.

    Identity based hierarchical sessions

    Publication No.: GB2630336A

    Publication date: 2024-11-27

    Application No.: GB202307761

    Filing date: 2023-05-24

    Applicant: IBM

    Abstract: A computer-implemented method, for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, comprises: establishing a communication channel between the guest system and the HSM 102, wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session; transferring login information of the guest system through the communication channel to the HSM 104; maintaining a predefined security level throughout a hierarchy of the sessions 106, wherein no child session has a higher security level than its parent session; and performing a challenge-response protocol based on a session ownership verification with the guest 108, such that an HSM generated and secured key is bound to an associated session. The guest system may be executed on a hypervisor. Establishing the communication session may be based on a public/private key pair of said HSM and a transmitted code allowing the derivation of a symmetrical encryption/decryption key based on a Diffie-Hellman algorithm.
