Binding a security key of a secure client to a hardware security module

Document No.: 157304. Publication date: 2021-10-26.

Reading note: this technology, "Binding a security key of a secure client to a hardware security module", was designed by R. Buendgen, T. Visegrady and I. Franzki on 2020-02-27. Abstract: A method, computer program product, and system in which a secure interface control configures a hardware security module for exclusive use by a secure client. The secure interface control ("SC") obtains, via a hypervisor, a configuration request for configuring a hardware security module (HSM) from a given client of the clients managed by the hypervisor. The SC determines whether the HSM has already been configured to a particular client of the one or more clients; based on determining that the HSM is not configured to the particular client and that the given client is a secure client, the SC cancels establishment of the configuration of the HSM by restricting client access to the HSM exclusively to the given client. The SC logs the given client into the HSM by utilizing a secret of the given client. The SC obtains a session code from the HSM and maintains the session code.

1. A computer-implemented method, comprising:

configuring, by a secure interface control communicatively coupled to a hypervisor and a hardware security module, the hardware security module for exclusive use by a secure client managed by the hypervisor, the configuring comprising:

obtaining, by the secure interface control via the hypervisor, a configuration request for configuring the hardware security module from a given client of the one or more clients managed by the hypervisor;

determining, by the secure interface control, whether the hardware security module has been configured to a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients;

based on determining that the hardware security module is not configured to the particular client, determining, by the secure interface control, that the given client comprises the secure client by evaluating metadata of the given client;

based on determining that the given client comprises a secure client, cancelling establishment of a configuration of the hardware security module by the secure interface control by exclusively restricting client access to the hardware security module to the given client of the one or more clients;

logging, by the secure interface control, the given client into the hardware security module, wherein the logging into the hardware security module comprises utilizing a secret of the given client, wherein the metadata comprises the secret;

obtaining, by the secure interface control, a session code from the hardware security module based on logging into the hardware security module; and

maintaining, by the secure interface control, the session code.

2. The computer-implemented method of claim 1, wherein the maintaining comprises: storing the association of the session code with a NULL session code in an association table in the secure interface control.

3. The computer-implemented method of claim 1 or 2, wherein the metadata of the client is integrity protected and the secret is encrypted by using a key derived from a private key owned by the secure interface control.

4. The computer-implemented method of claim 3, wherein the private key comprises a cryptographic measure of a boot image of the given client.

5. The computer-implemented method of claim 2, further comprising:

based on the configuration, providing, by the secure interface control, a new session code to the given client for use by the given client in a request to the hardware security module.

6. The computer-implemented method of claim 5, wherein the providing comprises:

intercepting, by the secure interface control, a hardware security module login request from the given client, wherein the hardware security module login request includes login data from the given client;

generating, by the secure interface control, new login data based on the secret for the given client;

issuing, by the secure interface control, a new hardware security module login request from the given client to the hardware security module, wherein the new hardware security module login request includes the new login data;

obtaining, by the secure interface control, a session code from the hardware security module;

generating, by the secure interface control, the new session code based on obtaining the session code from the hardware security module;

storing, by the secure interface control, an association between the session code from the hardware security module and the new session code in the table; and

sending, by the secure interface control, the new session code to the given client in response to the login request.

7. The computer-implemented method of claim 5, further comprising:

intercepting, by the secure interface control, a request from the given client to the hardware security module, wherein the request includes the new session code;

obtaining, by the secure interface control, the session code from the hardware security module associated with the new session code from the table;

updating, by the secure interface control, the request from the given client to include a new request, wherein the new request includes the session code from the hardware security module instead of the new session code; and

issuing, by the secure interface control, the new request to the hardware security module.

8. The computer-implemented method of claim 7, further comprising:

obtaining, by the secure interface control, fulfillment of the request from the hardware security module; and

issuing, by the secure interface control, fulfillment of the request to the given client.

9. The computer-implemented method of claim 8, wherein the request is selected from the group consisting of: a hardware security module security key generation request, and a hardware security module logout request.

10. The computer-implemented method of claim 6, further comprising:

obtaining, by the secure interface control from the hypervisor, an indication that the given client has stopped;

identifying, by the secure interface component, an association in the table between the session code from the hardware security module and the new session code;

generating, by the secure interface component, a list of one or more sessions that utilize the session code from the hardware security module based on the table; and

logging off, by the secure interface component, the given client from the one or more sessions.

11. The computer-implemented method of claim 1, further comprising:

obtaining, by the secure interface control from the hypervisor, an indication that the given client has stopped;

removing, by the secure interface control, the configuration.

12. The computer-implemented method of claim 6, further comprising:

obtaining, by the secure interface control from the hypervisor, an indication that the given client has stopped;

identifying, by the secure interface component, a reference to the given client maintained in the hardware security module; and

removing the reference by the secure interface component.

13. The computer-implemented method of any of claims 1 to 12, wherein the secure interface component is selected from the group consisting of: firmware, hardware, and software.

14. The computer-implemented method of any of claims 1 to 13, wherein determining that the given client comprises the secure client by evaluating metadata of the given client comprises: verifying one of a presence or a type of the metadata.

15. The computer-implemented method of any of claims 1-14, wherein utilizing the secret of the given client comprises: decrypting, by the secure interface control, the secret.

16. The computer-implemented method of claim 15, wherein the decrypting comprises: utilizing a key that is exclusively computed by the secure interface control.

17. A computer program product, comprising:

a computer-readable storage medium readable by one or more processors and storing instructions for execution by the one or more processors to perform a method comprising:

configuring, by the one or more processors communicatively coupled to a hypervisor and a hardware security module, the hardware security module for exclusive use by a secure client managed by the hypervisor, the configuring comprising:

obtaining, by the one or more processors via the hypervisor, a configuration request for configuring the hardware security module from a given client of the one or more clients managed by the hypervisor;

determining, by the one or more processors, whether the hardware security module has been configured to a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients;

based on determining that the hardware security module is not configured to the particular client, determining, by the secure interface control, that the given client comprises the secure client by evaluating metadata of the given client;

based on determining that the given client comprises a secure client, cancelling establishment of the configuration of the hardware security module by the one or more processors by exclusively restricting client access to the hardware security module to the given client of the one or more clients;

logging, by the one or more processors, the given client into the hardware security module, wherein the logging into the hardware security module comprises utilizing a secret of the given client, wherein the metadata comprises the secret;

obtaining, by the one or more processors, a session code from the hardware security module based on logging into the hardware security module; and

maintaining, by the one or more processors, the session code.

18. The computer program product of claim 17, wherein the maintaining comprises: storing the association of the session code with a NULL session code in a table accessible to the one or more processors.

19. The computer program product of claim 17 or 18, wherein the metadata of the client is integrity protected and the secret is encrypted by using a key derived from a private key owned by the secure interface control.

20. A system, comprising:

a memory;

one or more processors in communication with the memory;

program instructions executable by the one or more processors via the memory to perform a method comprising:

configuring, by the one or more processors communicatively coupled to a hypervisor and a hardware security module, the hardware security module for exclusive use by a secure client managed by the hypervisor, the configuring comprising:

obtaining, by the one or more processors via the hypervisor, a configuration request for configuring the hardware security module from a given client of the one or more clients managed by the hypervisor;

determining, by the one or more processors, whether the hardware security module has been configured to a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients;

based on determining that the hardware security module is not configured to the particular client, determining, by the secure interface control, that the given client comprises the secure client by evaluating metadata of the given client;

based on determining that the given client comprises a secure client, cancelling establishment of the configuration of the hardware security module by the one or more processors by exclusively restricting client access to the hardware security module to the given client of the one or more clients;

logging, by the one or more processors, the given client into the hardware security module, wherein the logging into the hardware security module comprises utilizing a secret of the given client, wherein the metadata comprises the secret;

obtaining, by the one or more processors, a session code from the hardware security module based on logging into the hardware security module; and

maintaining, by the one or more processors, the session code.

Background

Cryptographic elements are important technical components in today's computer systems and information transmission networks. Information may be stored or transmitted in an encrypted protected form in order to avoid unauthorized access to the stored or transmitted information. In some cases, purely software-based techniques may be used, and in other cases, hardware support and security specific elements may be used to perform such data protection. In some cases, these particular elements are named Hardware Security Modules (HSMs), which may be used as part of a computer or information transmission system. Such a hardware security module may include specific circuitry to provide functionality for data encryption and data decryption. The functions may also include generating and storing encryption keys for use by the client system.

The HSM contains a master key that is not accessible to unauthorized parties. These master keys are used to encrypt (i.e., wrap) keys available to the user of the HSM. Such a key wrapped by the HSM master key is referred to as a security key. The HSM is tamper resistant and protects secrets from unauthorized access (e.g., unintended physical insertion, physical penetration, etc.). An HSM may be allocated to various virtual resources, such as Virtual Machines (VMs), and in a virtualized environment, the HSM may not be aware of its reallocation from one VM to another VM.

The flexibility of VM allocation can pose security issues because in a highly sensitive managed Information Technology (IT) environment, a more stringent security protocol may support protecting trusted users that utilize clients with security keys (wrapped by the HSM's master key) from untrusted users using the security keys, even if the clients themselves are hacked or otherwise compromised and the security keys and other data are stolen.

Disclosure of Invention

The shortcomings of the prior art are overcome and additional advantages are provided through the provision of a method for binding a security key of a secure client to a hardware security module. The method includes configuring, for example by a secure interface control communicatively coupled to a hypervisor and a hardware security module, the hardware security module for exclusive use by a secure client managed by the hypervisor, the configuring comprising: obtaining, by the secure interface control via the hypervisor, a configuration request for configuring the hardware security module from a given client of one or more clients managed by the hypervisor; determining, by the secure interface control, whether the hardware security module has been configured to a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients; based on determining that the hardware security module is not configured to the particular client, determining, by the secure interface control, that the given client comprises a secure client by evaluating metadata of the given client; based on determining that the given client comprises a secure client, cancelling establishment of the configuration of the hardware security module by the secure interface control by exclusively limiting client access to the hardware security module to the given client of the one or more clients; logging, by the secure interface control, the given client into the hardware security module, wherein logging into the hardware security module comprises utilizing a secret of the given client, wherein the metadata comprises the secret; obtaining, by the secure interface control, a session code from the hardware security module based on logging into the hardware security module; and maintaining the session code by the secure interface control.

The shortcomings of the prior art are overcome and additional advantages are provided through the provision of a computer program product for binding a security key of a secure client to a hardware security module. The computer program product includes a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method. The method includes configuring, e.g., by one or more processors communicatively coupled to a hypervisor and a hardware security module, the hardware security module for exclusive use by a secure client managed by the hypervisor, the configuring comprising: obtaining, by the one or more processors via the hypervisor, a configuration request for configuring the hardware security module from a given client of one or more clients managed by the hypervisor; determining, by the one or more processors, whether the hardware security module has been configured to a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients; based on determining that the hardware security module is not configured to the particular client, determining, by the secure interface control, that the given client comprises a secure client by evaluating metadata of the given client; based on determining that the given client comprises a secure client, cancelling establishment of the configuration of the hardware security module by the one or more processors by exclusively restricting client access to the hardware security module to the given client of the one or more clients; logging, by the one or more processors, the given client into the hardware security module, wherein logging into the hardware security module comprises utilizing a secret of the given client, wherein the metadata comprises the secret; obtaining, by the one or more processors, a session code from the hardware security module based on logging into the hardware security module; and maintaining, by the one or more processors, the session code.

The shortcomings of the prior art are overcome and additional advantages are provided through the provision of a system for binding a security key of a secure client to a hardware security module. The system includes a memory, one or more processors in communication with the memory, and program instructions executable by the one or more processors via the memory to perform a method. The method includes configuring, e.g., by one or more processors communicatively coupled to a hypervisor and a hardware security module, the hardware security module for exclusive use by a secure client managed by the hypervisor, the configuring comprising: obtaining, by the one or more processors via the hypervisor, a configuration request for configuring the hardware security module from a given client of one or more clients managed by the hypervisor; determining, by the one or more processors, whether the hardware security module has been configured to a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients; based on determining that the hardware security module is not configured to the particular client, determining, by the secure interface control, that the given client comprises a secure client by evaluating metadata of the given client; based on determining that the given client comprises a secure client, cancelling establishment of the configuration of the hardware security module by the one or more processors by exclusively restricting client access to the hardware security module to the given client of the one or more clients; logging, by the one or more processors, the given client into the hardware security module, wherein logging into the hardware security module comprises utilizing a secret of the given client, wherein the metadata comprises the secret; obtaining, by the one or more processors, a session code from the hardware security module based on logging into the hardware security module; and maintaining, by the one or more processors, the session code.

Methods and systems relating to one or more aspects are also described and claimed herein. Services relating to one or more aspects are also described and may be claimed herein. For example, in some embodiments of the invention, maintaining includes storing the association of the session code with the NULL session code in an association table in the secure interface control.

In some embodiments of the invention, the metadata of the client is integrity protected and the secret is encrypted by using a key derived from a private key owned by the secure interface control. The private key may include a cryptographic measure of the boot image of the given client.

In some embodiments of the present invention, based on the configuration, the processor(s) and/or the secure interface control provide the new session code to the given client for use by the given client in a request to the hardware security module.

In some embodiments of the invention, providing (by the processor(s) and/or the secure interface control) comprises: the processor(s) and/or the secure interface control intercept a hardware security module login request from a given client, wherein the hardware security module login request comprises login data from the given client; the processor(s) and/or the secure interface control generate new login data based on the given client's secret; the processor(s) and/or the secure interface control issue a new hardware security module login request from the given client to the hardware security module, wherein the new hardware security module login request includes the new login data; the processor(s) and/or the secure interface control obtain a session code from the hardware security module; the processor(s) and/or the secure interface control generate a new session code based on obtaining the session code from the hardware security module; the processor(s) and/or the secure interface control store an association between the session code from the hardware security module and the new session code in a table; and in response to the login request, the processor(s) and/or the secure interface control send the new session code to the given client.

In some embodiments of the invention, the processor(s) and/or the secure interface control intercept a request from a given client to the hardware security module, wherein the request includes the new session code. The processor(s) and/or the secure interface control obtain, from the table, the session code from the hardware security module that is associated with the new session code. The processor(s) and/or the secure interface control update the request from the given client to include a new request, wherein the new request includes the session code from the hardware security module instead of the new session code. The processor(s) and/or the secure interface control issue the new request to the hardware security module.

In some embodiments of the invention, the processor(s) and/or the secure interface control obtain fulfillment of the request from the hardware security module. The processor(s) and/or the secure interface control issue fulfillment of the request to the given client. In some embodiments of the invention, the request is selected from the group consisting of: a hardware security module security key generation request, and a hardware security module logout request.

In some embodiments of the invention, the processor(s) and/or the secure interface control obtain an indication from the hypervisor that a given client has stopped. The processor(s) and/or the secure interface control identify an association in the table between the session code from the hardware security module and the new session code. Based on the table, the processor(s) and/or the secure interface control generate a list of one or more sessions that utilize the session code from the hardware security module. The processor(s) and/or the secure interface control log the given client off from the one or more sessions.

In some embodiments of the invention, the processor(s) and/or the secure interface control obtain an indication from the hypervisor that a given client has stopped. The processor(s) and/or the secure interface control remove the configuration.

In some embodiments of the invention, the processor(s) and/or the secure interface control obtain an indication from the hypervisor that a given client has stopped. The processor(s) and/or the secure interface control identify a reference to a given client that is maintained in the hardware security module. The processor(s) and/or secure interface control remove the reference.

In some embodiments of the invention, the secure interface component is selected from the group consisting of: firmware, hardware, and software.

In some embodiments of the invention, determining that the given client comprises a secure client by evaluating metadata of the given client comprises: the processor(s) and/or the secure interface control verify one of a presence or a type of the metadata.

In some embodiments of the invention, the processor(s) and/or the secure interface control utilizing the secret of the given client comprises: the processor(s) and/or the secure interface control decrypt the secret.

In some embodiments of the invention, the decrypting comprises: utilizing a key that is exclusively computed by the secure interface control.

Additional features are implemented through the techniques described herein. Other embodiments and aspects are described in detail herein and are considered a part of the claimed aspects.

Drawings

One or more aspects are particularly pointed out and distinctly claimed as examples in the claims at the conclusion of the specification. The foregoing objects, features and advantages of one or more aspects will become apparent from the following detailed description when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 illustrates security issues encountered with current approaches utilizing hardware security modules;

FIG. 2 illustrates various aspects of some embodiments of the invention;

FIG. 3 is a workflow illustrating certain aspects of some embodiments of the invention;

FIG. 4 is a workflow illustrating certain aspects of some embodiments of the invention;

FIG. 5 is a workflow illustrating certain aspects of some embodiments of the invention;

FIG. 6 is a workflow illustrating certain aspects of some embodiments of the invention;

FIG. 7 is a workflow illustrating certain aspects of some embodiments of the invention;

FIG. 8 is a workflow illustrating certain aspects of some embodiments of the invention;

FIG. 9 depicts one embodiment of a computing node that may be utilized in a cloud computing environment;

FIG. 10 depicts a cloud computing environment according to an embodiment of the invention; and

FIG. 11 depicts abstraction model layers according to an embodiment of the invention.

Detailed Description

The accompanying figures, in which like reference numerals refer to identical or functionally-similar elements throughout the separate views and which are incorporated in and form a part of the specification, further illustrate the present invention and, together with the detailed description of the invention, serve to explain the principles of the present invention. As understood by those skilled in the art, the drawings are provided to facilitate an understanding and description of various aspects of certain embodiments of the invention. The invention is not limited to the embodiments described in the figures.

As understood by those skilled in the art, program code referred to throughout this application includes both software and hardware. For example, program code in some embodiments of the invention comprises fixed-function hardware, while other embodiments utilize software-based implementations of the functions described. Some embodiments combine both types of program code. One example of program code (also referred to as one or more programs) is depicted in FIG. 9 as program/utility 40, having a set (at least one) of program modules 42, which may be stored in memory 28.

The term "hardware security module" or HSM may represent a pluggable component or a separate connection component of a computer system. The HSM may perform encryption operations and decryption operations using the master key or another provided key (e.g., a client key). Encryption and/or decryption may be performed on the hardware security module in hardware and software or any combination of both. The data may be received by the hardware security module in an unencrypted manner and may be encrypted on the HSM, or vice versa.

The term "guest system" may refer to, for example, an operating system executing in a virtual machine (VM) on a hypervisor. A user may be assigned to a client system, and a particular encryption key may be assigned to the client system. The hypervisor mentioned above can be used to perform such an allocation. The specific encryption key may be stored on the HSM.

The term "content" may represent any character-based string. The string may include readable text or any other binary data.

The term "data pattern" may be basically another expression of content. The data pattern may represent a readable string or may include binary data. In the context of this document, there is no additional requirement for the data pattern. It may also be predefined, randomly selected, or otherwise determined.

The term "master key" may refer to an encryption/decryption key that is stored on the HSM. In the context of this document, in one embodiment, it may be assumed that the master key can never be transferred out of the hardware security module on which it is stored.

The term "client encryption unit" may denote a module adapted to perform encryption and/or decryption operations within or as part of a client system or as a service used by the client system.

The term "hardware security module encryption unit" may denote a module within the HSM adapted to encrypt any data pattern using a master key or another provided key, e.g. a client key. Correspondingly, the "hardware security module decryption unit" may be used to decrypt any data pattern (e.g., the client key) using the master key, or to decrypt another data pattern using another provided key (e.g., the client key).

It may be noted that the hardware security module (i.e., HSM) may be, for example, an encryption card. The guest system may be, for example, a virtual machine (i.e., a VM) running or executing a guest operating system. Configuring the HSM may include storing the master key in a memory of the HSM.

Embodiments of the present invention include a computer-implemented method, computer program product, and computer system that includes program code executing on at least one processing circuit that effectively binds a security key of an HSM to a particular client belonging to a particular owner such that data protected by the HSM is only usable within a system accessible to the HSM. In particular, as explained in more detail below, in embodiments of the invention, program code executing on one or more processors binds a security key of a secure client (e.g., a VM) configured to use the HSM to an HSM session code, based on a secret that is cryptographically linked to the image of the secure client. However, the secret is not part of the client. Instead, it is transmitted separately over a secure channel (i.e., encrypted) to a secure interface control (e.g., firmware, trusted component) as part of the client metadata and is cryptographically linked to the client, as described herein. The metadata is cryptographically linked to the client (e.g., contains a signature of the client image), and thus the metadata of one client cannot be misused as the metadata of another client. Thus, the secure interface control can verify that the client and the metadata/secret belong to each other. In some embodiments of the invention, the secret is linked to a boot image of a secure client that is cryptographically bound to metadata that is securely (integrity and confidentiality protected) transferred (e.g., independently, over a secure channel) to the trusted component. In some embodiments of the invention, the secret-containing portion of the metadata may be encrypted with a key that only the secure interface control can compute.

The secure client may also be referred to as a guest virtual machine, a virtual machine, and/or a virtual server. In an embodiment of the invention, the program code provides the secret (securely) to a secure interface control (e.g., firmware, trusted component) as part of the installation metadata provided to launch the image of the secure client. Although linked to the client, the secret is separately transmitted to the secure interface control over the secure channel (i.e., encrypted) as part of the client metadata and cryptographically linked to the client. Thus, the secure interface control can verify that the client and the metadata/secret belong to each other. Thus, in some embodiments of the invention, the metadata of the secure client is integrity protected and includes a secret encrypted by a key derived using a private key owned by the secure interface control (e.g., cryptographic measures of the boot image of the given client). The metadata need not be accessible by the secure client itself. As will be explained in more detail below, in an embodiment of the invention, the program code of the trusted component: 1) reserves the HSM for the secure client during the lifetime of the client; 2) opens an HSM session using the secret; 3) intercepts HSM key generation requests and reissues each request, replacing the session code used with the session code received in reply when the session was opened using the secret; and 4) closes all sessions opened using the secret when the secure client is terminated.

FIG. 1 shows a portion of a shared computing environment 100 that includes an HSM 110. It illustrates the key security problem that arises with HSMs under existing methods and that embodiments of the present invention address, and thereby shows how embodiments of the present invention provide much more key security in HSMs than existing methods. As shown in fig. 1, the HSM contains a master key 120 that is inaccessible to unauthorized parties. Master key 120 is used by program code of the HSM to encrypt (i.e., wrap) keys that are made available to users of the HSM. The key wrapped by the HSM master key 120 is referred to as a security key. In fig. 1, client 150 (client 1), a Virtual Machine (VM), possesses security key 130 provided to client 150 from hypervisor 140 of HSM 110. As understood by those skilled in the art, the HSM is tamper-resistant and protects secrets from unauthorized access (e.g., unplanned physical insertion, physical penetration, etc.); however, client 150 does not have substantial security and thus may represent a vulnerability. In a virtual environment, the HSM 110 may not be aware of its reallocation from one client (i.e., VM) to another client (i.e., VM) because the hypervisor 140 controls the allocation of the security keys 130. Thus, if a malicious user utilizes second client 160 (client 2) to hack into given client 150 (client 1), and security key 130 assigned to client 150 is maintained by second client 160, a security breach exists. Thus, the second client 160 may steal (170) the security key 130 of the client 150 as distributed by the hypervisor 140. This is particularly a problem in highly sensitive hosted IT environments, where the owner of the hosted client wishes to maintain more active security than the administrator of the hosting environment. In the shared computing environment 100, the various clients may be owned by different entities, and the HSM 110 may belong to only some of these entities.
Thus, a client owner (such as the owner of the client 150 to which the security key 130 is assigned) desires to maintain its security key 130, which is wrapped by the master key 120 of the HSM 110. The client owner does not want the security key 130 to be used by untrusted clients owned by different entities that utilize resources in the shared computing environment 100. In fig. 1, the client 150 and the second client 160 have different owners, and the owner of the client 150 wants to ensure that even if the client 150 is hacked (as shown in fig. 1) and the security key 130 and other data are stolen (170), it cannot be utilized by any owner other than the owner of the client 150 to which the security key 130 was originally assigned.

Embodiments of the present invention are inevitably associated with computing, at least because they aim to solve problems specific to computing and to provide technical approaches that are also within the field. Embodiments of the present invention bind the security keys of the HSM to specific clients (e.g., VMs) belonging to a specific owner. The problem addressed by aspects of some embodiments of the invention shown in fig. 1 is computation-specific (i.e., an unauthorized client gains access to the secure wrapping key of an authorized client). Given that both the problem and the method are computation-specific, embodiments of the present invention are inevitably associated with computations.

Embodiments of the present invention provide significant advantages over prior approaches to the key security problem shown in fig. 1. For example, some prior approaches provide support for key security by providing a context for executing a client without requiring a hypervisor to be able to access memory used by the client and/or to confidentially install the secure client (i.e., using a public key to protect secrets within the client's installation data, where only trusted components (hardware (HW) and/or firmware (FW) components) may access the private key of the client). In some embodiments of the invention, the secure interface control (which may also be understood as a trusted component) is hardware, firmware, or a combination thereof. This approach adds an extra layer of complexity and still does not bind the client owner to a given security key. Other methods create a separate session to bind the security key with the session code (which depends on the session login data), but this method eliminates the functionality of having a given key continuously used by the client, thereby compromising the efficiency of the processing involving the client in the case of using the security key. Additionally, some approaches attempt to bind the HSM to an Operating System (OS) image. These methods have specific drawbacks not found in embodiments of the present invention: 1) when the boot device changes, the binding is broken; and/or 2) the HSM adapter can only be checked after it is plugged in.

FIG. 2 illustrates aspects of a computing environment 200 (such as a shared computing environment) in which aspects of some embodiments of the invention are implemented. Similar to fig. 1, HSM 210 includes a master key 220. Moreover, hypervisor 240 interacts with clients (e.g., VMs) including secure client 250, which is understood as such because its secure key 230 (wrapped with master key 220) is bound to HSM 210. In addition to hypervisor 240, in embodiments of the present invention, a trusted component (shown in this non-limiting example as secure interface control 265) supports the configuration of pass-through access to HSM 210. Specifically, in some embodiments of the present invention, secure interface control 265 enforces a policy that, once pass-through access is configured for the secure client 250, the HSM 210 cannot be (temporarily) configured to another client or component of the system during the life cycle of the secure client 250. In some embodiments of the invention, the secure interface control 265 opens a session to the HSM 210 based on the secret 225 that is part of the client metadata cryptographically linked to the client and that may be contained in the secure client's installation data (e.g., Secure Execution (SE) header), and binds all the secure keys 230 of the secure client 250 to the secret 225. The secret 225 is cryptographically linked to the image of the secure client 250 and securely provided to the secure interface control 265 as part of the installation metadata provided to launch the image of the secure client 250. The secret 225 is not part of the secure client 250 and is transmitted as part of the client metadata to the secure interface control 265 (over a secure channel, i.e., encrypted) and cryptographically linked to the secure client 250.
Thus, secure interface control 265 may verify that secure client 250 and metadata/secret 225 belong to each other. The metadata of secure client 250 is integrity protected and includes a secret 225, which secret 225 may be encrypted by a key derived using a private key owned by secure interface control 265 (e.g., encryption measures for the boot image of a given client).

Fig. 3 is a workflow 300 illustrating aspects of some embodiments of the invention. For purposes of illustration only, the workflow 300 is illustrated with reference to the computing environment 200 of FIG. 2. In particular, fig. 3 is a workflow 300 illustrating aspects of binding a secure client 250 (a client having at least one secure key 230 that has been wrapped by an HSM master key 220) to an HSM 210. As described above, much of the binding is accomplished with the help of a trusted component (in FIG. 2, secure interface control 265). The program code of the secure interface control 265 in embodiments of the present invention supports the configuration of pass-through access to HSM 210. To support this aspect, program code executing on the one or more processors configures the secure interface control 265 (i.e., the program code of the secure interface control 265) to provide certain functionality.

The workflow 300 of fig. 3 illustrates the functionality provided by the configured secure interface control 265. In particular, workflow 300 illustrates certain aspects of some embodiments of the invention in which a trusted component (e.g., secure interface control 265, implemented as hardware, firmware, or a combination thereof) creates sessions for a secure client based on an HSM secret, the HSM secret being included in the metadata of the secure client. Thus, all session creation requests (i.e., initiated via login), key generation requests, and session termination requests (i.e., initiated via logout) from the secure client are intercepted by the secure interface control. Upon intercepting such a request, which originally included standard login data and session code provided by the HSM, the program code of the secure interface control reissues it as a request that includes login data (which includes the HSM secret) and session code generated by the secure interface control. Thus, the program code replaces the standard login data in the request with login data that includes the HSM secret, and the program code replaces the session code provided by the HSM with the session code generated by the secure interface control.

Referring to FIG. 3, for purposes of illustration, certain aspects of the workflow are presented in an arbitrary order. Although they are described in sequence for ease of understanding, the aspects between the program code of the secure interface control opening a default session to the HSM for a secure key that is not yet bound to any session of the secure client with the HSM (310) and the program code determining (370) that the secure client has been terminated form an event loop. Within that loop, the remaining aspects (the program code intercepts each HSM login session of the secure client (320), the program code associates the session (initiated by the login) with an HSM session that utilizes login data based on the secret of the secure client (330), the program code intercepts each HSM key generation and session logoff request of the secure client (340), the program code replaces session code for these actions with associated session code based on the secret of the secure client (350), and upon determining that a given event has occurred, program code closes all sessions based on the secret of the secure client (360)) may occur in any order, including but not limited to the order of workflow 300, and may occur asynchronously at any time during workflow 300.

Returning to fig. 3, referring to fig. 2, in some embodiments of the invention, program code of secure interface control 265 opens a default session to HSM 210 for a secure key of secure client 250 that is not (yet) bound to any session with HSM 210 (310). Program code intercepts each HSM 210 login session for secure client 250 (320). The program code associates (330) the session (initiated by login) with the HSM 210 session utilizing login data based on the secret of the secure client. In an embodiment of the present invention, secret 225 is not part of client 250 because it is separately transmitted to secure interface control 265 (over a secure channel, i.e., encrypted) as part of the client metadata and cryptographically linked to client 250. Thus, secure interface control 265 may verify that client 250 and metadata/secret 225 belong to each other. The program code of the secure interface control 265 may maintain, in the table 245, the association of session codes based on the secret 225 of the secure client with the session codes returned to the secure client 250. The HSM may provide and track the session code returned to the secure client 250 in the table 215. As shown in fig. 2, the program code of secure interface control 265 also stores the HSM configuration of secure client 250, along with a table 245 that associates session codes based on the secret of the secure client with session codes returned to the secure client.

Returning to fig. 3, the program code intercepts each HSM key generation and session logoff request of the secure client 250 (340). The secure client 250 stores a secure key 230 wrapped by the HSM 210 with a master key 220. The program code replaces the session code for these actions with the associated session code (e.g., from table 245) based on the secure client's secret 225 (350). The program code determines that the secure client has been terminated (360). Based on determining that the given event has occurred, the program code closes all sessions based on the secure client's secret 225 (370). The given event may vary. In some embodiments of the present invention, the program code closes all sessions based on the secure client's secret 225 based on determining that the secure client 250 has been terminated. The program code of the HSM 210 and other elements of the system may also take additional action in the event of an unexpected event to protect the security of the system. For example, in some embodiments of the present invention, if the HSM 210 is unplugged, the program code deletes all session state data. In some embodiments of the present invention, program code executing on the processing device clears all sessions of the HSM 210 if the secure interface control 265 terminates unexpectedly.

In an embodiment of the invention, program code executing on a processing resource (including program code of a trusted component (e.g., secure interface control 265 of fig. 2)) to bind a security key (e.g., security key 230 of fig. 2) of a secure client (e.g., secure client 250 of fig. 2) to an HSM (e.g., HSM 210 of fig. 2) accomplishes at least five general aspects: 1) the program code of the secure interface control initially configures the relationship/connection between the HSM and the secure client; 2) the program code of the secure interface control intercepts a request from the secure client and ultimately returns a new session code to the secure client; 3) the program code of the secure interface control intercepts a request from the secure client for a new secure key generated (wrapped with a master key) by the HSM; 4) the program code of the secure interface control intercepts a request from the secure client to log out of a session with the HSM; and 5) upon the secure client being stopped, the program code of the secure interface control starts and completes various cleanup activities. Figs. 4-8 illustrate workflows 400-800 for these aspects.

Referring to fig. 4, a workflow 400 illustrates the program code of a secure interface control initially configuring the relationship/connection between the HSM and the secure client in an embodiment of the present invention. As shown in fig. 2, the secure interface control is communicatively coupled to the HSM and, via the hypervisor, to the clients managed by the hypervisor. In one embodiment of the invention, program code of a secure interface control (e.g., a trusted FW, a trusted component, etc.) receives a configuration request via a hypervisor (e.g., a virtual machine manager) from a client (e.g., a virtual machine) of one or more clients managed by the hypervisor (410). Program code determines whether the HSM has been configured for a given client of the one or more clients (420). Based on determining that the HSM is configured for the given client, the program code returns an error in response to the configuration request (435). In an embodiment of the invention, the program code of the security component (e.g., security FW, security interface control) enforces that, for an HSM configured for a client, the hypervisor managing the client cannot intercept any requests of the secure client to the HSM.

Returning to fig. 4, based on a determination that the HSM is not configured for a given client, the program code determines whether the client is a secure client (e.g., based on authentication including aspects of the client's metadata) (440). In an embodiment of the invention, the presence or type of metadata of the client determines whether the client is secure. The metadata is cryptographically linked to the client (e.g., contains a signature of the client image), and thus, the metadata of one client cannot be misused as the metadata of another client. If the client is not secure, the process terminates (435). Based on determining that the client is a secure client, the program code prevents the HSM from being accessed by other clients (450). In some embodiments of the invention, an HSM that is not configured for a secure client (particularly an HSM on which a session is not created using the HSM secret of the secure client) may be configured to another client (or a component running in the system) if the secure client is started but not yet terminated.

Referring to fig. 4, program code logs in (e.g., accesses) the HSM by utilizing the secret of the secure client (460). The program code of the secure interface control logs into the HSM using the HSM secret from the metadata of the secure client before the HSM is first accessed by the secure client. In response to logging into the HSM, the program code receives session code from the HSM (470). The program code stores the association of the session code with the NULL session code in an association table in the security component (480). Thus, the secure interface control stores in the table an association of NULL session codes with session codes returned by the HSM. In some embodiments of the invention, the table associates session codes based on the secret of the secure client with session codes returned to the secure client by the HSM.

Referring to FIG. 5, a workflow 500 illustrates program code of a secure interface control intercepting a request from a secure client in an embodiment of the invention. As shown in fig. 5, the program code of the security component (e.g., security FW) intercepts each session login request from a secure client, replaces its login data with a combination of the login data and the HSM secret (e.g., by bitwise XOR of the two pieces of data), and reissues the login request. Then, instead of returning the session code returned by the HSM, the program code of the secure interface control generates a new session code (e.g., login data from the secure client) that is consistent with the specifications of the login request and stores the association of the generated session code with the session code returned by the HSM in a table (e.g., table 245 of fig. 2).

Returning to fig. 5, in some embodiments of the invention, program code of a secure interface control (e.g., trusted FW, trusted component) intercepts an HSM login request from a secure client, where the HSM login request utilizes login data from the secure client (510). The program code generates new login data based on the secret of the secure client, wherein the secret of the secure client is cryptographically linked to the image of the secure client (520). The program code issues an HSM login request (the original request has been intercepted) with new login data (i.e., data based on the secret of the secure client) (530). The program code receives session code from the HSM (540). Based on receiving the session code from the HSM, the program code generates new session code (the session code changes based on the login data) (550). The program code associates the session code from the HSM with the new session code and stores the association in an association table (560). The program code returns the new session code to the secure client (570).

In addition to intercepting HSM login requests from a secure client as shown in fig. 5, in embodiments of the present invention, the program code of the trusted component (e.g., secure interface control 265 of fig. 2) also intercepts requests from the secure client to the HSM, including but not limited to generation requests and session logoff requests. Fig. 6-7 illustrate aspects of the security component processing key generation and logoff requests, respectively. As shown in fig. 6-7, the program code of the security component intercepts and reissues these requests, with the session code provided by the security client replaced with the session code provided by the HSM (as stored in the association table).

Fig. 6 is a workflow 600 illustrating program code of a secure interface control processing an HSM key generation request with new session code (e.g., 560 of fig. 5). In some embodiments of the invention, program code of a secure interface control (e.g., trusted FW, trusted component) intercepts an HSM key generation request from a secure client that utilizes new session code (610). The program code looks up the new session code in the association table and locates the associated session code (from the HSM, e.g., 540 of fig. 5) (620). Based on locating the session code, the program code issues an HSM key generation request to the HSM using the session code (630). In response to the request, the program code obtains the requested key and returns the key to the secure client (640). Thus, the program code returns the results of the HSM request to the secure client.

Similar to workflow 600 of fig. 6, fig. 7 depicts workflow 700, which illustrates program code of a secure interface control processing an HSM logoff request with new session code (e.g., 560 of fig. 5). In some embodiments of the invention, program code of a secure interface control (e.g., trusted FW, trusted component) intercepts an HSM logoff request from a secure client utilizing new session code (710). The program code looks up the new session code in the association table and locates the associated session code (from the HSM, e.g., 540 of fig. 5) (720). Based on locating the session code, the program code uses the session code to issue an HSM logoff request to the HSM (730). The program code deletes the association (the association associating the new session code with the session code) from the association table (735). In response to the request, logoff of the secure client from the HSM is completed (740).

FIG. 8 depicts a workflow 800 illustrating the handling, by program code, of the termination of a secure client in some embodiments of the invention. Generally, in embodiments of the present invention, if the secure client terminates, the secure interface control terminates all sessions it created (using the HSM secret of the secure client). In some embodiments of the invention, program code of the secure interface control obtains information via the hypervisor indicating that the secure client has been stopped (810). Based on determining that the secure client has been stopped, program code of the security component identifies all sessions of the secure client with the HSM based on the association table (820). In some embodiments of the invention, the program code may generate a list of all sessions associated with the session code. Based on identifying the sessions via the session code, the program code logs off the secure client from all identified sessions (830). The program code removes the HSM configuration of the secure client (840). The program code cleans up the remaining resources of the secure client (850).
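The session-code translation described in workflows 400 to 800 can be modelled in a few lines. The following is an added example, not code from the patent or from any product: `ToyHSM`, the `is_secure` flag (standing in for the metadata evaluation), hashing both inputs before the XOR, and the HMAC-based binding of generated keys to login data are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ToyHSM:
    """Constructed stand-in for the HSM: a session is tied to its login data and
    a generated key is only usable from a session opened with the same data."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)  # never leaves the HSM
        self.sessions = {}                          # HSM session code -> login data

    def login(self, login_data):
        code = secrets.token_hex(8)
        self.sessions[code] = login_data
        return code

    def logout(self, code):
        del self.sessions[code]

    def _tag(self, login_data, key_id):
        # key_id has a fixed length, so the concatenation is unambiguous.
        return hmac.new(self._master_key, key_id + login_data, hashlib.sha256).digest()

    def generate_key(self, code):
        key_id = secrets.token_bytes(8)
        return key_id, self._tag(self.sessions[code], key_id)

    def can_use(self, code, blob):
        key_id, tag = blob
        return hmac.compare_digest(tag, self._tag(self.sessions[code], key_id))


class SecureInterfaceControl:
    def __init__(self, hsm):
        self.hsm = hsm
        self.owner = None   # client the HSM is reserved for
        self.secret = None  # HSM secret taken from that client's metadata
        self.table = {}     # code given to client (None = NULL) -> HSM session code

    def _check(self, guest_id):
        if guest_id != self.owner:
            raise PermissionError("HSM is not configured for this client")

    def configure(self, guest_id, secret, is_secure):        # workflow 400
        if self.owner is not None:
            raise PermissionError("HSM already configured")  # 420 -> 435
        if not is_secure:
            raise PermissionError("not a secure client")     # 440 -> 435
        self.owner, self.secret = guest_id, secret           # 450
        self.table[None] = self.hsm.login(secret)            # 460-480

    def _combine(self, login_data):
        # Bitwise XOR of login data and secret; hashing first (an assumption)
        # gives both operands the same length.
        a = hashlib.sha256(login_data).digest()
        b = hashlib.sha256(self.secret).digest()
        return bytes(x ^ y for x, y in zip(a, b))

    def login(self, guest_id, login_data):                   # workflow 500
        self._check(guest_id)
        hsm_code = self.hsm.login(self._combine(login_data)) # 520-540
        guest_code = secrets.token_hex(8)                    # 550
        self.table[guest_code] = hsm_code                    # 560
        return guest_code                                    # 570

    def generate_key(self, guest_id, guest_code):            # workflow 600
        self._check(guest_id)
        return self.hsm.generate_key(self.table[guest_code]) # 620-640

    def logout(self, guest_id, guest_code):                  # workflow 700
        self._check(guest_id)
        self.hsm.logout(self.table.pop(guest_code))          # 720-735

    def guest_stopped(self):                                 # workflow 800
        for hsm_code in self.table.values():                 # 820-830
            self.hsm.logout(hsm_code)
        self.table.clear()
        self.owner = self.secret = None                      # 840-850


def demo():
    hsm = ToyHSM()
    sic = SecureInterfaceControl(hsm)
    sic.configure("guest-1", secrets.token_bytes(32), is_secure=True)  # constructed secret
    code = sic.login("guest-1", b"guest-pin")
    blob = sic.generate_key("guest-1", code)
    other = hsm.login(b"guest-pin")  # same login data, but without the secret
    result = {
        "guest_sees_hsm_code": code in hsm.sessions,
        "usable_in_bound_session": hsm.can_use(sic.table[code], blob),
        "usable_without_secret": hsm.can_use(other, blob),
    }
    hsm.logout(other)
    sic.guest_stopped()
    result["sessions_after_stop"] = len(hsm.sessions)
    return result


if __name__ == "__main__":
    print(demo())
```

In this model the client only ever holds the code generated by the secure interface control, and a key blob copied out of the client is rejected in any HSM session that was opened without the secret.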

Embodiments of the present invention include various security measures to protect the integrity of the HSM and the secure client. For example, in some embodiments of the invention, if the security interface control crashes, all sessions in the HSM are terminated. In addition, if the HSM is removed from the server, all sessions in the HSM are terminated.

Embodiments of the present invention include computer implemented methods, computer program products, and systems for binding a security key of a secure client to a hardware security module. Various aspects of these embodiments are performed by a secure interface control, which may include software, hardware, and/or firmware. The software aspects are executed by one or more processors. Thus, for ease of understanding, aspects of various embodiments of the present invention are described as being broadly executed by program code that may include secure interface controls, regardless of the makeup of the aspects. Thus, in some embodiments of the invention, the program code configures the hardware security module for exclusive use by the secure client managed by the hypervisor. The configuring includes: the program code obtains, via the hypervisor, a configuration request for configuring the hardware security module from a given client of the one or more clients managed by the hypervisor; the program code determines whether the hardware security module has been configured for a particular client of the one or more clients, wherein the particular client and the given client comprise different clients of the one or more clients; based on determining that the hardware security module is not configured for the particular client, the program code determines that the given client comprises a secure client by evaluating metadata of the given client; and, based on determining that the given client comprises a secure client, the program code cancels establishing the configuration of the hardware security module by restricting access of the client to the hardware security module exclusively to the given client of the one or more clients. The program code logs the given client into the hardware security module, wherein logging into the hardware security module includes utilizing a secret of the given client, wherein the metadata includes the secret. Based on logging into the hardware security module, the program code obtains a session code from the hardware security module, and the session code is maintained by the one or more processors.

In some embodiments of the invention, maintaining comprises: the program code stores the association of the session code with the NULL session code in an association table in the secure interface control.

In some embodiments of the invention, the metadata of the client is integrity protected and the secret is encrypted by a key derived using a private key owned by the secure interface control. The private key may include encryption measures for the boot image of the given client.

In some embodiments of the invention, based on the configuration, the program code provides the given client with new session code for use by the given client in a request to the hardware security module.

In some embodiments of the invention, providing (by the program code) comprises: program code intercepts a hardware security module login request from a given client, wherein the hardware security module login request includes login data from the given client; the program code generates new login data based on the secret for the given client; the program code sends a new hardware security module login request from the given client to the hardware security module, wherein the new hardware security module login request includes new login data; the program code obtains a session code from the hardware security module; based on obtaining the session code from the hardware security module, the program code generates a new session code; the program code stores an association between the session code from the hardware security module and the new session code in a table; and in response to the login request, the program code sends the new session code to the given client.

In some embodiments of the invention, program code intercepts a request from a given client to a hardware security module, where the request includes new session code. The program code obtains the session code from the hardware security module associated with the new session code from the table. The program code updates the request from the given client to include a new request, wherein the new request includes the session code from the hardware security module instead of the new session code. The program code issues a new request to the hardware security module.

In some embodiments of the invention, the program code obtains fulfillment of the request from the hardware security module. The program code issues fulfillment of the request to the given client. In some embodiments of the invention, the request is selected from the group consisting of: a hardware security module security key generation request, and a hardware security module logout request.

In some embodiments of the invention, the program code obtains an indication from the hypervisor that the given client has stopped. The program code identifies an association in the table between the session code from the hardware security module and the new session code. Based on the table, the program code generates a list of one or more sessions that utilize session code from the hardware security module. The program code logs the given client out of the one or more sessions.

In some embodiments of the invention, the program code obtains an indication from the hypervisor that the given client has stopped. The program code removes the configuration.

In some embodiments of the invention, the program code obtains an indication from the hypervisor that the given client has stopped. The program code identifies a reference to a given client that is maintained in the hardware security module. The program code removes these references.

In some embodiments of the invention, the secure interface control is selected from a group comprising: firmware, hardware, and software.

In some embodiments of the invention, determining that the given client comprises a secure client by evaluating metadata of the given client comprises: the program code verifies one of the presence or type of the metadata.

In some embodiments of the invention, the program code utilizing the secret for the given client comprises: the program code decrypts the secret.

In some embodiments of the invention, the decrypting comprises: utilizing a key that is exclusively computed by the secure interface control.

Additional features are implemented through the techniques described herein. Other embodiments and aspects are described in detail herein and are considered a part of the claimed aspects.

Referring now to fig. 9, a schematic diagram of an example of a computing node (which may be a cloud computing node 10) is shown. Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein. In any event, cloud computing node 10 is capable of being implemented and/or performing any of the functions set forth above. In embodiments of the invention, secure client 250 (fig. 2), secure interface control 265 (fig. 2), and/or hypervisor 240 (fig. 2) may each be understood to execute on cloud computing node 10 (fig. 9) and, if not cloud computing node 10, one or more general purpose computing nodes comprising aspects of cloud computing node 10.

In the cloud computing node 10, there is a computer system/server 12 that is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems or devices, and the like.

Computer system/server 12 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer system/server 12 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

As shown in FIG. 9, computer system/server 12 is shown in the form of a general purpose computing device that may be used as a cloud computing node 10. The components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including system memory 28 to processors 16.

Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.

Computer system/server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 12 and includes both volatile and nonvolatile media, removable and non-removable media.

The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache 32. The computer system/server 12 may also include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be provided for reading from and writing to non-removable, nonvolatile magnetic media (not shown, and commonly referred to as "hard drives"). Although not shown, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk such as a CD-ROM, DVD-ROM, or other optical media may be provided. In such cases, each may be connected to bus 18 by one or more data media interfaces. As will be further depicted and described below, memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.

By way of example, and not limitation, a program/utility 40 having a set (at least one) of program modules 42, and an operating system, one or more application programs, other program modules, and program data may be stored in memory 28. Each of the operating system, one or more application programs, other program modules, program data, or some combination thereof, may include an implementation of a networked environment. Program modules 42 generally perform the functions and/or methodologies of embodiments of the present invention described herein.

The computer system/server 12 may also communicate with one or more external devices 14 (such as a keyboard, pointing device, display 24, etc.); one or more devices that enable a user to interact with the computer system/server 12; and/or any device (e.g., network card, modem, etc.) that enables computer system/server 12 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 22. Moreover, the computer system/server 12 may communicate with one or more networks, such as a Local Area Network (LAN), a general Wide Area Network (WAN), and/or a public network (e.g., the internet) via the network adapter 20. As shown, network adapter 20 communicates with the other components of computer system/server 12 via bus 18. It is to be understood that although not shown, other hardware and/or software components may be used in conjunction with the computer system/server 12. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archive storage systems, among others.

It should be understood that although this disclosure includes detailed descriptions regarding cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the invention can be implemented in connection with any other type of computing environment, whether now known or later developed.

Cloud computing is a service delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, VMs, and services) that can be provisioned and released quickly with minimal administrative cost or interaction with the service provider. Such a cloud model may include at least five characteristics, at least three service models, and at least four deployment models.

The characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provision computing capabilities (such as server time and network storage) automatically, on demand, without manual interaction with the service provider.

Broad network access: capabilities are available over the network and accessed through standard mechanisms that facilitate use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, where different physical and virtual resources are dynamically allocated and reallocated according to demand. Typically, the consumer has no control over or knowledge of the exact location of the resources provided, but can specify location at a higher level of abstraction (e.g., country, state, or data center), and thus has location independence.

Rapid elasticity: capabilities can be provisioned quickly and elastically (in some cases automatically) to scale out quickly, and released quickly to scale in quickly. To the consumer, the capabilities available for provisioning generally appear to be unlimited and may be purchased in any quantity at any time.

Measured service: cloud systems automatically control and optimize resource usage by leveraging metering capabilities at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency to both the provider and consumer of the utilized service.

The service models are as follows:

Software as a service (SaaS): the capability provided to the consumer is to use the provider's applications running on the cloud infrastructure. Applications may be accessed from various client devices through a thin client interface such as a web browser (e.g., web-based email). With the possible exception of limited user-specific application configuration settings, the consumer does not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, storage, or even individual application capabilities.

Platform as a service (PaaS): the capability provided to the consumer is to deploy on the cloud infrastructure consumer-created or obtained applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, or storage, but has control over the applications that are deployed, and possibly also the application hosting environment configuration.

Infrastructure as a service (IaaS): the capability provided to the consumer is to provision the processing, storage, network, and other underlying computing resources on which the consumer can deploy and run any software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over the operating systems, storage, and deployed applications, and possibly limited control over selected network components (e.g., host firewalls).

The deployment models are as follows:

Private cloud: the cloud infrastructure operates solely for an organization. It may be administered by the organization or a third party and may exist either inside or outside the organization.

Community cloud: the cloud infrastructure is shared by several organizations and supports specific communities with common interest relationships (e.g., tasks, security requirements, policy and compliance considerations). It may be administered by the organization or a third party and may exist either inside or outside the organization.

Public cloud: the cloud infrastructure may be available to the general public or large industry groups and owned by organizations selling cloud services.

Hybrid cloud: the cloud infrastructure consists of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technologies that enable data and application portability (e.g., cloud bursting for load balancing between clouds).

Cloud computing environments are service-oriented, with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.

Referring now to FIG. 10, an illustrative cloud computing environment 50 is depicted. As shown, cloud computing environment 50 includes one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as Personal Digital Assistants (PDAs) or cellular telephones 54A, desktop computers 54B, laptop computers 54C, and/or automobile computer systems 54N may communicate. The nodes 10 may communicate with each other. They may be physically or virtually grouped (not shown) in one or more networks, such as a private cloud, community cloud, public cloud, or hybrid cloud as described above, or a combination thereof. This allows the cloud computing environment 50 to provide infrastructure as a service, platform as a service, and/or software as a service without the cloud consumer needing to maintain resources for it on the local computing device. It should be understood that the types of computing devices 54A-N shown in FIG. 10 are merely illustrative, and that computing node 10 and cloud computing environment 50 may communicate with any type of computing device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 11, a set of functional abstraction layers provided by cloud computing environment 50 (FIG. 10) is shown. It should be understood at the outset that the components, layers, and functions illustrated in FIG. 11 are illustrative only and that embodiments of the present invention are not limited thereto. As shown, the following layers and corresponding functions are provided:

The hardware and software layer 60 includes hardware and software components. Examples of hardware components include: a mainframe 61; a RISC (reduced instruction set computer) architecture based server 62; a server 63; a blade server 64; a storage device 65; and networks and networking components 66. In some embodiments, the software components include web application server software 67 and database software 68.

The virtualization layer 70 provides an abstraction layer from which the following examples of virtual entities may be provided: the virtual server 71; a virtual memory 72; virtual networks 73, including virtual private networks; virtual applications and operating systems 74; and virtual client 75.

In one example, the management layer 80 may provide the functionality described below. The resource provisioning function 81 provides for dynamic acquisition of computing resources and other resources for performing tasks in a cloud computing environment. The metering and pricing function 82 provides cost tracking of the use of resources within the cloud computing environment and provides billing or invoicing for the consumption of these resources. In one example, these resources may include application software licenses. The security functions provide identity authentication for cloud consumers and tasks, and protection for data and other resources. User portal function 83 provides consumers and system administrators access to the cloud computing environment. The service level management function 84 provides for the allocation and management of cloud computing resources to meet the required service level. A Service Level Agreement (SLA) planning and fulfillment function 85 provides for the pre-arrangement and procurement of cloud computing resources for which future demands are predicted from SLAs.

Workload layer 90 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions that may be provided in this layer include: mapping and navigation 91; software development and lifecycle management 92; virtual classroom education delivery 93; data analysis processing 94; transaction processing 95; and binding the security key to the secure client 96. It will be appreciated that these are just a few examples, and in other embodiments, the layers may include different services.

The present invention may be a system, method, and/or computer program product with any possible level of technical detail integration. The computer program product may include computer-readable storage medium(s) having thereon computer-readable program instructions for causing a processor to perform various aspects of the present invention.

The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device such as a raised structure in a punch card or groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium as used herein should not be construed as a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or an electrical signal transmitted through a wire.

The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a corresponding computing/processing device, or to an external computer or external storage device via a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network). The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium within the respective computing/processing device.

Computer-readable program instructions for carrying out operations of the present invention may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state setting data, configuration data for an integrated circuit, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++, or the like, and a procedural programming language such as the "C" programming language or a similar programming language. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry comprising, for example, programmable logic circuitry, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA) may execute the computer-readable program instructions by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable storage medium has stored therein the instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The description of the various embodiments has been presented for purposes of illustration but is not intended to be exhaustive or limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles of the embodiments, the practical application, or improvements to the technology found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
