1. Technical Field
The present invention relates in general to data processing systems, and in particular to data security within such systems. More particularly, the present invention relates to an apparatus and method for logically binding data to a fixed location within a data processing system.
2. Description of the Related Art
Computer security encompasses a number of different aspects, from passwords and permissions to data encryption, virus protection, firewalls, VPNs, software bugs, data backup and physical system security. The continued growth in electronic communication and commerce over expansive computer-driven networks has resulted in a dramatic proliferation of potential data security problems as data is stored and delivered over multiple networked devices.
Specialized security hardware that complements transmission-based security has been developed to address the myriad of potential security threats to stored and/or transmitted digital data. Such complementary hardware security addresses hardening and assuring the integrity of the environment in which digital application data resides. This security hardware can be utilized for a number of purposes, including securing storage of confidential information such as security keys, and off-loading of intensive security operations such as Secure Socket Layer (SSL) processing or digital signature operations. So-called “smart cards” and hardware tokens are among the most common forms of secured hardware storage. These mechanisms are tamper-resistant, preventing unauthorized access to security keys. Hardware security devices can also perform cryptographic operations solely from within a system, thus providing a secure environment for access to confidential data as well as off-loading processor-intensive operations from network devices.
One such hardware security device is known as an embedded security system (ESS), which provides system security measures outside the interactive processing environment (i.e., the operating system). As depicted in FIG. 1, an ESS 102 is typically an integrated circuit chip that is permanently coupled (typically soldered) to a planar (e.g., a motherboard) 104 within a data processing system 100. Preferably, ESS 102 is uniquely associated with planar 104 such that ESS 102 is not transferable to another planar. To this end, one function of ESS 102 is to verify the identity of its host planar 104.
ESS security is not universally required, and implementing it in all data processing systems, particularly personal computers (PCs) and personal data assistants (PDAs), imposes unnecessary additional overhead costs on low-profit-margin products. A possible solution is to provide a removable installation site for optional ESS devices. While this approach provides greater flexibility for customers, it poses an unacceptable security risk for applications, such as public/private key transactions, in which specific data must be associated with a particular data processing system with absolute assurance.
Referring back to FIG. 1, another problem with conventional ESS security is that it provides a relatively inadequate barrier for assuring that sensitive data is uniquely associated with a particular data processing system. As explained above, ESS 102 is typically soldered onto planar 104. ESS 102 can potentially be desoldered, removed from planar 104, and installed onto another data processing system, thus compromising the security of data within ESS 102, particularly because this security depends on the object data being uniquely associated with data processing system 100.
From the foregoing, it can be appreciated that a need exists for a system that will ensure the status of data as being associated with a particular data processing platform. The present invention addresses such a need by providing a logical binding mechanism that avoids the aforementioned problems associated with physical binding mechanisms.