1. Field of the Invention
The invention described herein relates to information security and to security in networked information systems in particular.
2. Background Art
In a networked information system, information security functions are often allocated on a per machine basis. Each machine in the network is traditionally responsible for the security of information that the machine sends, receives, stores, or otherwise processes. Relevant security functions include, but are not limited to, encryption, decryption, authentication, key management, and integrity assurance.
While there are obvious advantages to having such functionality at each machine, there are also disadvantages. First, replication of all such functionality at each machine is expensive. Second, the amount of logic required to execute these functions can be considerable. In a software embodiment, this translates to large amounts of code, and a large amount of memory. Speed can also be an issue in a software implementation, given the amount of logic that must be executed.
In a hardware embodiment, extensive functionality translates to a significant space requirement, since considerable silicon may be needed. This, in turn, can lead to additional design concerns, such as those related to power consumption and heat dissipation. Finally, if long term key storage is required (e.g., in an architecture that complies with the Trusted Computing Platform Alliance (TCPA) Main Specification) then non-volatile memory (NVM) is also required at each client.
What is needed, therefore, is a security architecture that makes all of the necessary security functionality available at machines in a network in a cost effective manner. Preferably, this is accomplished in a manner that requires minimal silicon and/or memory, and avoids the need for NVM.