1. Field of Invention
The present invention relates to trusted computing technology, and more particularly to an inter-system binding method based on a hardware security unit and an application thereof.
2. Description of Prior Art
A hardware security unit, such as a Trusted Platform Module (TPM), generally provides functions for securing the uniqueness of the user identity and the integrity and privacy of the user's working space; securing the confidentiality and integrity of stored, processed and transmitted information; and securing the integrity of the hardware environment settings, operating system kernel, services and application programs. As the basis of a secure system, the hardware security unit gives the system immunity so as to block attacks from viruses and hacking software. Additionally, as a hardware key module, the hardware security unit keeps the keys used for encryption inside the chip, or encrypts them and stores them in an external space, instead of saving them in plain text on a hard disk or other media as is usual, and provides a reliable cryptography service to the system platform and application programs through hardware security unit software middleware. In this procedure, key management, secure data encapsulation/de-capsulation and digital signature calculation have very high security.
A device equipped with a hardware security unit may be referred to as a trusted computing system. In the prior specifications and techniques, the functions of the hardware security unit are effective only in the device where it is located, and there is no approach that uses the hardware security units to establish a trusted relationship between different devices equipped with them. Therefore, there is a need to extend the trusted computing functions to other trusted computing systems.
For example, a user owns two electronic devices, a personal computer (PC) and a mobile phone, both of which have hardware security units mounted on them. The user stores some private files on the PC, encrypted for storage with a key of the hardware security unit on the PC. If the user wants to transmit these files to the mobile phone for further processing, the following procedure must be performed: the files are first decrypted by inputting a decryption key on the PC; the decrypted files are then transmitted to the mobile phone; finally, the mobile phone uses its own hardware security unit to encrypt the received files for storage. This procedure has three problems. There is no mechanism for determining whether the counterpart trusted computing system is trustworthy. The transmission is performed in plain text, which is a potential security hazard. And the user is required to input keys or passwords during the decryption and encryption, which makes the procedure troublesome.
There are many other needs for trusted computing extensions, for example, between a laptop computer and a PC, a mobile phone and a PC, a mobile phone and a laptop computer, or a PC and a PC, in associations of wireless devices, and so on. However, the prior art offers no approach for granting trust between systems based on hardware security units.