Computer systems usually include persistent storage. Persistent storage is storage whose contents are preserved even when no power is supplied to the storage. Magnetic storage is normally non-volatile by nature, whereas semiconductor memories (e.g. dynamic and static RAM) are normally volatile.
Persistent storage may be used for maintaining state information. For example, in a rights management application that controls rights to audio material, state information may include information about how many times a user may listen to a certain audio file. When a use has occurred, the state information regarding the number of uses will be changed by the rights management application. The state information is maintained even when the rights management application is not running or is inactive, and when the computer system is off. Other contexts similarly use state information to store information in a persistent way.
Since state information may store sensitive data, such information must be protected from an adversary who may wish to change the data. An adversary in the rights management context, for example, may wish to change the state information to grant unlimited use of the audio file.
One way to secure the state information is through the use of cryptography, specifically a digital signature (or a keyed message authentication code) computed by a trusted party. Encryption alone hides the data but does not prevent its modification; a signature is what makes modification detectable. If a trusted party signs the state information each time it is changed, no change can occur in the state information without being detected. Before the use of the state information, it can be checked to make sure that it has been signed by the trusted party.
A problem with this is the problem of rollback. An adversary may save a version of the signed state information and, after the signed state information has been replaced with a newer version, the adversary may remove the newer version and replace it with the saved older version. Because the older version was also signed by the trusted party, the signature check alone will not detect the substitution. In the digital rights example, the adversary may replace state information indicating no plays remain for the user of the audio file with older state information indicating that some plays remain. In this way, the adversary may gain access to the content.
In order to prevent the rollback problem, a secure counter may be used. A secure counter is a counter that holds data (a counter value) securely, so that no adversary can change the data, and which can perform two operations on request. The secure counter can report on the counter value, and the secure counter can increment the counter value. Because operations on the counter are limited to these operations, the security of the counter is more easily ensured. If there is no way for a user or a computer system containing a secure counter to, for example, set a counter to a specific value, then an adversary will generally not be able to do so either.
To secure state information using a secure counter, when state information is signed, the counter value is incremented, and a copy of the counter value is appended to the state information and signed. Before state information is used, in addition to verifying the signature, the current counter value is checked and compared to the counter value appended to the state information and signed. The data is only used if the signature is verified and the appended counter value matches the current counter value. In this way, rollbacks can be prevented and security enhanced.
This rollback prevention method requires a secure counter for each piece of data that is being secured. When the counter is used to secure a first piece of data, the counter value is appended to that data and signed. In order to check the security of the data, the signature is verified and the counter value is checked against the actual present value of the counter. If a second piece of data is also secured using that same counter, then any modification of the first piece of data, which will entail a counter increment, will cause the verification of the second piece of data to fail, since the counter value stored with the second data will no longer be equal to the present value of the counter.
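The following is an added example, not code from the original document, illustrating both the counter-bound signing scheme above and the problem of sharing one counter between two pieces of state. The `SecureCounter` class is a hypothetical software stand-in for the hardware secure counter (it exposes only read and increment), and HMAC-SHA256 with a key held by the `TrustedParty` object is an assumption standing in for whatever signature the trusted party uses. All keys and state values are constructed for the demonstration.

```python
import hashlib
import hmac
import json


class SecureCounter:
    """Monotonic counter exposing only 'read' and 'increment'.

    Hypothetical software stand-in for the hardware secure counter: there is
    deliberately no way to set the value, only to read it or bump it by one.
    """

    def __init__(self):
        self._value = 0

    def read(self):
        return self._value

    def increment(self):
        self._value += 1
        return self._value


class TrustedParty:
    """Signs state together with the current counter value and verifies it.

    HMAC-SHA256 is an assumption standing in for the page's 'signature'; the
    key never leaves this object, so only the trusted party can produce tags.
    """

    def __init__(self, key, counter):
        self._key = key
        self._counter = counter

    def _tag(self, state, counter_value):
        # Canonical encoding so the same (state, counter) always tags identically.
        msg = json.dumps({"state": state, "counter": counter_value},
                         sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def save(self, state):
        # Increment first, then bind the new counter value into the signed record.
        n = self._counter.increment()
        return {"state": state, "counter": n, "tag": self._tag(state, n)}

    def load(self, record):
        state, n, tag = record["state"], record["counter"], record["tag"]
        # Check 1: the record was signed by the trusted party and is unmodified.
        if not hmac.compare_digest(tag, self._tag(state, n)):
            raise ValueError("signature check failed: state was tampered with")
        # Check 2: the bound counter value equals the present counter value.
        if n != self._counter.read():
            raise ValueError("counter mismatch: rollback or stale copy detected")
        return state


def tamper_demo():
    """Editing the state without re-signing fails the signature check."""
    tp = TrustedParty(b"constructed-demo-key", SecureCounter())
    rec = tp.save({"plays_remaining": 0})
    rec["state"]["plays_remaining"] = 99  # adversary edits the stored state
    try:
        tp.load(rec)
        return "tamper accepted"
    except ValueError as e:
        return str(e)


def rollback_demo():
    """The DRM example: a saved older record is rejected once superseded."""
    tp = TrustedParty(b"constructed-demo-key", SecureCounter())
    rec = tp.save({"plays_remaining": 1})   # counter -> 1, one play left
    saved_copy = dict(rec)                  # adversary keeps this copy
    rec = tp.save({"plays_remaining": 0})   # play consumed, counter -> 2
    tp.load(rec)                            # current record verifies
    try:
        tp.load(saved_copy)                 # bound counter 1 != present 2
        return "rollback accepted"
    except ValueError as e:
        return str(e)


def shared_counter_demo():
    """Two pieces of state on one counter: saving the second invalidates the first."""
    tp = TrustedParty(b"constructed-demo-key", SecureCounter())
    rec_a = tp.save({"plays_remaining": 3})   # counter -> 1
    rec_b = tp.save({"license": "valid"})     # counter -> 2, rec_a now stale
    results = {}
    for name, rec in (("a", rec_a), ("b", rec_b)):
        try:
            tp.load(rec)
            results[name] = "ok"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(tamper_demo())
    print(rollback_demo())
    print(shared_counter_demo())
```

`shared_counter_demo` returns `{"a": "rejected", "b": "ok"}`: record A still carries a valid signature, but its bound counter value is 1 while the counter now reads 2, which is exactly the failure the paragraph above describes when a single counter protects more than one piece of data.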
One possible solution is to implement in hardware a secure counter for each piece of data to be secured. However, this is obviously costly in terms of hardware. Additionally, increasing the number of secure counters may increase the complexity of the implementation of secure counters in hardware, and this increased complexity may introduce opportunities for security to be thwarted.
Thus, there is a need for a method that provides security for more than one set of data without a proliferation of hardware secure counters, a need heretofore unfilled in the art.