The present invention relates generally to the field of computing, and more particularly to multi-level security enforcement with a stateless cryptographic coprocessor.
Trusted computing may rely on highly trustworthy information processing systems using Multi-Level Security (MLS) or multiple levels of security. MLS is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of Multi-Level Security. One is to refer to a system that is adequate to protect itself from subversion and that has robust mechanisms to separate information domains, i.e., trustworthiness. Another context is to refer to an application of a computer that will require the computer to be strong enough to protect itself from subversion and that possesses adequate mechanisms to separate information domains, i.e., a system which must be trusted. This distinction is important because systems that need to be trusted are not necessarily trustworthy.
Multi-level security systems, used in high-assurance environments, require privilege separation and reliable tracking of origins and purpose of cryptographic keys and data. While MLS-specific capabilities are available in application-specific cryptographic service providers (CSPs), commodity providers lack the infrastructure of such information tagging. As a prerequisite of enforcing MLS rules, CSPs must associate types with essentially all their inputs, before adding any type-based rule enforcement.
Generic, commodity CSP programming interfaces (APIs), as a rule, do not associate attributes with raw host-visible data, and tend to offer only rudimentary key-usage attributes. Key-transport capabilities are particularly limited, and commodity APIs are mainly incapable of transporting key attributes securely. These deficiencies essentially prohibit a usage of commodity CSPs as building blocks within MLS environments, even if their functional APIs could be easily used by MLS-aware applications.
Thus, there is a need for a commodity CSP or cryptographic module accommodating MLS compliance, while retaining binary-compatible functionality for applications unaware of MLS extensions. A need may also be present for high-assurance key-usage restrictions which may be securely enforced within hardware security systems and managed externally from MLS hosts for a large number of clients requesting cryptographic services.