The present invention relates to data storage and processing, and, in particular, to methods and apparatus for encrypting, decrypting, and processing data in a secure computing environment.
Computing systems are becoming increasingly advanced, often tying multiple coprocessors together in order to boost processing speed and enhance overall performance. Often, computing systems integrate the coprocessors in parallel (or at least in concert) to increase processing efficiency. Such advances are critical to the success of many applications, such as real-time multimedia gaming and other computation-intensive applications.
Advanced computing systems may also include encryption technology in order to provide a more secure computing environment. Data may be encrypted and then stored in a memory for later access. Various encryption schemes have been employed to achieve a measure of security, e.g., using public and private keys, as is well known in the art.
There is a tradeoff in the amount of time and resources spent on encryption versus the security of the data. For example, a data stream may provide packets which include 256 bytes of data plus a header associated with each packet. All 256 bytes of data may be encrypted in accordance with a conventional encryption scheme. However, the encryption is computationally intensive, and additional packets of data may arrive during the time it takes to perform the encryption on the first packet of data. If the encryption system is not capable of keeping pace with the data transport system, the encryption processing will impair the overall system performance.
In the past, a variety of techniques have been employed to help address this encryption problem. One scheme performs encryption only on the header, which is typically much smaller than the data in the packet. The rationale is that if the header is rendered unusable, the data associated with it will likewise be rendered unusable. However, because the data of interest is itself not encrypted, anyone bypassing the encrypted header has immediate access to the data.
Another scheme performs partial encryption on the data within the packet. Here, the problems associated with full encryption (e.g., excessive time and resource usage) may be avoided. Furthermore, in contrast to header encryption, some of the data itself is encrypted, so the overall data block is of little practical use.
Unfortunately, secure data processing is difficult to achieve in a multiprocessing environment, or in a processing environment where distinct processors have access to a shared memory. In a multiprocessor environment, raw data may be passed along common buses. This data can be readily obtained by accessing connections (e.g., pins) between components on a computer chip. It is also possible that critical data may be obtained by one coprocessor even though it is meant for processing by another coprocessor. This scenario is even more alarming in distributed computing environments where coprocessors (or distinct processors) may be physically separated from one another and/or under the control of different entities, which may become common in advanced gaming environments, to name one such application.
Therefore, there is a need in the art for new methods and apparatus for achieving data security without incurring excessive encryption processing time or wasting valuable computing resources.