Abstract: An embodiment of the present disclosure provide a key protection method, via setting that each core of the multi-core process may have one symmetric master key, dynamically obtaining the plaintext private key of the asymmetric algorithm via a decryption operation and using the Intel TSX, it may be ensured that the private key and the intermediate variables used in the computation process may be stored in the cache occupied by the operation core only in terms of the hardware level, which may prevent the attackers from stealing the private key from the physical memory and ensure the security of the implementation of the public-key cryptographic algorithm in the computer system.

Abstract: A system and method for providing cryptographic operation service in a virtualization environment. In the system, a configuration subsystem provides an interface for an administrator and a common user to input information about a virtual cryptographic device. A key file storage subsystem stores a key file and protects it with the protection password. A virtual machine operating subsystem obtains a corresponding key file from the storage subsystem according to the input of the configuration subsystem, creates a virtual device for a guest virtual machine, and finally operates the guest virtual machine to provide cryptographic computing service for the guest virtual machine. Thus the administrator/the common user can specify a key file and input a protection password for a guest virtual machine via the corresponding interface to facilitate the creation of a virtual cryptographic device, and can manage the virtual cryptographic device in a user-friendly and centralized manner.

Abstract: The present invention discloses a method and a system for checking revocation status of digital certificates in a virtualization environment.

Abstract: A system and method for providing cryptographic operation service in a virtualization environment. In the system, a configuration subsystem provides an interface for an administrator and a common user to input information about a virtual cryptographic device. A key file storage subsystem stores a key file and protects it with the protection password. A virtual machine operating subsystem obtains a corresponding key file from the storage subsystem according to the input of the configuration subsystem, creates a virtual device for a guest virtual machine, and finally operates the guest virtual machine to provide cryptographic computing service for the guest virtual machine. Thus the administrator/the common user can specify a key file and input a protection password for a guest virtual machine via the corresponding interface to facilitate the creation of a virtual cryptographic device, and can manage the virtual cryptographic device in a user-friendly and centralized manner.

Abstract: The present invention discloses a method and a system for checking revocation status of digital certificates in a virtualization environment.

Abstract: A multi-core processor based key protection method and system is described. An Operating System (OS) supporting Symmetric Multi-Processing (SMP) is set up on a multi-core processor. One core of the multi-core processor is configured as a cryptographic operation core, which is prohibited from running other processes of the OS and dedicated to perform a public-key cryptographic operation. The private key and an intermediate variable in a process of the public-key cryptographic operation are stored in a cache exclusively occupied by the cryptographic operation core.

Abstract: The present invention discloses a method and a system for protecting root CA certificates in a virtualization environment. The method installs a root CA certificate security manager on a host computer. The root CA certificate security manager stores the lists of root CA certificates and provides certificate validation service to virtual machines via a read-only interface. When a virtual machine needs the verification of a certificate, it sends a certificate validation service request to the root CA security manager. The root CA certificate security manager provides certificate validation services to the virtual machine in response to the request.

Abstract: The present invention discloses a method and a system for protecting root CA certificates in a virtualization environment. The method installs a root CA certificate security manager on a host computer. The root CA certificate security manager stores the lists of root CA certificates and provides certificate validation service to virtual machines via a read-only interface. When a virtual machine needs the verification of a certificate, it sends a certificate validation service request to the root CA security manager. The root CA certificate security manager provides certificate validation services to the virtual machine in response to the request.

Abstract: An embodiment of the present disclosure provide a key protection method, via setting that each core of the multi-core process may have one symmetric master key, dynamically obtaining the plaintext private key of the asymmetric algorithm via a decryption operation and using the Intel TSX, it may be ensured that the private key and the intermediate variables used in the computation process may be stored in the cache occupied by the operation core only in terms of the hardware level, which may prevent the attackers from stealing the private key from the physical memory and ensure the security of the implementation of the public-key cryptographic algorithm in the computer system.

Abstract: A multi-core processor based key protection method and system is described. An Operating System (OS) supporting Symmetric Multi-Processing (SMP) is set up on a multi-core processor. One core of the multi-core processor is configured as a cryptographic operation core, which is prohibited from running other processes of the OS and dedicated to perform a public-key cryptographic operation. The private key and an intermediate variable in a process of the public-key cryptographic operation are stored in a cache exclusively occupied by the cryptographic operation core.

Abstract: A digital certificate issuing system with intrusion tolerance ability and the issuing method thereof are disclosed. The system comprises an offline secret key distributor, at least one online task distributor, k online secret share calculators and m online secret share combiners.

Abstract: Disclosed is a digital certificate issuing system with intrusion tolerance ability and the issuing method thereof. The system comprises a task distributor, k calculators, m combiners and a sub-secret-key distributor. The processing of distributing a private key of a Certificate Authority comprises the steps of: the sub-secret-key distributor expressing a private key d as a sum of t sub-secret-keys dji and one sub-secret-key ca, and t<k; the distributor distributing k×l random numbers dji into i dji per calculator and sends them to k calculators, obtaining a set of ca and their equation combination representations and sending them to m combiners for pre-storage according to the combiner security condition.