Abstract: The method includes receiving a challenge request sent by a first service trusted server and obtaining to-be-verified information of the first service trusted server in the challenge request; sending a verification request to a trusted remote proving server, wherein the verification request includes the to-be-verified information of the first service trusted server; and obtaining a verification response returned by the trusted remote proving server.

Abstract: Methods, apparatuses, systems, storage media, and computing devices for updating a measurement are disclosed. One of the methods includes: detecting that an application device initiates a measurement update, wherein the measurement update includes at least one of: an object update that updates a measurement object, and a policy update that updates a policy; and performing measurement update processing upon verifying that the measurement update satisfies a predetermined condition, wherein the measurement update processing includes performing an update process on at least one of content included in an execution of a measurement process, and wherein the measurement process includes calculating a measurement object using a predetermined algorithm, comparing a calculation result with a pre-stored verification reference value, and determining that an integrity of the measurement object is not corrupted if a comparison result is consistent.

Abstract: The disclosure provides a key generation method and apparatus. The key generation method comprises: encrypting a first key factor generated by a first device with an initial key, and sending the encrypted first key factor to a second device through a first secure channel, wherein the initial key is a key preset for the first device and the second device; receiving, through the first secure channel, a second key factor encrypted with the initial key, wherein the second key factor is generated by the second device; decrypting the second key factor encrypted with the initial key and received through the first secure channel, so as to obtain the second key factor; and generating a shared key between the first device and the second device according to the first key factor and the second key factor.

Abstract: A data processing method based on an integrated chip is provided. The method includes providing computing information of a trusted computing chip to a high-speed encryption chip, and invoking the high-speed encryption chip to perform data encryption or trusted computing based on the computing information. As such, after these two types of chips are integrated, these two types of secure computing (the trusted computing and the data encryption) can share common computing information. Compared with using individual sets of computing information before integration, corresponding hardware and management costs are reduced. Moreover, the trusted computing chip is superior to the high-speed encryption chip in terms of functional integrity and reliability for data encryption functions. Storing the computing information by the trusted computing chip can improve the security of the data encryption.

Abstract: Measurement methods, devices and systems based on a trusted high-speed encryption card are disclosed. One of the methods includes: a BIOS actively measuring at least one firmware in a device if an integrity measurement result made by a trusted security chip for the BIOS indicates that the integrity thereof is not corrupted; loading one or more firmware if the integrity of the one or more firmware in the device actively measured by the BIOS is not corrupted; and forbidding a system of the device from being started or controlling the system to enter into a non-secure mode if the integrity of one or more firmware in the device actively measured by the BIOS is corrupted.

Abstract: A method including a security chip receiving a cryptographic operation request; the security chip acquiring a measurement result, wherein the measurement result is a result of measuring a dynamic measurement module in a cryptographic operation module by using a platform measurement root; and the security chip starting a cryptographic operation when determining that the measurement result is identical to a pre-stored standard value. The present disclosure solves a technical problem of failure to guarantee a dynamic trust for measurement code when starting dynamic measurement of a cryptographic operation.

Abstract: Identity information processing method and apparatus are disclosed. The method includes: obtaining customized information of a user process on an integrated chip; determining a target operational firmware preloaded on a reconfigurable chip according to the customized information; generating first process identity information used for verifying the user process based on the target operational firmware and a fixed operational firmware of a non-reconfigurable chip; and providing the first process identity information to a privacy certificate issuing authority for performing firmware legitimacy verification of an operational firmware to determine that an identity of the user process is legitimate according to a result of the firmware legitimacy verification.

Abstract: Key processing methods and apparatuses, storage media, and processors are disclosed. A method includes: a security chip receiving a dynamic measurement request for a cryptographic operation; and the security chip generating a child key of a platform measurement root key based on the platform measurement root key and a random number, wherein the child key of the platform measurement root key is used for encrypting a loading process and an execution process measured by a dynamic measurement module, and the dynamic measurement module is a module used for measuring a firmware that performs cryptographic operations. The present disclosures solves the technical problems that existing key processing methods cannot guarantee the integrity of cryptographic operation algorithm firmware and the credibility of cryptographic operation execution environments during a cryptographic operation process.

Abstract: A trusted measuring method including: measuring, by a trusted platform control module, itself after being powered on; measuring, by the trusted platform control module, a high-speed encryption/decryption module when the measurement of the trusted platform control module by itself is valid; and measuring, by the trusted platform control module in combination with the high-speed encryption/decryption module, the integrity of a platform and a system when the measurement of the high-speed encryption/decryption module by the trusted platform control module is valid. The measuring process includes: calculating a measurement object by using a predetermined algorithm, comparing the calculation result with a pre-stored verification reference value, and determining that the integrity of the measurement object is not destroyed if the comparison result is consistent.

Abstract: A method for quantum key output is disclosed. The method can be implemented by a first quantum key management device. The method can comprise acquiring a first quantum key from a first quantum key distribution device, according to the obtained first key acquisition request, and storing the acquired first quantum key in a first management device address range in a first storage media, the first management device address range having the same address range indicator as a second management device address range in a second storage media for storing a corresponding second quantum key acquired by a second quantum key management device, wherein the address range indicator is one of a pair of head address and a tail address, a head address and a range length, or a head address and a length of one of the first quantum key or the second quantum key.

Abstract: The method includes receiving a challenge request sent by a first service trusted server and obtaining to-be-verified information of the first service trusted server in the challenge request; sending a verification request to a trusted remote proving server, wherein the verification request includes the to-be-verified information of the first service trusted server; and obtaining a verification response returned by the trusted remote proving server.

Abstract: The method includes receiving a challenge request sent by a first service trusted server and obtaining to-be-verified information of the first service trusted server in the challenge request; sending a verification request to a trusted remote proving server, wherein the verification request includes the to-be-verified information of the first service trusted server; and obtaining a verification response returned by the trusted remote proving server.

Abstract: An authentication method for a QKD process includes: a sender selects a basis for preparing authentication information according to an algorithm in an algorithms library, and respectively applies different wavelengths to send quantum states of control information and data information according to a preset information format; a receiver filters the received quantum states, employs a basis of measurement corresponding to the algorithm to measure the authentication information quantum state, sends reverse authentication information when the measurement result is in line with the algorithm, and terminates the distribution process otherwise. In addition, the sender terminates the distribution process when its local authentication information is inconsistent with the reverse authentication information.

Abstract: A method, an apparatus, a system and a computing system for policy deployment of a trusted server are provided. The method includes sending a metric policy of at least one metric object and a verification policy of at least one verification object in a process of policy deployment of a trusted server to a service center; the trusted server receiving reminder information returned by the service center, wherein the reminder information is used for representing a reminder to the trusted server to redeploy a metric algorithm and a verification algorithm that are consistent if a metric algorithm of a metric object is detected to be inconsistent with a verification algorithm of a corresponding verification object. The present disclosure solves the technical problems of poor independence and flexibility due to the use of a same metric algorithm for all metric objects by existing trusted server policy management solutions.

Abstract: One embodiment described herein provides a system and method for facilitating user access to encryption keys stored within a hardware module. During operation, a server coupled to the hardware module receives a key request from the user, the key request comprising a user identifier and a key identifier. The server receives a voice message from the user, extracts voice features from a voiceprint associated with the received voice message, looks up voice features stored within the hardware module based on the user identifier, and compares the extracted voice features with the voice features stored within the hardware module. In response to the extracted voice features matching the stored voice features, the server retrieves from the hardware module an encryption key based on the user identifier and the key identifier.

Abstract: A BIOS (Basic Input/Output System) flashing method and a BIOS image file processing method, belonging to the field of computers, are provided. The methods include: obtaining a BIOS image file, the BIOS image file carrying a first verification parameter and a first file parameter, verifying that the first verification parameter has validity, verifying that the BIOS image file has completeness based on the first file parameter; and performing BIOS flashing employing the BIOS image file verified as having completeness. The present disclosure may improve security and reliability of data servers.

Abstract: A method including obtaining a BIOS image file carrying a private key signature of the BIOS management server, verifying that the BIOS image file has validity according to a public key of the BIOS management server, and verifying that the BIOS image file has integrity according to the pre-stored first file parameter. If both the validity and integrity of the BIOS image file are verified, the BIOS is started. This present disclosure improves the security and reliability of the data server.

Abstract: One embodiment described herein provides a system and method for ensuring data and computation security. During operation, a server receives a key-negotiation request from a client and authenticates the client. In response to the client authenticating the server, the server negotiates, via a quantum-key-distribution process, a secret key shared between the client and the server; and stores the secret key in a trusted-computing module.

Abstract: The disclosure provides a key generation method and apparatus. The key generation method comprises: encrypting a first key factor generated by a first device with an initial key, and sending the encrypted first key factor to a second device through a first secure channel, wherein the initial key is a key preset for the first device and the second device; receiving, through the first secure channel, a second key factor encrypted with the initial key, wherein the second key factor is generated by the second device; decrypting the second key factor encrypted with the initial key and received through the first secure channel, so as to obtain the second key factor; and generating a shared key between the first device and the second device according to the first key factor and the second key factor.

Abstract: A quantum key distribution system includes a quantum security key management (QSKM) device, a plurality of quantum security key distribution (QSKD) devices, and a quantum security key service (QSKS) device. The QSKD device splits an identity-based system private key into a plurality of system sub-private keys, and distributes the plurality of system sub-private keys to a corresponding number of the QSKD devices. The QSKS device forwards a request for acquiring an authorized private key from a first QSKD device to a predetermined number of second QSKD devices. The predetermined number of second QSKD devices each generate an identity-based authorized sub-private key from the system sub-private key. The first QSKD device acquires, from the predetermined number of second QSKD devices, the identity-based authorized sub-private keys, and reconstructs an identity-based authorized private key based on the identity-based authorized sub-private keys.