A method and system are disclosed for allowing a central processing unit (CPU) to perform signing/decryption operations securely. The system includes the CPU, which embeds an asymmetric private decryption key called CPU Decryption Key (CDK). A public key corresponding to the CDK, known as CPU Encryption Key (CEK) is published by the CPU vendor, and comes with a vendor-signed certificate. The CPU exposes two instructions - IMPORT_KEY and USE_KEY, which point to memory locations for storing decrypted keys, wrapped keys, and data. The disclosed mechanism provides a high level of security in cloud environments by providing a secure key delivery to the signer and protecting the signer. In addition, it involves low cost when compared to hardware security modules(HSM).
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Savagaonkar, Uday and Honig, Andrew, "A Cpu-Instruction-Based Asymmetric Signing/Decryption Mechanism For Secure Handling Of Asymmetric Keys", Technical Disclosure Commons, (September 20, 2018)