WO2025027180A1 - Network of trusted execution environments - Google Patents

Abstract

The invention relates to a network of at least two trusted execution environments and a method for forming a network of at least two trusted execution environments. The invention also relates to a method for operating and expanding a network of trusted execution environments.

Description

network of secure data processing environments

The invention relates to a network of at least two secure data processing environments and a method for forming a network of at least two secure data processing environments (Network of Trusted Execution Environments). The invention also relates to a method for operating and expanding a network of secure data processing environments.

It is known from the state of the art to use central data processing facilities (servers) to coordinate the flow of data in information technology infrastructure. The advantages of digitization are largely based on the networking of digitized devices and equipment. These only rarely interact directly with each other. Servers usually coordinate the flow of data. In order to be able to reliably provide digitization services that are critical to the welfare of society, trustworthy provision and maintenance of the servers must be guaranteed.

Such data processing facilities and procedures have, provided they are carefully implemented, the property that access by both third parties and the personnel operating the data processing system to the data processed by the system is restricted and controlled by technical and organizational measures, such as those required in the requirements catalogs of the ISO/IEC standards of the 27k series or the Federal Office for Information Security (BSI C5), so that a minimum level of protection against unauthorized data access or manipulation of the data processed by the facility can be achieved.

As long as the design of the data processing facilities does not comply with the principles of security against manipulation, i.e. the requirement that changes to the system may only be possible through the cooperation of employees from several different organisations involved in the construction and operation of the data processing system, data processing facilities and procedures for protecting the confidentiality and integrity individual employees from the organizations involved in the construction and/or operation of the data processing system still violate regulations for the protection of confidentiality and integrity and, as a result, violate the confidentiality and/or integrity of the data processed in the data processing facilities.

The probability of such a breach of the confidentiality and/or integrity of the data processed in the data processing facilities decreases by several (decimal) orders of magnitude if the principles of designing the data processing facilities in accordance with security against manipulation, as described, for example, in [H. A. Jäger et al. (2020). Tamper-proof cloud infrastructures. ISBN 978-3-658-31848-2. Pages 33-79. Springer Nature.], are observed.

Assuming the independence of employees from several different organisations involved in the construction and/or operation of the data processing facilities, the aforementioned probability that the properties of tamper-proof data processing facilities will be changed and that this change will be used to violate the confidentiality and/or integrity of the data processed in the data processing facilities can be considered as the probability of infidelity by a single employee of these organisations multiplied by the number of different independent organisations necessary to make a change.

Such tamper-proof data processing devices and the state-of-the-art methods implementing them provide a high level of security against violations of the confidentiality and/or integrity of the data processed by them by ensuring that no data is available unencrypted outside of the program execution environments or data processing environments (Trusted Execution Environments, TEE) intended for data processing. For example, such TEE can be implemented at chip level as “Software Guard Extensions” (SGX) from Intel Corporation, as described in [I. Anati et al. (2013). Innovative Technology for CPU Based Attestation and Sealing. In Workshop on Hardware and Architectural Support for Security and Privacy HASP '13.]. Furthermore, TEE can be implemented at server and multi-server level, for example by the precautionary deletion of data within a module as soon as an attack attempt is detected, as is the case in [FIPS PUB 140-2: Security Requirements for Cryptographic Modules. NIST. July 26, 2007. “Security Level 4 provides the highest level of security. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate deletion of all plaintext critical security parameters. ”] Another class of secure computing environments at chip level encapsulate large parts of the computing, for example an entire “virtual machine”, in such a way that the programs used for computing do not have to be adapted to the secure computing environment, or only slightly so. Two examples of such TEEs at chip level implement the TEEs described in [D. Kaplan (2017). PROTECTING VM REGISTER STATE WITH SEV-ES. “Secure Encrypted Virtualization” (SEV) from Advanced Micro Devices Corporation (AMD) described in https://www.amd.com/en/developer/sev.html by AMD], as well as “Trusted Domain Extensions” (TDX) from Intel Corporation described in [P.-C. Cheng et. al (2023). Intel TDX Demystified: A Top-Down Approach. In https://arxiv.org/abs/2303.15540 by IBM Research].

Such tamper-proof data processing environments and the procedures implementing them also provide a high level of security against breaches of confidentiality and/or integrity if the keys used to encrypt the results and intermediate results of the data processing tasks as soon as they leave the TEE are generated exclusively in a clearly defined and closed network of secure data processing environments and do not leave this network.

In order to be able to restart the network even in the event of a simultaneous failure of all data processing environments in the network, in some designs of such networks of tamper-proof data processing environments, in accordance with the state of the art, a sufficiently large group of mutually independent auditors of the system share an initially automatically generated original secret, for example using the “Shamir Secret Sharing” method [A. Shamir (1979). How to Share a Secret. Programming Techniques. Editor R. Rivest. Communications of the ACM. Vol. 22 No. 11.], which they recreate in a system of data processing environments after a successful completion of the audit by sufficient subset of partial secrets (Sharmir parts) is entered at a human-machine interface.

In the case of state-of-the-art combinations of data processing environments and the processes that implement them, the configuration of the technical parameters required to distribute the original secret is usually a manual process that must be carried out individually for each data processing environment and is also part of the implementation review by independent auditors. In order to limit the effort of the manual processes, in practice only combinations of secure data processing environments with the same technology and design are used.

The disadvantage of this is that the manual process, which has to be carried out individually for each data processing environment, is time-consuming and costly. This disadvantage makes the formation and expansion of large networks from a large number of secure data processing environments impractical.

In addition, there is the disadvantage that the use of different types of secure data processing environments when forming a network of data processing environments means an additional high expenditure of time and costs for forming a network.

A further disadvantage is that the manual processes for setting up the federation of secure data processing environments can become subject to abuse of the privilege for setting up the federation and thus the security against violations of confidentiality, integrity and availability can be lost.

Even if, in accordance with the state of the art, the cooperation of several independent persons to form or expand an association is enforced by means of the secure sharing of a common original secret, fraudulent cooperation between these persons cannot be ruled out. In addition, depending on the state of the art, it may happen that the (partial) secret holders required to set up a network or to expand an existing network are not available, making it impossible to set up a network or expand an existing network.

In some of the secure data processing environments implemented in accordance with the state of the art, for example those designed by encrypting "virtual machines" (such as TDX from Intel Corporation or "Secure Encrypted Virtualization" (SEV) from AMD Corporation), in addition to the encapsulation of the processing environment, there is privileged access to the computing resources and the data processed by them. This privileged access is not disadvantageous in some of the application constellations, for example if the administrators of the servers are to be excluded, but the administrators of the application logic, i.e. the application software, are trusted. However, in constellations in which no administrator, not even the administrators of the application logic, should be able to violate the confidentiality and integrity of the data, this remaining privileged access and the associated access options to the resources, to the coding of the application logic and to the data processed by it is a disadvantage.

The object of the invention is therefore to provide a network and a method for forming a network of secure data processing environments which provide a very high level of protection against the violation of the confidentiality of the data and the programs processing them, the integrity of the data and the programs processing them and the availability of the data and the programs processing them, without having the disadvantages of the networks and methods for forming such networks known from the prior art.

This object is achieved according to the invention by the methods and devices according to the independent claims. Advantageous further developments are specified in the respective dependent claims.

The invention relates to a network and a method for forming a network of at least two secure data processing environments (Network of Trusted Execution Environments), in which the secure data processing environments are coupled to each other autonomously and without human intervention in such a way that (partial) secrets or identities would have to be entered manually, combine to form a network and/or lock remaining privileged accesses, so that the complexity and costs of forming and expanding networks of secure data processing environments are low compared to the state of the art, correspondingly large networks are practicable and the misuse of privileges as well as a fraudulent violation of the confidentiality and integrity of the data and/or the programs processing the data are largely excluded.

The invention has the following particular advantages:

1. Since the secure data processing environments of an initial set of secure data processing environments defined to form a network of secure data processing environments (Network of Trusted Execution Environments), whose secure data processing environments can mutually attest to their status as a secure data processing environment, determine autonomously among themselves which of the secure data processing environments generates the original secret, which is then transmitted to the participating secure data processing environments and to the additional secure data processing environments, both the complexity and the costs of setting up a network of secure data processing environments are significantly reduced compared to the state of the art and security is increased compared to the state of the art, since the misuse of an administrator privilege that is unavoidable in the case of manual interventions is largely excluded.

2. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for automatically transmitting secure data processing environments added to a network when it is expanded, the identity and the creation history of the network, the complexity and costs for expanding a network of secure data processing environments are significantly reduced compared to the prior art.

3. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for protecting other secrets that for the operation of the network of data processing environments and/or software instances of the network, can be clearly and repeatably derived from the original secret, it is possible to form large networks of many secure data processing environments with such stateless secure data processing environments with low complexity and low costs and thus to achieve a particularly high level of protection against the loss of the original secret. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for not having to resort to the involvement of human persons by entering (partial) secrets at a human-machine interface, nor the entry of identities of one of the secure data processing environments involved, on the one hand no fraudulent behavior can lead to a loss of confidentiality or integrity and on the other hand no situations can arise in which the necessary human persons as bearers of (partial) secrets are not available to form or expand a network of secure data processing environments. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for automating not only the generation of the original secret but also other parts of the method for forming a network of secure data processing environments, the complexity and costs of forming large networks of many secure data processing environments are further reduced. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for generating the original secret and other secrets by method parts that are implemented independently of the design of the secure data processing environments used, different versions of secure data processing environments can be used mixed in a network, which means an advantageous flexibility for the method and the resulting networks. Different versions of secure data processing environments with different, practically relevant Properties can be used in a mixed manner, thus reducing costs through better adaptation to practical requirements. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for forming a network of secure data processing environments, a first secure data processing environment which, according to its design, has privileged access, with a second secure data processing environment which, according to its design, does not have privileged access, in such a way that the second secure data processing environment which, according to its design, does not have privileged access, exclusively controls the privileged access of the first secure data processing environment, privileged access is no longer given in the inventive combination of the two secure data processing environments, and thus a violation of the confidentiality of the data and the programs which process them, and of the integrity of the data and the programs which process them, is largely excluded. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for using several secure data processing environments, which according to their design do not have privileged access, to exclusively control the privileged access(s) of one or more secure data processing environments, which according to their design have privileged access, complex and extensive software packages and application logic can be largely protected against a violation of the confidentiality of the data and the programs that process them, the integrity of the data and the programs that process them, and a violation of the availability of the data and the programs that process them. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for administering the secure data processing environments via a positively defined list of commands for carrying out administration activities, the advantage arises that flexible maintenance of the programs executed by the secure data processing environments is possible. 10. Since the methods and devices according to the invention for forming a network of secure data processing environments are finally suitable for one or more secure data processing environments, which according to their design do not have privileged access, and in a nested manner within a secure data processing environment, which according to its design does not have privileged, unrestricted access but does have an interface via which a plurality of positively defined commands for carrying out administration activities can be triggered, which exclusively control the positively defined commands for carrying out administration activities, this results in the advantage that this enables a flexible distribution of responsibilities to different administrators.

Details and features of the invention as well as concrete embodiments of the invention emerge from the following description in conjunction with the drawings. It shows:

Fig. 1 is a block diagram of an inventive network of secure data processing environments to explain the inventive method for forming such a network with the designations:

V-DVU network of secure data processing environments

S1 to Sn Server 1 to Server n

DVU 1,1 to DVUl,ml secure data processing environment 1 of server 1 to secure data processing environment ml of server 1

DVUn,l to DVUn,mn secure data processing environment 1 of server n to secure data processing environment mn of server n

KS1 to KSh Configuration Server 1 to Configuration Server h

AVS1 to AVSk Authenticity Verification Server 1 to Authenticity

verification server k

Fig. 2 shows a state diagram of an embodiment of the method according to the invention for forming a network of secure data processing environments with the designations: Z1 to Z6 States of the secure data processing environments 1 to 6 with the designations “UNINITIALIZED”, “NEGOTIATION PHASE”, “EXCHANGE KEY PHASE”, “VERIFICATION PHASE”, “ONLINE”, and “IMPORT PHASE”

BOO State change during initialization of the bootstrap subprocedure “INIT BOOTSTRAP”

AND Obtaining acceptance of the negotiation data “ACCEPT NEGOTIATION DATA“

ASA state change as soon as all initially involved secure data processing environments have accepted the checks of the last current state: “ALL SEEDS ACCEPTED”

AKD Obtaining acceptance of the key data “ACCEPT KEY DATA” AVR Obtaining acceptance of the verification report “ACCEPT VERIFICATION REPORT”

IMP State change to initialize an extension of the network by adding a secure data processing environment “INIT IMPORT”

AIM Obtaining acceptance of the existing data of the network “ACCEPT IMPORT DATA”

RST state change to return to the initial state “RESET”

Fig. 3 is the same block diagram as in Fig. 1, wherein the network of secure data processing environments is added to explain the method part for extending the network, a server with one or more secure data processing environments with the following designation: Sn+1 Server n+1

Fig.4 is a collection of 4 block diagrams a), b), c) and d) to explain the method according to the invention for forming a network of secure execution environments with the designations:

V-DVU network of secure execution environments

S 1 to S4 Server 1 to Server 4 DVU1 and DVU3 secure data processing environments that have privileged access and access

PZ Privileged Access and Access

DVU2 and DVU4 secure data processing environments that do not have privileged access and access

ALI and AL2 Application Logic 1 and Application Logic 2

AC1 Administrator Client 1

NC1,1 to NCl,p User client of ALI 1 to User client of ALI p

NC2,1 to NC2,q User client of AL2 1 to User client of ALI q

AZL1 User Access Logic 1

Fig.4 a collection of 2 block diagrams a) and b) to explain the method according to the invention for forming a network of secure execution environments with the designations:

V-DVU network of secure execution environments

S5 to S8 Server 5 to Server 8

DVU5 and DVU6 secure data processing environments that have privileged access and access

PZ Privileged Access and Access

DVUC7 and DVUC8 Control units (controllers) of the secure data processing environments 7 and 8

DVU7 and DVU8 secure data processing environments that no longer have privileged access

AL5 to AL8 Application Logic 5 to Application Logic 8

AC56 Administrator Client for DVU5 and DVU6

AC78 Administrator Client for DVU7 and DVU8

NC5,1 to NC5,p User client 1 to p of AL5

NC6,1 to NC6,q User client 1 to q of AL6

NC7,1 to NC7,r User client 1 to r of AL7

NC8,1 to NC8,s User client 1 to s of the AL8 The devices and methods according to the invention enable adequate protection against violations of the confidentiality of the data and/or programs processing them, the integrity of the data and/or programs processing them and/or the confidentiality of the data and/or programs processing them, as well as reducing the complexity and costs of forming a network of secure data processing environments.

The plurality of m secure data processing environments DVU 1,1, DVU1,2 to DVUl,ml shown in Fig. 1 are components of a first data processing device, which in practice is called a "server", here Sever 1 (Sl). Such servers comprise, among other things, a housing, a power supply, the network components, the persistent and volatile storage units and one or more processor units. Depending on the design, the secure data processing environments are implemented, for example, as components of the processor units and the main memory using firmware, i.e. extension of the machine-level instruction sets (e.g. Software Guard Extensions Secure Encrypted Virtualisation or Trusted Domain Extension). When a secure computing environment is initiated by software programs running on one of the server's processors, it is determined which keys the secure computing environment will use to encrypt data written to the volatile memory (random access memory, RAM) or to the persistent memory (storage). In some versions of secure computing environments, the keys are written in special registers on the processor chips that are intended only for this purpose.

Additional secure data processing environments DVUa,b, where a is one of { 1, 2, .. n} and b is one of { 1, 2, .. ma}, are provided by a large number of servers, server 2 (S2), server 3 (S3) to server n (Sn). All of these secure data processing environments are registered with configuration servers 1 (KS1) to configuration server h (KSh) according to their identity and specific technical design and obtain all software and configuration information from there when the system starts. This includes, among other things, information about which secure data processing environments belong to the network to be formed from this defined set of secure data processing environments. In addition, all of these secure data processing environments are registered with the authenticity verification servers 1 (AVS1) to k (AVSk) according to their identity and their specific technical design. This means that the data processing environments can attest to each other with the help of the authenticity verification servers 1 (AVS1) to k (AVSk) that they are fundamentally entitled to participate in the inventive formation of a network of secure data processing environments (V-DVU).

At least two secure data processing environments DVUc,d and DVUe,f, where c and e are from { 1, 2, .. n}, d from { 1, 2, .. md} and f from { 1, 2, .. me}, as well as additional secure data processing environments on a case-by-case basis, together form the seed of data processing environments from which the network of secure data processing environments is constituted according to the invention.

The aforementioned attestation process is implemented cryptographically, i.e. a central infrastructure of public and private key pairs belonging to the secure data processing environments DVUa,b (public key infrastructure) is initialized by the operator of the V-DVU network. To do this, he uses a subset of the k authenticity verification servers (designated AVS1 to AVSk in Fig. 1) that includes at least one authenticity verification server. In order to enable a high level of availability of the authenticity verification service, a subset of several authenticity verification servers can advantageously be used. The operator of the V-DVU network can use these to have the authenticity of the secure data processing environments confirmed by the manufacturer of these secure data processing environments.

If, for example, a secure data processing environment DVUc,d needs to have the authenticity of a second secure data processing environment DVUe,f, designated by the manufacturer as a secure data processing environment, attested, in this example the secure data processing environment DVUc,d sends a message to one of the authenticity verification servers AVSh+1 to AVSk with the request whether the secure data processing environment DVUe,f is actually a secure data processing environment in the sense of the manufacturer of a secure data processing environment with regard to the origin and status of the machine-related programs. These can be verified based on the constantly updated reports on the secure Data processing environments and the status of the machine-related software can answer the query reliably. This attests to the fact that the secure data processing environment DVUe,f belongs to the seed for the secure data processing environment DVUc,d. This way, all secure data processing environments can ensure the authenticity of the other secure data processing environments of the seed.

In addition, the secure computing environments DVUc,d and DVUe,f can mutually assure each other of the authenticity of the programs controlling the secure computing environments by comparing a measurement of the programs or comparing the identity of the signing auditor. Such a measurement is the application of a one-way function (hash) to the code to be measured.

sicheren Datenverarbeitungsumgebungen angehörenden sicheren Datenverarbeitungsumgebungen erfolgt schrittweise mit der Initiierung der

mi sicheren Datenverarbeitungsumgebungen durch den Betreiber des Verbundes der Datenverarbeitungsumgebungen V-DVU. The inventive autonomous determination of the common original secret, under the defined set of £

The implementation of secure data processing environments belonging to secure data processing environments will be carried out gradually with the initiation of the

with secure data processing environments by the operator of the V-DVU network of data processing environments.

In Fig. 2, a total of seven states ZI to Z7 of an embodiment of the method for the autonomous determination of the common original secret are shown, of which initially only the states ZI to Z6 are considered.

If a secure data processing environment is started from the seed of secure data processing environments by the operator of the V-DVU network of data processing environments, this secure data processing environment changes from the state “UNINITIALIZED” (ZI) to the state “NEGOTIATION PHASE” (Z2) by initializing the bootstrap sub-procedure “INIT BOOTSTRAP” (BOO).

In this state Z2, each secure data processing environment initially randomly or quasi-randomly generates an asymmetric communication key pair that is intended for secure communication between the secure data processing environments of the seed, because it is assumed that the transmission channels between the secure data processing environments can be insecure. The public key of this The communication key pair is signed with the signature key characteristic of the secure data processing environment and this signed communication key is sent as a tuple with the public communication key to all other secure data processing environments of the seed and a response is requested with the signed public key of the other secure data processing environments. After receiving the signed public keys of the other secure data processing environments, the authenticity of the public key is checked (“ACCEPT NEGOTIATION DATA”, AND).

As soon as the public keys of all other secure data processing environments have been successfully verified using the described “negotiation” AND, the state “NEGOTIATION PHASE” (Z2) changes to the next state “EXCHANGE KEY PHASE” (Z3) (“ALL SEEDS ACCEPTED”, ASA).

In this state Z3, each secure data processing environment generates its own random or quasi-random proposal for the original secret together as a tuple with a particularly precise (double variable) random or quasi-random pseudo-clock and exchanges this tuple with all other secure data processing environments of the seed (“ACCEPT KEY DATA”, AKD). Afterwards, all tuples of the individual, own proposals for the original secret and the pseudo-clocks are sorted according to the values of the pseudo-clocks. If a conflict arises because two or more pseudo-clocks have the same value, the process is reset (“RESET”, RST). If a clear order of the tuples (“creation history” or “creation pseudo-history”, since the “clocks” are pseudo-clocks) is found, then the process is continued.

As soon as all tuples with the individual suggestions for the original secret and the pseudo-time for the secure data processing environments have been collected and checked for their authenticity (“ALL SEEDS ACCEPTED”, ASA), the system switches from state Z3 to the next state “VERIFICATION PHASE” (Z4).

In this state Z4, each secure data processing environment encrypts the list of tuples created and sorted in state Z3 with the key characteristic of each secure data processing environment and sends it to all other secure data processing environments. An identifier of the self-generated list, generated by a one-way function (hash), is then compared with the identifiers of the lists of the other secure data processing environments, also generated by a one-way function (ACCEPT VERIFICATION REPORT). If a conflict arises, i.e. one or more lists or the unique identifiers of the lists differ from one another, the process is reset (RST). Finally, the suggestion for the shared original secret is selected from the list which, for example, has the highest value for the pseudo-time. In this way, all of the secure data processing environments involved have the identical shared original secret and persist this shared original secret encrypted with a key that is characteristic of the secure data processing environment and is only accessible in this secure data processing environment. If an error occurs during persistence, for example due to a typo, the process is reset (RST).

As soon as all secure data processing environments confirm to each other that the shared original secret has been successfully persisted (“ALL SEEDS ACCEPTED”, ASA), the system switches to the final state of the status diagram in Fig. 2, “ONLINE” (Z5). The secure data processing environment remains in this state Z5 until the server implementing the secure data processing environment is shut down.

The master secret, which is now available to all secure data processing environments, is the basis for deriving keys that are necessary to decrypt data that must be shared between different secure data processing environments. The derivation of keys for decrypting data from other secure data processing environments also depends on the identity of the other secure data processing environment, for example a name, a signature of the auditor of the other data processing environment or other characterizing features of the other secure data processing environment.

In any case, the derivation of keys for decrypting data from other secure data processing environments is unique and repeatable, since it always relies on the same common original secret and the identity established by convention within the network. digital words characterizing other secure data processing environments.

The ability to securely read data from other secure data processing environments is essential to be able to run all programs in large software packages with “confidential computing” and to create redundant structures to improve the availability of the software services and data provided by the software.

In the described embodiment, the secure data processing environments interact autonomously with one another without a person from the operator of the network of secure data processing environments having to make inputs at a human-machine interface after the initial configuration process. This results in a significant reduction in the complexity and costs of a network of secure data processing environments according to the invention. This also results in a significant improvement in the confidentiality, integrity and availability of the programs executed in the secure data processing environments, as well as the data processed with the programs.

In Fig. 3, an additional server Sn+1 is added to the network of secure data processing environments shown in Fig. 1, which in turn contains a plurality of secure data processing environments DVUn+1,1 to DVUn+l,mn+l.

To expand the V-DVU network, the operator of the V-DVU network adds the configuration to one of the configuration servers KS1 to KSh, which replicate this configuration change to the other configuration servers in accordance with standard practice. In the extension of the configuration data, the operator indicates that the server Sn+1 is being added to an existing network of secure data processing environments and does not belong to the seed of secure data processing environments for the formation of a new network of secure data processing environments.

When it starts, the server Sn+1 obtains the configuration data from one of the configuration servers KS1 to KSh and also receives the addresses of the secure Data processing environments involved in secure data processing environments DVU 1,1 to DVUn,mn.

The server Sn+1 starts in the state ZI of the state diagram "UNINITIALIZED" shown in Fig. 2. The configuration parameter, which states that the server Sn+1 is not an initial seed DVU according to the configuration parameters, but is added to an existing network of secure data processing environments, triggers the server Sn+1 to switch to the state "IMPORT PHASE" (Z6) ("INIT IMPORT", IMP) in the embodiment of the method according to the invention.

In state Z6 "IMPORT PHASE", each of the DVUn+1,1 to DVUn+l,mn secure data processing environments of the server Sn+1 randomly or quasi-randomly generates an asymmetric communication key pair that is intended for secure communication between the secure data processing environments and the secure data processing environments of the servers S1 to Sn. The public key of this communication key pair is signed with the signature key characteristic of the secure data processing environments of the server Sn+1 and this signed communication key is sent as a tuple with the public communication key to another secure data processing environment of the servers S1 to Sn and a response is requested with the signed public key of the other secure data processing environments. If the other secure data processing environment requested first does not respond as expected, another other secure data processing environment is requested, and so on until the requested information is received. After receiving the signed public keys of the other secure data processing environments, the authenticity of the public key is checked. According to the invention, the server Sn+1 then requests the shared original secret from one of the secure data processing environments already belonging to the V-DVU network, together with the identifier for the "history of creation" of the V-DVU network generated by a one-way function (hash). Finally, the secure data processing environments of the server Sn+1 persist the original secret ("ACCEPT IMPORT DATA", AIM).

Once all secure computing environments of the server Sn+1 have confirmed that the shared original secret has been successfully read and decrypted from the persistent storage (“ALL SEEDS ACCEPTED”, ASA), the system switches to the final state of the state diagram in Fig. 2 “ONLINE” (Z5).

Extensions of the V-DVU network by additional servers Sn+1, Sn+2, etc., each with one or more secure data processing environments, can be carried out in an analogous manner not only with the step size of one server described in this embodiment, but also with arbitrarily large step sizes with a plurality and even a large number of servers.

In the described embodiment, additional servers Sn+1, Sn+2, etc. can be added to the n servers of the seed configuration in the simple manner described above, and in this way existing networks of secure data processing environments can be expanded with very little complexity to result in very large networks of secure data processing environments.

Large networks have a very low probability that all secure data processing environments in the network will jointly stop functioning and, as a result, the shared original secret will be lost. Large networks are therefore robustly protected against the loss of the original secret.

Even when the network is expanded to include one or more servers Sn+1, Sn+2, etc., each with one or more secure data processing environments, as described in the exemplary embodiment, the secure data processing environments interact autonomously with one another without a person from the operator of the network of secure data processing environments having to make entries at a human-machine interface after the configuration expansions. This results in a significant reduction in the complexity and costs of a network of secure data processing environments according to the invention. This also results in a significant improvement in the confidentiality, integrity and availability of the programs executed in the secure data processing environments, as well as the data processed with the programs. In a similar way, other automations can be carried out within the D-DVU network, for example the generation of sets of keys for specific services and applications, databases, storage systems and the like. The derivation of the other keys takes place in a "trust hierarchy", i.e. a sequence of sub-processes that generate keys that each refer to previously generated keys. The generated keys are secured in encrypted form, with the shared original secret being used to generate the encryption key for this process, so that the backup (storage) takes place independently of individual secure data processing environments. This means that these keys are not lost if the secure data processing environment in which the keys were generated ceases to function.

The automation of the formation of the network of secure data processing environments V-DVU can be designed to such an extent that, apart from the initial entries in one of the configuration servers KS1 to KSh, no further entries have to be made by the V-DVU operator's staff at the human-machine interfaces of the servers S1 to Sn+x, where x can take on very large natural numerical values, by automatically recording the basic operating conditions of each individual server with regard to embedding in the network connection, participation in distributed storage systems and the like (auto-discovery) and negotiating them in interaction with the other servers in the V-DVU network. Principles of majority decisions and Byzantine fault tolerance can be applied here.

The described embodiment of the invention is ultimately suitable for creating a software service for key derivation and management (Key Derivation and Management Service) that is designed independently of the specific implementation of the secure data processing environments DVUa,b by generating a common original secret and creating an instance that is independent of the secure data processing environments and the server in terms of the software architecture. In many implementations according to the state of the art, key generation is dependent on the individual hardware of the secure data processing environments and the independence of the secure data processing environments and the server according to the invention is not given. In Fig. 4, the sub-figures a) and b) show a secure data processing environment DVU1 in the server SI and DVU2 in the server S2, respectively. Within the DVU1, the application logic ALI is operated for the users with their user clients NC 1,1 to NC1,p. Within the DVU2, the application logic AL2 is operated for the users with their user clients NC2,1 to NC2,q.

The secure data processing environment DVU 1 has privileged access PZ, which can be used by the administrator of the application logic ALI via the administrator client AC1 to carry out administration activities. In practice, such privileged access PZ is largely unrestricted access for administrators to the resources of the secure data processing environment, which, in terms of its rights, has historically grown to include far more functions than are necessary for administration in the secure data processing application environment. In practice, privileged access PZ is a protocol that makes a command line of the computer or virtual computer usable remotely (Secure Shell, SSH). Nevertheless, the use of such a secure data processing application environment with privileged access is sensible, since the administrators of the servers implementing the secure data processing application environment are excluded from accessing the executing programs and the processed data. The operating system of the server S 1 may also contain faulty entry points for attackers, without this giving potential attackers access to the programs executed in the secure data processing application environment DVU3 and to the data processed with them.

The secure data processing environment DVU2 does not have such privileged access PZ, which is why the outer shell of the secure data processing environment DVU2 is not indicated as a rectangle but as an oval to distinguish it.

The partial figures c) and d) of Fig. 4 show inventive networks of secure data processing environments V-DVU, which are formed from the secure data processing environments DVU3 and DVU4.

As indicated in sub-figures c) of Fig. 4, the secure data processing environment DVU4, which has no privileged access, exclusively controls the administration logic AZL1 the administration of the secure data processing environment DVU3, which has privileged access, in that the AZL1 only allows a positively defined list of administration commands to be executed for the administration of the secure data processing environment DVU3.

Alternatively, as indicated in sub-figures d) of Fig. 4, both the secure data processing environment DVU3 and DVU4 can be operated within a common server S4.

In Fig. 5, two sub-figures a) and b) are shown, each illustrating a network of secure data processing environments V-DVU. In sub-figure a), a secure data processing environment DVU5 or DVU6 is implemented in the servers S5 and S6, each of which has privileged access PZ, via which the administrator of the two application logics AL5 and AL6 controls the application logics AL5 and AL6 using his client AC56. As in Fig. 4, the user clients NC5,1 to NC5,p, which interact with the application logic AL5, as well as the user clients NC6,1 to NC6,q, which interact with the application logic AL5, are shown here.

In part b) of Fig. 5, an embodiment of an inventive network is shown in which the privileged access of the secure data processing environment DVU7 in the server 7 was closed with the application logic AL7. In practice, privileged access is closed by blocking the ports for privileged access (close SSH ports) in the configuration of the secure data processing environment DVU7. Such configuration changes can be part of the "attestation" explained above, so that the other secure data processing environments of the V-DVU network can convince themselves of the existence of a correctly implemented configuration with cryptographic strength.

In part b) of Fig. 5, an administration access logic AZL1 is also shown, which exclusively allows the execution of a positively defined list of administration commands and thus enables the administration of the application logic AL7. The integrity of the administration access logic AZL1 can also be part of the previously explained “measurement” of the attestation process, so that the other secure data processing environments of the V-DVU network can convince themselves of the existence of a correctly implemented administration access logic AZL1 with cryptographic hardness. The users of the application logic AL7 can rely on a very highly confidential processing of the data and a very highly confidential access to the application logic AL7 via the user clients NC7,1 to NC7,r.

The server S8 in part b) of Fig. 5 also shows the administration access logic AZL2, which is executed by a secure data processing environment DVU9 without privileged access, which is implemented embedded in the secure data processing environment DVU8 (nesting of TEEs). This embodiment in turn provides the particularly high level of security that only the controlling administration commands transmitted by the administration client AC78 and, as a result, the users of the application logic AL8 can rely on a particularly high level of confidentiality in the processing of the data and the access to the application logic AL8 via the user clients NC8,1 to NC8,s.

The different embodiments illustrate different possibilities for forming networks of secure data processing environments, which, depending on the design, are suitable for different distribution of responsibilities in administration. For example, a first administrator can be responsible for a secure data processing environment that is implemented as a secure virtual machine, and a second administrator can be responsible for a specific process within the same secure data processing environment. In this example, an embedded secure data processing environment designed analogously to the secure data processing environment DVU9 can ensure that the second administrator does not have access to the other parts of the secure data processing environment designed as a virtual machine for which the first administrator is responsible, and conversely, the first administrator also has no access to the specific process for which the second administrator is responsible.

Claims

claims 1. Method for forming a network of at least two secure data processing environments (Network of Trusted Execution Environments), whereby the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that the secure data processing environments autonomously determine among themselves which of the secure data processing environments generates a master secret, which is then transmitted to the participating secure data processing environments and to those that are added in extensions. 2. Method according to claim 1, characterized in that secure data processing environments which are added when a network is expanded automatically receive the identity of the data processing environments involved in the network and the history of the network's creation. 3. Method according to claims 1 or 2, characterized in that secrets which are necessary for the operation of the network of data processing environments and/or software instances of the network are derived from the original secret in a unique and repeatable manner. 4. A method for forming a network of secure data processing environments (Network of Trusted Execution Environments), characterized in that neither the involvement of human persons to enter partial secrets at a human-machine interface nor the entry of identities of one of the participating secure data processing environments is necessary to generate the original secret. 5. Method according to claim 4, characterized in that not only the process parts for generating the master secret, but also other parts of the process for forming a network of secure data processing environments are automated. 6. Method for forming a network of secure data processing environments (Network of Trusted Execution Environments), whereby the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that the process parts used to generate the original secret and further secrets are designed independently of the execution of the secure data processing environments used. 7. Method for forming a network of secure data processing environments (Network of Trusted Execution Environments), whereby the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that a first secure data processing environment, which according to its execution has privileged, unrestricted access, and a second secure data processing environment, which according to its execution has no privileged access, form a network of secure data processing environments in such a way that the second secure data processing environment, which according to its execution has no privileged access, exclusively controls the privileged access of the first secure data processing environment. 8. Method according to claim 7, characterized in that several secure data processing environments which, according to their design, do not have privileged access, exclusively control the privileged access(s) of one or more secure data processing environments which, according to their design, have privileged access. 9. Method for forming a network of secure data processing environments (Network of Trusted Execution Environments), whereby the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that the secure data processing environments do not have a privileged access channel, but have a plurality of positively defined commands to carry out administrative tasks relating to the secure data processing environment and the programs executed therein. 10. Method according to claim 9, characterized in that one or more secure data processing environments, which according to their design do not have privileged access, are operated in a nested manner within a secure data processing environment, which according to their design does not have privileged, unrestricted access but has an interface via which a plurality of positively defined commands for carrying out administration activities can be triggered, which exclusively control the positively defined commands for carrying out administration activities. 11. A network of trusted execution environments, the network being adapted to execute a method according to one of claims 1 to 3. 12. A network of trusted execution environments, the network being adapted to execute a method according to one of claims 4 and 5. 13. A network of trusted execution environments, the network being adapted to execute a method according to claim 6. 14. A network of trusted execution environments, the network being adapted to execute a method according to one of claims 7 and 8. 15. Network of Trusted Execution Environments, wherein the network is adapted to execute a method according to one of claims 9 and 10.