U.S. patent application number 12/184062, filed July 31, 2008 and published on 2009-02-05 as publication number 20090034734, for a multi-level key manager.
This patent application is currently assigned to ViaSat, Inc. Invention is credited to John C. Andolina, John R. Owens, Richard L. Quintana, Stuart N. Shanken.
Application Number: 20090034734 (Appl. No. 12/184062)
Family ID: 39832694
Publication Date: 2009-02-05
United States Patent Application 20090034734, Kind Code A1
Owens; John R.; et al.
February 5, 2009
Multi-Level Key Manager
Abstract
A cryptographic device and method are disclosed for processing
different levels of classified information. A memory caches keys
for use in a cryptographic processor. The cryptographic processor
requests a key associated with a particular classification level
when processing a packet of the particular classification level.
The cryptographic device confirms that the key and the packet are
of the same classification level in a high-assurance manner.
Checking header information of the keys one or more times is
performed in one embodiment. Some embodiments authenticate the
stored key in a high-assurance manner prior to providing the key to
the cryptographic device.
Inventors: Owens; John R. (Carlsbad, CA); Andolina; John C. (Vista, CA); Shanken; Stuart N. (San Diego, CA); Quintana; Richard L. (Carlsbad, CA)
Correspondence Address: TOWNSEND AND TOWNSEND AND CREW LLP; VIASAT, INC (CLIENT #017018), TWO EMBARCADERO CENTER, EIGHTH FLOOR, CA 94111, US
Assignee: ViaSat, Inc., Carlsbad, CA
Family ID: 39832694
Appl. No.: 12/184062
Filed: July 31, 2008
Related U.S. Patent Documents
Application Number   Filing Date    Patent Number
60962821             Jul 31, 2007
60962822             Jul 31, 2007
60962848             Jul 31, 2007
61026438             Feb 5, 2008
Current U.S. Class: 380/277
Current CPC Class: G06F 2221/2113 20130101; G06F 21/74 20130101; G06F 21/72 20130101; H04L 63/0485 20130101; H04L 63/105 20130101
Class at Publication: 380/277
International Class: H04L 9/14 20060101 H04L009/14
Claims
1. A cryptographic device for processing classified information
having a plurality of different classification levels, the
cryptographic device comprising: a memory holding a plurality of
keys outside of an integrated circuit, wherein the plurality of
keys are for the plurality of different classification levels; a
cryptographic processor that is part of the integrated circuit,
wherein the cryptographic processor uses the plurality of keys to
process packets of information that are categorized according to
the plurality of different classification levels; and a key
manager, wherein: the key manager can access a plurality of rules
associated with the plurality of different classification levels,
the plurality of rules regulate interaction with the plurality of
keys, a first rule of the plurality of rules is used by the key
manager in a first classification level of the plurality of
different classification levels, and a second rule of the plurality
of rules is used by the key manager in a second classification
level of the plurality of different classification levels.
2. The cryptographic device for processing classified information
having the plurality of different classification levels as recited
in claim 1, wherein: a first key accessed in the first
classification level includes a header that is checked against the
first rule, and the first key includes a coded header that is
checked against the first rule.
3. The cryptographic device for processing classified information
having the plurality of different classification levels as recited
in claim 1, wherein the first and second keys are encrypted in the
memory.
4. The cryptographic device for processing classified information
having the plurality of different classification levels as recited
in claim 1, wherein the plurality of keys are stored in an
encrypted state.
5. The cryptographic device for processing classified information
having the plurality of different classification levels as recited
in claim 1, wherein the key manager further comprises a key
decoder, which decrypts the plurality of keys before passing them
to the cryptographic processor.
6. The cryptographic device for processing classified information
having the plurality of different classification levels as recited
in claim 1, further comprising an access controller, wherein the
access controller checks that a predetermined state of operation is
active while writing the first key to a partition of the
memory.
7. A method for processing classified information in a
high-assurance manner, the method comprising steps of: receiving a
request for a first key by a cryptographic processor; choosing a
first rule from a plurality of rules; retrieving a first sterile
key from a memory; checking the first sterile key with the first
rule; decrypting the first sterile key with a first protection key
to produce the first key; checking the first key with the first
rule; providing the first key to the cryptographic processor if the
checking the first sterile key step and the checking the first key
step are completed successfully; receiving a request for a second
key by the cryptographic processor; choosing a second rule from the
plurality of rules; retrieving a second sterile key from the
memory; checking the second sterile key with the second rule;
decrypting the second sterile key with a second protection key to
produce a second key; checking the second key with the second rule;
and providing the second key to the cryptographic processor if the
checking the second sterile key step and the checking the second
key step are completed successfully.
8. The method for processing classified information in the
high-assurance manner as recited in claim 7, further comprising a
step of erasing the first and second protection keys to zeroize
utility of the first and second keys.
9. The method for processing classified information in the
high-assurance manner as recited in claim 7, wherein the
cryptographic processor is capable of processing multiple
classification levels simultaneously in different packets.
10. The method for processing classified information in the
high-assurance manner as recited in claim 7, wherein the first rule
requires a classification level of a packet being processed with
the cryptographic processor to match the classification level of
the first key.
11. The method for processing classified information in the
high-assurance manner as recited in claim 7, wherein: the first and
second sterile keys are stored in a second integrated circuit, and
the decrypting steps are performed in a first integrated
circuit.
12. A cryptographic device for processing information with a
plurality of classification levels, the cryptographic device
comprising: a memory holding a plurality of keys; a cryptographic
processor that uses the plurality of keys to process packets of
information that are correlated to the plurality of classification
levels; and a key manager that comprises a rule enforcement circuit
and a key decryption circuit, wherein: the key manager retrieves a
first key for a first packet being processed by the cryptographic
processor, the first packet is of a first classification level, the
first key is associated with the first classification level, the
rule enforcement circuit checks that the first key is designated
for the first classification level before providing the first key
to the cryptographic processor for processing the first packet, the
key manager retrieves a second key for a second packet being
processed by the cryptographic processor, the second packet is of a
second classification level, the second key is associated with the
second classification level, and the rule enforcement circuit
checks that the second key is designated for the second
classification level before providing the second key to the
cryptographic processor for processing the second packet.
13. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
at least one of the first and second keys are stored in the memory
in an unusable form.
14. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
the key manager further comprises a key decoder that descrambles
the first key before providing the first key to the cryptographic
processor.
15. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
the memory and the cryptographic processor are in different
integrated circuits.
16. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein:
the plurality of keys are divided among a plurality of partitions
in the memory, and each classification level has a different
partition to logically separate keys of different classification
levels.
17. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
the plurality of classification levels includes a plurality of
protection values that are each used to descramble the plurality of
keys.
18. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
the rule enforcement circuit checks the first key twice to confirm
that the first classification level of the key matches the first
classification level of the packet.
19. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
the first and second keys are decrypted in the key manager.
20. The cryptographic device for processing information with the
plurality of classification levels as recited in claim 12, wherein
a header is used to designate the first key for the first
classification level.
Description
[0001] This application claims the benefit of and is a
non-provisional of co-pending: U.S. Provisional Application Ser.
No. 60/962,848 filed on Jul. 31, 2007; U.S. Provisional Application
Ser. No. 61/026,438 filed on Feb. 5, 2008; U.S. Provisional
Application Ser. No. 60/962,821 filed on Jul. 31, 2007; and U.S.
Provisional Application Ser. No. 60/962,822 filed on Jul. 31, 2007;
which are all hereby expressly incorporated by reference in their
entirety for all purposes.
[0002] This application expressly incorporates by reference: U.S.
Application Ser. No. ______, filed on an even day herewith,
entitled "INPUT OUTPUT ACCESS CONTROLLER" (temporarily referenced
by Attorney Docket No. 017018-017210US/VS-0245); and, U.S.
Application Ser. No. ______, filed on an even day herewith,
entitled "TRUSTED LABELER" (temporarily referenced by Attorney
Docket No. 017018-014610US/VS-0246); in their entirety for all
purposes.
BACKGROUND
[0003] This disclosure relates in general to secure computing
systems and, more specifically to high-assurance access to keys at
different classification levels amongst other things.
[0004] Governments classify information at different levels
generally according to their sensitivity, for example, SECRET
versus TOP SECRET. Users of the information are also classified by
what level they are able to get access to. For example, someone
with a SECRET clearance is not given access to TOP SECRET
information. Procedures are put in place to avoid exposure to
persons without the proper classification level.
[0005] In processing systems, physical security is used to prevent
information of different classification levels from bleeding over
to a different classification level. To process at multiple
classification levels, there may be several devices running in
parallel for each classification level. Devices that may be capable
of running at multiple classification levels are run at one
classification level, cleared out and then run at a different
classification level. Intermixing of different classified
information is generally taboo in these systems.
[0006] There are situations that require smaller cryptographic
devices that can process different classification levels. Switching
between classification levels takes time and slows down processing.
Some have proposed trusted operating systems that can process
information with more flexibility, but these solutions are avoided
due to a lack of trust.
[0007] Different keys are required for each classification level to
maintain the security of information in each classification level.
The keys may be simply different values or could be used with
different algorithms. Even if security is breached for one
classification level, the unique keys and algorithms keep the
information in the other classification levels safe.
SUMMARY
[0008] In an embodiment, a cryptographic device and method are
disclosed for processing different levels of classified
information. A memory caches keys for use in a cryptographic
processor. The cryptographic processor requests a key associated
with a particular classification level when processing a packet of
the particular classification level. The cryptographic device
confirms that the key and the packet are of the same classification
level in a high-assurance manner. Checking header information of
the keys one or more times is performed in one embodiment. Some
embodiments authenticate the stored key in a high-assurance manner
prior to providing the key to the cryptographic device.
[0009] In one embodiment, a cryptographic device for processing
classified information having a number of different classification
levels is disclosed. The cryptographic device includes a memory, a
cryptographic processor and a key manager. The memory holds a
number of keys outside of an integrated circuit. The plurality of
keys are for the plurality of different classification levels. The
cryptographic processor is part of the integrated circuit and uses
the plurality of keys to process packets of information that are
categorized according to the number of different classification
levels. The key manager can access a plurality of rules associated
with the plurality of different classification levels that regulate
interaction with the plurality of keys. A first rule of the number
of rules is used by the key manager in a first classification level
of the number of different classification levels. A second rule of
the number of rules is used by the key manager in a second
classification level of the number of different classification
levels.
[0010] In another embodiment, a method for processing classified
information in a high-assurance manner is disclosed. In one step, a
request is received for a first key by a cryptographic processor. A
first rule from a number of rules is applied to a first sterile key
retrieved from a memory. The first sterile key is decrypted with a
first protection key to produce the first key. The first key is
also checked with the first rule. The first key is provided to the
cryptographic processor if the checking the first sterile key step
and the checking the first key step are completed successfully. A
request is received for a second key by the cryptographic
processor. A second rule from the number of rules is applied to a
second sterile key retrieved from the memory. The second sterile
key is decrypted with a second protection key to produce the second
key. The second key is also checked with the second rule. The
second key is provided to the cryptographic processor if the
checking the second sterile key step and the checking the second
key step are completed successfully.
[0011] In yet another embodiment, a cryptographic device for
processing information with a plurality of classification levels is
disclosed. The cryptographic device includes a memory, a
cryptographic processor and a key manager. The memory holds a
number of keys that are used by a cryptographic processor to
process packets of information that are correlated to the plurality
of classification levels. The key manager includes a rule
enforcement circuit and a key decryption circuit. The key manager
retrieves a first key for a first packet being processed by the
cryptographic processor. The first packet and the first key are of
a first classification level. The rule enforcement circuit checks
that the first key is designated for the first classification level
before providing the first key to the cryptographic processor for
processing the first packet. The key manager retrieves a second key
for a second packet being processed by the cryptographic processor.
The second packet and the second key are of a second classification
level. The rule enforcement circuit checks that the second key is
designated for the second classification level before providing the
second key to the cryptographic processor for processing the second
packet.
[0012] Further areas of applicability of the present disclosure
will become apparent from the detailed description provided
hereinafter. It should be understood that the detailed description
and specific examples, while indicating various embodiments, are
intended for purposes of illustration only and are not intended to
necessarily limit the scope of the disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] The present disclosure is described in conjunction with the
appended figures:
[0014] FIG. 1 depicts a block diagram of an embodiment of a
cryptographic device;
[0015] FIG. 2 depicts a block diagram of an embodiment of a
partitioned key cache;
[0016] FIG. 3 depicts a block diagram of an embodiment of a key
manager;
[0017] FIG. 4 depicts a diagram of an embodiment of a key
unscrambling process; and
[0018] FIG. 5 illustrates a flowchart of an embodiment of a process
for operating the cryptographic device.
[0019] In the appended figures, similar components and/or features
may have the same reference label. Further, various components of
the same type may be distinguished by following the reference label
by a dash and a second label that distinguishes among the similar
components. If only the first reference label is used in the
specification, the description is applicable to any one of the
similar components having the same first reference label
irrespective of the second reference label.
DETAILED DESCRIPTION
[0020] The ensuing description provides preferred exemplary
embodiment(s) only, and is not intended to limit the scope,
applicability or configuration of the disclosure. Rather, the
ensuing description of the preferred exemplary embodiment(s) will
provide those skilled in the art with an enabling description for
implementing a preferred exemplary embodiment. It being understood
that various changes may be made in the function and arrangement of
elements without departing from the spirit and scope as set forth
in the appended claims.
[0021] Referring first to FIG. 1, a block diagram of an embodiment
of a cryptographic device 100 is shown. The cryptographic device
100 processes information of different classifications. Information
in each classification level is kept separate or partitioned from
information of other classification levels throughout the
cryptographic device 100. Additionally, each classification level
can use different cryptographic algorithms and/or keys. Several
integrated circuits could be used to implement the cryptographic
device 100 where at least a cryptographic processor 120 is in one
integrated circuit and the partitioned key cache 116 is in another.
Other embodiments could have the partitioned key cache 116 and
cryptographic processor 120 as part of the same integrated
circuit.
[0022] A cryptographic processor 120 is the circuit that performs
encryption, decryption and/or bypass for the information that
passes through it. Information may be a stream or packetized in
cryptographic processor 120. The packets or streams are of
different classification levels. The cryptographic processor 120
can reconfigure itself for the appropriate processing on a
packet-by-packet basis. Different processing steps are set up for
each classification level in a pipeline fashion by the
cryptographic processor 120. The processing steps perform
formatting and cryptographic processing with a number of different
algorithms and/or keys. Some of these processing steps can be
common to multiple classification levels such that the
cryptographic processor 120 can potentially reuse the sub-circuits
performing processing steps for the multiple classification
levels.
[0023] A system bus 124 allows the processor 108 to communicate
with a key manager 104, a partitioned key cache 116, an
input/output (IO) access controller 112, and other peripherals that
are not shown in the figure. The processor 108 communicates with
the key manager 104, via the IO access controller 112, to access
the partitioned key cache 116. Keys are loaded into the partitioned
key cache 116 by the processor 108 in this embodiment and read by
the cryptographic processor 120. Other embodiments could load the
keys from an external source, for example.
[0024] The IO access controller 112 checks that the processor 108
or anything else using the system bus 124 is operating as expected.
The processor 108 writes a state to the IO access controller 112.
Each state is able to access peripherals defined by addresses or
ranges of addresses. The IO access controller 112 checks that only
the designated addresses are accessed by the processor 108 in a
given state to assure that the interaction with the key manager 104
and partitioned key cache 116 to write keys is authorized. Each
address or range of addresses can be designated for read only,
write only or read and write accessible. The IO access controller
112 further understands how states transition through the state
machine such that state transitions are also checked when the
processor 108 is using the system bus 124.
[0025] There are states defined exclusive to the various
classification levels. The cryptographic processor 120 performs
certain key operations in certain states. The IO access controller
112 checks if an address range of a partitioned key cache 116 has
been properly written by the processor based upon the current
state. Table I gives an example of the states used for various
classification levels. Additionally, the algorithm and key address
is given in the table. These entries in the table serve as rules.
For example, states four, seven and nine operate in a CONFIDENTIAL
classification level using a DES cryptographic algorithm and the
key at address forty-three in the partitioned key cache. The IO
access controller 112 in this example would make sure the current
states were one of states four, seven or nine when the processor
108 writes the key at address forty-three in the partitioned key
cache 116. Where a violation is determined by the IO access
controller 112, the key could be zeroized and/or other remedial
action could be taken.
TABLE I. State Enforcement Rules
State(s)   Classification   Algorithm    Key Address
1          TS               AES 256      11
2, 19      S                AES 192      5
3, 21      NC               Triple DES   21
4, 7, 9    C                DES          43
[0026] As a packet passes through the cryptographic processor 120
certain algorithms use keys to perform the desired processing for
that packet. The partitioned key cache 116 holds keys in a sterile
or encrypted form. Sterilization puts the keys in a form that
protects the encapsulated key even if recovered improperly. Various
encryption algorithms could be used for sterilizing the keys. A key
manager 104 is capable of deriving the key from the sterilized
version. The partitioned key cache 116 could use dynamic random
access memory (DRAM) or static random access memory (SRAM). This
embodiment uses volatile RAM for the partitioned key cache 116 that
is in a separate integrated circuit, but could be integral with the
integrated circuit of the key manager 104 and/or cryptographic
processor 120. The partitioned key cache 116 could be a segment of
a larger memory used for other purposes in other embodiments.
[0027] A key manager 104 receives requests from the cryptographic
processor 120 for keys used to process the various packets. The key
manager 104 checks the requests, retrieves the sterilized key,
reconstitutes the key, performs checks, and returns the key to the
cryptographic processor 120. The key manager 104 is implemented in
logic that is not reprogrammable during normal operation. To load
keys into the partitioned key cache 116, the processor 108 interacts
with the key manager 104 under the supervision of the IO access
controller 112.
[0028] With reference to FIG. 2, a block diagram of an embodiment
of a partitioned key cache 116 is shown. The partitioned key cache
116 has a number of partitions 204 defined. Those partitions map to
peripherals or address ranges used by the IO access controller 112.
A given classification level stores its keys in one partition 204
and is prevented from accessing other partitions 204. Although the
partitioned key cache 116 is a single integrated circuit with a
common interface in this embodiment, the partitioning enforces a
logical separation in a high-assurance manner. Table II gives an
example of the mapping between state, classification and partition
204. These mappings serve as rules. For example, state one operates
at a TOP SECRET classification level and has access to partition B
204-2, which includes addresses eleven through twenty.
TABLE II. State to Partition Mapping
State(s)   Classification   Partition Addresses
1          TS               11-20
2, 19      S                1-10
3, 21      NC               21-30
4, 7, 9    C                31-45
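The state-enforcement rules of Table I ([0024]-[0025]) and the state-to-partition mapping of Table II ([0028]) are easiest to understand as one access-control check run against every bus access. The following is an added example, not ViaSat's code: a software model of IO access controller 112 that applies both tables. The idle state 0, the permitted state transitions, and the choice that processor 108 may only write the key cache and never read keys back are assumptions not stated on the page.

```python
"""Added example (not ViaSat's code): a software model of IO access
controller 112 enforcing the state rules of Table I and the
state-to-partition mapping of Table II.  The idle state 0, the allowed
state transitions and the write-only permission are assumptions."""

# Table II: partition address range per classification level.
PARTITIONS = {
    "TS": range(11, 21),
    "S":  range(1, 11),
    "NC": range(21, 31),
    "C":  range(31, 46),
}

# Table I: which states run at which level, and the key address each level uses.
STATE_CLASS = {1: "TS", 2: "S", 19: "S", 3: "NC", 21: "NC", 4: "C", 7: "C", 9: "C"}
KEY_ADDRESS = {"TS": 11, "S": 5, "NC": 21, "C": 43}

# Assumed: processor 108 may only write the key cache (never read keys back),
# and the permitted state transitions form this small graph (0 = idle).
PERMISSIONS = {state: {"w"} for state in STATE_CLASS}
TRANSITIONS = {
    0: {1, 2, 3, 4},
    1: {0}, 2: {19, 0}, 19: {0}, 3: {21, 0}, 21: {0},
    4: {7, 0}, 7: {9, 0}, 9: {0},
}


class AccessViolation(Exception):
    """Raised instead of silently passing a bad access; the caller zeroizes."""


def states_for_key_address(address):
    """Table I read backwards: the states allowed to write the key at `address`."""
    return {s for s, cls in STATE_CLASS.items() if KEY_ADDRESS[cls] == address}


class IOAccessController:
    def __init__(self):
        self.state = 0          # assumed idle state: no key cache access at all

    def set_state(self, new_state):
        """Processor 108 writes its state; the transition itself is checked."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise AccessViolation(f"illegal transition {self.state} -> {new_state}")
        self.state = new_state

    def check(self, address, op):
        """Return the classification level an access is authorised for, or raise."""
        cls = STATE_CLASS.get(self.state)
        if cls is None:
            raise AccessViolation(f"state {self.state} may not touch the key cache")
        if address not in PARTITIONS[cls]:
            raise AccessViolation(f"address {address} is outside the {cls} partition")
        if op not in PERMISSIONS[self.state]:
            raise AccessViolation(f"{op!r} access not permitted in state {self.state}")
        if op == "w" and address in KEY_ADDRESS.values() \
                and self.state not in states_for_key_address(address):
            raise AccessViolation(f"state {self.state} may not write key address {address}")
        return cls


def demo():
    """Constructed bus trace: one bool per attempted action (True = allowed)."""
    ctl = IOAccessController()
    results = []

    def attempt(fn, *args):
        try:
            fn(*args)
            results.append(True)
        except AccessViolation:
            results.append(False)

    attempt(ctl.set_state, 1)        # idle -> TS state: allowed
    attempt(ctl.check, 11, "w")      # write the TS key at address 11: allowed
    attempt(ctl.check, 43, "w")      # write into the C partition from TS: violation
    attempt(ctl.set_state, 0)        # back to idle
    attempt(ctl.set_state, 4)        # idle -> C state: allowed
    attempt(ctl.check, 43, "w")      # write the C key at address 43: allowed
    attempt(ctl.check, 43, "r")      # read a key back: violation (write-only)
    attempt(ctl.set_state, 1)        # C -> TS directly: illegal transition
    return results
```

The partition check alone already keeps a TOP SECRET state from touching a CONFIDENTIAL address; the extra Table I check on the designated key addresses is the redundant second rule the text describes for address forty-three, so a single mis-set partition range does not silently open another level's key slot.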
[0029] Referring next to FIG. 3, a block diagram of an embodiment
of a key manager 104 is shown. In a high-assurance manner, the key
manager enforces logical separation of the partitioned key cache
116 where no physical separation of the interface to the
partitioned key cache 116 exists. A key request interface 332 is
coupled to the cryptographic processor 120 to receive requests for
one or more particular keys located at specified addresses in the
partitioned key cache 116.
[0030] This embodiment includes a request validator 336 that checks
the request to make sure the request is formatted correctly. Other
embodiments of the request validator 336 could check that the
classification level of the requesting packet matches the
classification level of the partition 204 of the requested key.
With a specified key location, a key memory interface 132 couples
to the partitioned key cache 116 to retrieve the requested key. The
sterile key is returned to a key buffer 308.
[0031] A rule enforcement circuit 336 includes a sterile key
validator 304, a key decoder 324 and a reconstituted key validator
328. Multiple levels of checks are performed on the key before the
key is provided to the cryptographic processor 120.
[0032] The sterile key validator 304 checks the classification
level of the sterile key against the classification level of the
packet that precipitated the request of the key. Essentially, the
sterile key is checked to make sure it matches the type of
processing being performed in the cryptographic processor 120 to
provide high-assurance. The sterile key validator 304 could also
match the algorithm and/or state as further rule checks in some
embodiments.
[0033] A CRC, checksum or other validity value is appended to the
sterile key in this embodiment when stored in the partitioned key
cache 116. The software determines the validity value when writing
the sterile key into the partitioned key cache 116. A check of the
validity value allows confirmation that information stored by the
processor 108 was delivered accurately to the sterile key validator
304.
[0034] A key map database 316 holds information to validate the
keys in their sterile or reconstituted form. The state,
classification, address, algorithm, key length, header information,
and/or other information could be stored in the key map database
316. A look-up table is used in one embodiment of the key map
database 316. Where several keys are used for a given
classification level, the finer granularity of state can confirm
that the key is the correct one for a particular situation. For
example, there could be a different state for each key. Other
embodiments could provide granularity using two or more partitions
204 for a particular classification level.
[0035] A key decoder 324 converts the sterilized key from the
partitioned key cache 116 into a reconstituted key that is ready
for use by the cryptographic processor 120. A payload of the
sterilized key is decrypted to produce a reconstituted key. A cache
protection key store 320 holds a cache protection key for each
classification level. Table III shows an example of the information
stored in the cache protection key store 320. Other embodiments
could have a different cache protection key for each sterilized key
or one cache protection key for all keys.
TABLE III. Cache Protection Keys
State(s)   Classification   Random Key
1          TS               19A5E9F45609DC90h
2, 19      S                AA5119A456870190h
3, 21      NC               78A5E49B56A093D0h
4, 7, 9    C                15E456894309AE9F0h
[0036] Within the decrypted payload of the sterilized key is
information that is checked by a reconstituted key validator 328.
Additionally, a CRC, checksum or other validity value is embedded
in the decrypted payload as a second validity value. The
reconstituted key validator 328 also checks the second validity
value. This additional check provides a further layer of
high-assurance. Should the process pass all of its checks, the
decrypted key is provided to the cryptographic processor 120 for use
in processing the particular packet that requested the key.
[0037] With reference to FIG. 4, a diagram demonstrating an
embodiment of a key unscrambling process 400 is shown. A sterile
key 416 includes a sterile key header, a sterile key payload and a
sterile key CRC, which serves as a validity value. All this
information is stored in the partitioned key cache 116 by the
processor 108. The sterile key header holds the classification
level, the applicable encryption algorithm(s), and any additional
key identifiers. Some embodiments may also include the memory
address of the sterile key. The sterile key CRC is a validity value
that is calculated on the whole sterile key header and sterile key
payload such that any corruption can be discerned.
[0038] The sterile key payload is exclusive-ORed 324 with a cache
protection key 420 from the cache protection key store 320 to
decrypt the reconstituted key header, reconstituted key payload and
reconstituted key CRC. Those items along with the sterile key
header and sterile key CRC form the reconstituted key 404. The
reconstituted key payload is the actual key that will be used by
the cryptographic processor 120. The reconstituted key CRC is a
validity value that allows checking that the fields of the
reconstituted key 404 have not changed. The exclusive-OR key decoder
324 is just one example of a simple decryption function. Other
embodiments may use any type of decryption function(s).
[0039] Referring next to FIG. 5, a flowchart of an embodiment of a
process 500 for operating the cryptographic device 100 is shown.
The depicted portion of the process is initiated in block 504 where
the cryptographic processor 120 has a packet that uses a particular
key, which is requested from the key manager 104. Some embodiments
check the key request. In any event, the key is requested from the
partitioned key cache 116 by the key manager 104. The address of
the key requested falls within a particular partition 204.
[0040] The sterile key 416 is retrieved from the partitioned key
cache 116 in block 516. The sterile key header is
checked in block 520 to determine if the classification matches the
classification of the packet requesting the key. Additional checks
are possible, for example, the sterile key CRC or validity value
could be checked. Presuming the check in block 520 is successful,
processing continues to block 524 where the sterile key payload is
decrypted.
[0041] In the reconstituted key 404, the reconstituted key header
is checked in block 528. Prior to the decoding block 524, the
reconstituted key header was scrambled. Additionally, a
reconstituted key CRC or validity value can be checked in some
embodiments. If the check in block 528 passes, processing continues
to block 532 where the key is returned to the cryptographic
processor 120.
[0042] Should any of the checks fail in blocks 520 or 528, the
partitioned key cache 116 and/or the cache protection key store 320
is erased in block 536. Without the cache protection keys, the keys
remain in a sterile form. Erasure of the cache protection keys can
typically be performed much more quickly than erasure of the
partitioned key cache 116. Further remedial action can be taken in
block 540.
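The sterile key layout of FIG. 4 ([0035]-[0038]) and the request flow of FIG. 5 ([0039]-[0042]) are one procedure: fetch, check the outer header and CRC, decode, check the inner header and CRC, hand over the key, and zeroize the cache protection keys on any failure. The following is an added example, not ViaSat's code, that models that procedure end to end. The 4-byte header layout (classification, algorithm, key identifier), CRC-32 as the validity value, and a per-level XOR protection key at least as long as the payload are assumptions; Table III shows 64-bit values, and the page says any decryption function may stand in for the XOR. Two caveats a practitioner should keep in mind: a CRC detects accidental corruption on the path from processor 108 to the key manager, not deliberate tampering by anyone who holds the protection key, and a fixed XOR key reused across payloads is only as strong as the secrecy of that key.

```python
"""Added example (not ViaSat's code): a software model of the key
unscrambling process of FIG. 4 and the key request process of FIG. 5.
The 4-byte header layout, CRC-32 as the validity value and a per-level
XOR protection key long enough to cover the payload are assumptions."""
import struct
import zlib

# Assumed encodings for the header fields.
TS, S, NC, C = 1, 2, 3, 4
ALG_AES256, ALG_AES192, ALG_3DES, ALG_DES = 1, 2, 3, 4

HDR_FMT = ">BBH"          # classification, algorithm, key identifier
HDR_LEN = struct.calcsize(HDR_FMT)
CRC_LEN = 4


class KeyManagerError(Exception):
    """A failed check in block 520 or 528."""


def crc(data):
    """Validity value: CRC-32 detects corruption, not deliberate tampering."""
    return struct.pack(">I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(data, key):
    """Key decoder 324: the simple XOR decryption function of FIG. 4."""
    if len(key) < len(data):
        raise ValueError("protection key shorter than payload (assumption: no key reuse)")
    return bytes(a ^ b for a, b in zip(data, key))


def make_sterile_key(classification, algorithm, key_id, raw_key, protection_key):
    """What processor 108 writes into the partitioned key cache 116:
    sterile header || XOR(recon header || raw key || recon CRC) || sterile CRC."""
    header = struct.pack(HDR_FMT, classification, algorithm, key_id)
    recon = header + raw_key
    recon += crc(recon)                      # reconstituted key CRC
    body = header + xor(recon, protection_key)
    return body + crc(body)                  # sterile key CRC


class KeyManager:
    def __init__(self, protection_keys):
        self.protection_keys = dict(protection_keys)   # cache protection key store 320
        self.cache = {}                                # address -> sterile key (cache 116)
        self.zeroized = False

    def load(self, address, sterile_key):
        self.cache[address] = sterile_key

    def zeroize(self):
        """Block 536: erase the protection keys; cached keys stay sterile."""
        for level in self.protection_keys:
            self.protection_keys[level] = bytes(len(self.protection_keys[level]))
        self.zeroized = True

    def request_key(self, address, packet_classification, packet_algorithm):
        """Blocks 504-540: any failed check zeroizes before the error propagates."""
        try:
            return self._unscramble(address, packet_classification, packet_algorithm)
        except KeyManagerError:
            self.zeroize()
            raise

    def _unscramble(self, address, packet_classification, packet_algorithm):
        if self.zeroized:
            raise KeyManagerError("protection keys have been zeroized")
        sterile = self.cache.get(address)
        if sterile is None:
            raise KeyManagerError(f"no key at address {address}")
        # Block 520: sterile key CRC, then sterile header against the packet.
        body, sterile_crc = sterile[:-CRC_LEN], sterile[-CRC_LEN:]
        if crc(body) != sterile_crc:
            raise KeyManagerError("sterile key CRC mismatch")
        level, algorithm, key_id = struct.unpack(HDR_FMT, body[:HDR_LEN])
        if (level, algorithm) != (packet_classification, packet_algorithm):
            raise KeyManagerError("sterile header does not match the packet")
        # Block 524: decode the payload with this level's protection key.
        protection_key = self.protection_keys.get(level)
        if protection_key is None:
            raise KeyManagerError(f"no protection key for level {level}")
        recon = xor(body[HDR_LEN:], protection_key)
        # Block 528: reconstituted CRC, then reconstituted header against sterile header.
        recon_body, recon_crc = recon[:-CRC_LEN], recon[-CRC_LEN:]
        if crc(recon_body) != recon_crc:
            raise KeyManagerError("reconstituted key CRC mismatch")
        if struct.unpack(HDR_FMT, recon_body[:HDR_LEN]) != (level, algorithm, key_id):
            raise KeyManagerError("reconstituted header does not match sterile header")
        return recon_body[HDR_LEN:]              # block 532: key for the crypto processor


def demo():
    """Constructed walk-through: a good TS request, a good C request, then a
    request whose packet level does not match the key, which zeroizes the store."""
    pks = {lvl: bytes((lvl * 17 + i) % 256 for i in range(48)) for lvl in (TS, S, NC, C)}
    ts_key, c_key = bytes(range(32)), bytes(range(100, 108))
    km = KeyManager(pks)
    km.load(11, make_sterile_key(TS, ALG_AES256, 11, ts_key, pks[TS]))
    km.load(43, make_sterile_key(C, ALG_DES, 43, c_key, pks[C]))
    good_ts = km.request_key(11, TS, ALG_AES256) == ts_key
    good_c = km.request_key(43, C, ALG_DES) == c_key
    try:
        km.request_key(11, S, ALG_AES256)       # SECRET packet asks for the TS key
        mismatch_caught = False
    except KeyManagerError:
        mismatch_caught = True
    try:
        km.request_key(43, C, ALG_DES)           # previously good request now fails
        locked_out = False
    except KeyManagerError:
        locked_out = True
    return good_ts, good_c, mismatch_caught, locked_out, km.zeroized
```

The order of checks matters: the sterile header is compared with the packet before anything is decoded, so a mismatched request never causes a protection key to be applied, and the reconstituted header is compared with the sterile header afterwards, so a payload that was decoded under the wrong level's protection key, or altered in the cache, is rejected even when its outer header looked right.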
[0043] The above embodiments discuss processing at different
classification levels. These classification levels could be
government classification levels, but need not be necessarily so. A
classification level is just a logical partition in the information
passed. Any information that needs to be kept separate from other
information could be in a separate classification level or logical
partition.
[0044] While the principles of the disclosure have been described
above in connection with specific apparatuses and methods, it is to
be clearly understood that this description is made only by way of
example and not as limitation on the scope of the disclosure.
* * * * *