WO2004061628A2 - Attestation using both fixed token and portable token - Google Patents
Attestation using both fixed token and portable token Download PDFInfo
- Publication number
- WO2004061628A2 WO2004061628A2 PCT/US2003/036110 US0336110W WO2004061628A2 WO 2004061628 A2 WO2004061628 A2 WO 2004061628A2 US 0336110 W US0336110 W US 0336110W WO 2004061628 A2 WO2004061628 A2 WO 2004061628A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- token
- blob
- sealed
- authorization data
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F1/00—Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0827—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Definitions
- TPM Trusted Platform Module
- Third parties may utilize remote computing devices to establish a level 5 of trust with the computing device using the attestation mechanisms of the fixed token.
- the processes by which this level of trust is established typically require that a remote computing device of the third party perform complex calculations and participate in complex protocols with the fixed token.
- a local user of the platform may also want to establish a similar level of trust with the 0 local platform or computing device. It is impractical, however, for a local user to perform the same complex calculations and participate in the same complex protocols with the fixed token as the remote computing devices in order to establish trust in the computing device.
- FIG. 1 illustrates an example computing device comprising a fixed token and a portable token.
- FIG. 2 illustrates an example fixed token and an example portable token of FIG. 1.
- FIG. 3 illustrates an example trusted environment that may be implemented by the computing device of FIG. 1.
- FIG. 4 illustrates an example sealed key blob and an example protected 0 key blob that may be used by the computing device of FIG. 1 for local attestation.
- FIG. 5 illustrates an example method to create the protected key blob of
- FIG. 6 illustrates an example method to load keys of the protected key blob of FIG. 4. 5
- references in the specification to "one embodiment”, “an embodiment”, 5 "an example embodiment”, etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- blob (binary large object) is commonly used in the database arts to refer to any random large block of bits that needs to be stored in a database in a form that cannot be interpreted by the database itself.
- blob is intended to have a much broader scope.
- blob is intended to be a broad term encompassing any 0 grouping of one or more bits regardless of structure, format, representation, or size.
- the verb "hash" and related forms are used herein to refer to performing an operation upon an operand or message to produce a value or a "hash”.
- the hash operation generates a hash from which it is 5 computationally infeasibie to find a message with that hash and from which one cannot determine any usable information about a message with that hash.
- the hash operation ideally generates the hash such that determining two messages which produce the same hash is computationally impossible.
- the hash operation ideally has the above properties
- one way functions 0 such as, for example, the Message Digest 5 algorithm (MD5) and the Secure Hashing Algorithm 1 (SHA-1 ) generate hash values from which deducing the message are difficult, computationally intensive, and/or practically infeasibie.
- MD5 Message Digest 5 algorithm
- SHA-1 Secure Hashing Algorithm 1
- first”, “second”, “third”, etc. are used herein as labels to distinguish between similarly named components and/or operations.
- such terms are not used to signify and are not meant to signify an ordering of components and/or operations.
- such terms are not used to signify and are not meant to signify one component and/or operation having greater importance than another.
- the computing device 100 may comprise one or more processors 102 ⁇ ... 102 P .
- the processors 102 ⁇ ... 102p may support one or more operating modes such as, for example, a real mode, a protected mode, a virtual 8086 mode, and a virtual machine extension mode (VMX mode).
- the processors 102 ⁇ ... 102 P may support one or more privilege levels or rings in each of the supported operating 5 modes.
- the operating modes and privilege levels of processors 102 ⁇ ... 102p define the instructions available for execution and the effect of executing such instructions. More specifically, the processors 102 ⁇ ... 102 P may be permitted to execute certain privileged instructions only if the processors 102 ⁇ ... 102p is in an appropriate mode and/or privilege level.
- the chipset 104 may comprise one or more integrated circuit packages or chips that couple the processors 102 ⁇ ... 102 P to memory 106, a network interface 108, a fixed token 110, a portable token 112, and other I/O devices 114 of the computing device 100 such as, for example, a mouse, keyboard, disk drive, video controller, etc.
- the chipset 104 may comprise a memory controller (not
- the chipset 104 and/or the processors 102 ⁇ ... 102 P may define certain regions of the memory 106 as protected memory 116.
- the processors 102 ⁇ ... 102 P may access the protected memory 116 only when in a particular operating mode (e.g. protected mode) and privilege level (e.g. OP).
- the network interface 108 generally provides a communication mechanism for the computing device 100 to communicate with one or more remote agents 118 ⁇ ... 118 R (e.g. certification authorities, retailers, financial institutions) via a network 120.
- the network interface 108 may comprise a Gigabit Ethernet controller, a cable modem, a digital subscriber line
- DSL digital versatile disk
- POTS plain old telephone service
- the fixed token 110 may be affixed to or incorporated into the computing device 100 to provide some assurance to remote agents 118 ⁇ ... 118 R and/or a local user that the fixed token 110 is associated only with the computing
- the fixed token 110 may be incorporated into one of the chips of the chipset 104 and/or surface mounted to the mainboard (not shown) of the computing device 100.
- the fixed token 110 may comprise protected storage for metrics, keys and secrets and may perform various integrity functions in response to requests from the processors 102 ⁇ ... 102 P and the chipset 104.
- the fixed token 110 may store metrics in a trusted manner, may 5 quote metrics in a trusted manner, may seal secrets to a particular environment (current or future), and may unseal secrets to the environment to which they were sealed. Further, the fixed token 110 may load keys of a sealed key blob and may establish sessions that enable a requester to perform operations using a key associated with the established session.
- the portable token 112 may establish a link to the processors 102 ⁇ ...
- the portable token interface 122 may comprise a port (e.g. USB port, IEEE 1394 port, serial Port, parallel port), a slot (e.g. card reader, PC Card slot, etc.), transceiver (e.g. RF transceiver, Infrared transceiver, etc.), and/or some other interface mechanism
- the portable token 112 may comprise protected storage for keys and secrets and may perform various integrity functions in response to requests from the processors 102 ⁇ ... 102 P and the chipset 104. In one embodiment, the portable token 112 may load keys of a
- the portable token 112 may change usage authorization data associated with a sealed key blob, and may return a sealed key blob of a protected key blob after determining that a requester is authorized to receive the sealed key blob.
- the fixed token 110 may comprise one or more processing units 200, a random number generator 202, and protected storage 204 which may comprise keys 206, secrets 208, and/or one or more platform configuration register (PCR) registers 210 for metrics.
- the portable token 112 may comprise one or more processing units 212, a random number generator
- the processing units 200, 212 may perform integrity functions for the computing device 100 such as, for example, generating and/or computing symmetric and asymmetric keys. In one embodiment, the processing units 200, 212 may use the generated keys to encrypt and/or sign information. Further, the processing units 200, 212 may generate the symmetric keys based upon an AES (Advanced Encryption Standard), a DES (Data Encryption Standard), 3DES (Triple DES), or some other symmetric key generation algorithm that has been seeded with a random number generated by the random number generators 202, 214.
- AES Advanced Encryption Standard
- DES Data Encryption Standard
- 3DES Triple DES
- the processing units 200, 212 may generate the asymmetric key pairs based upon an RSA (Rivest-Shamir-Adleman), EC (Elliptic Curve), or some other asymmetric key pair generation algorithm that has been seeded with a random number generated by the random number generators 202, 214.
- RSA Raster-Shamir-Adleman
- EC Elliptic Curve
- both the fixed token 110 and the portable token are fixed token 110 and the portable token
- the 112 may generate immutable symmetric keys and/or asymmetric key pairs from symmetric and asymmetric key generation algorithms seeded with random numbers generated by their respective random number generator 202, 214. In general, these immutable keys are unalterable once the tokens 110, 112 activate them. Since the immutable keys are unalterable after activation, the immutable keys may be used as part of a mechanism to uniquely identify the respective token 110, 112. Besides the immutable keys, the processing units 200, 212 may further generate one or more supplemental asymmetric key pairs in accordance with an asymmetric key generation algorithm. In an example embodiment, the computing device 100 may generate supplemental asymmetric key pairs as needed whereas the immutable asymmetric key pairs are immutable once activated.
- the computing device 100 typically utilizes its supplemental asymmetric key pairs for most encryption, decryption, and signing operations.
- the computing device 100 typically provides the immutable public keys to only a small trusted group of entities such as, for example, a certification authority.
- the fixed token 110 of the computing device 100 in one embodiment never provides a requester with an immutable private key and only provides a requester with a mutable private key after encrypting it with one of its immutable public keys and/or one of its other supplemental asymmetric keys.
- the portable token 5 112 may provide some assurance to the computing device 100 and/or remote agents 118 ⁇ ... 118R that a user associated with the portable token 112 is present or located at or near the computing device 100. Due to uniqueness of the portable token 112 and an assumption that the user is in control of the portable token 112, the computing device 100 and/or remote agents 118 ⁇ ... 118 R may reasonably 0 assume that the user of the portable token 112 is present or the user has authorized someone else to use the portable token 112.
- the one or more PCR registers 210 of the fixed token 110 may be used to record and report metrics in a trusted manner.
- the processing units 200 may support a PCR quote operation that returns a quote or contents of an 5 identified PCR register 210.
- the processing units 200 may also support a PCR extend operation that records a received metric in an identified PCR register 210.
- the PCR extend operation may (i) concatenate or append the received metric to an metric stored in the identified PCR register 210 to obtain an appended metric, (ii) hash the appended metric to obtain an updated metric that is 0 representative of the received metric and previously metrics recorded by the identified PCR register 210, and (iii) store the updated metric in the PCR register 210.
- the fixed token 110 and the portable token 112 both provide support for establishing sessions between a requester and the 5 tokens 110, 112.
- the fixed token 110 and the portable token 112 in one embodiment both implement the Object-Specific Authentication Protocol (OS- AP) described in the TCPA SPEC to establish sessions.
- OS- AP Object-Specific Authentication Protocol
- both the fixed token 110 and the portable token 112 both implement the TPMJDSAP command of the TCPA SPEC results in the token 110, 112 establishing a session in 0 accordance with the OS-AP protocol.
- the OS-AP protocol requires that a requester provide a key handle that identifies a key of the token 110, 112.
- the key handle is merely a label that indicates that the key is loaded and a mechanism to locate the loaded key.
- the token 110, 112 then provides the requester with an authorization handle that identifies the key and a shared secret computed from usage authorization data associated with the key.
- the 5 requester provides the token 110, 112 with the authorization handle and a message authentication code (MAC) that both provides proof of possessing the usage authorization data associated with the key and attestation to the parameters of the message/request.
- the requester and tokens 110, 112 further compute the authentication code based upon a rolling 0 nonce paradigm where the requester and tokens 110, 112 both generate random values or nonces which are included in a request and its reply in order to help prevent replay attacks.
- the processing units 200 of the fixed token 110 may further support a seal operation.
- the seal operation in general results in the fixed token 110 sealing 5 a blob to a specified environment and providing a requesting component such as, for example, the monitor 310, the kernel 332, trusted applets 334, operating system 322, and/or application 324 with the sealed blob.
- the requesting component may establish a session for an asymmetric key pair of the fixed token 110.
- the requesting component may further provide the fixed token 0 110 via the established session with a blob to seal, one or more indexes that identify PCR registers 210 to which to seal the blob, and expected metrics of the identified PCR registers 210.
- the fixed token 110 may generate a seal record that specifies the environment criteria (e.g. quotes of identified PCR registers 210), a proof value that the fixed token 110 may later use to verify that the fixed 5 token 110 created the sealed blob, and possibly further sensitive data to which to seal the blob.
- the fixed token 110 may further hash one or more portions of the blob to obtain a digest value that attests to the integrity of the one or more hashed portions of the blob.
- the fixed token 110 may then generate the sealed blob by encrypting sensitive portions of the blob such as, usage authorization data, private 0 keys, and the digest value using an asymmetric cryptographic algorithm and the public key of the established session.
- the fixed token 110 may then provide the requesting component with the sealed blob.
- the processing units 200 of the fixed token 110 may also support an unseal operation.
- the unseal operation in general results in the fixed token 110 unsealing a blob only if the blob was sealed with a key of the fixed token 110 and the current environment satisfies criteria specified for the sealed blob.
- the requesting component may establish a session for an asymmetric key pair of the fixed token 110, and may provide the fixed token 110 with a sealed blob via the established session.
- the fixed token 110 may decrypt one or more portions of the sealed blob using the private key of the established session.
- the 0 fixed token 110 may obtain plain-text versions of the encrypted data from the blob. Otherwise, the fixed token 110 may encounter an error condition and/or may obtain corrupted representations of the encrypted data. The fixed token 110 may further hash one or more portions of the blob to obtain a computed digest value for the blob. The fixed token 110 may then return the blob to the requesting 5 component in response to determining that the computed digest value equals the digest value obtained from the sealed blob, the metrics of the PCR registers 210 satisfy the criteria specified by the seal record obtained from the sealed blob, and the proof value indicates that the fixed token 110 created the sealed blob. Otherwise, the fixed token 110 may abort the unseal operation and erase the blob, 0 the seal record, the digest value, and the computed digest value from the fixed token 110.
- the above example seal and unseal operations use a public key to seal a blob and a private key to unseal a blob via an asymmetric cryptographic algorithm.
- the fixed token 110 may use a single key to both seal a blob 5 and unseal a blob using a symmetric cryptographic algorithm.
- the fixed token 110 may comprise an embedded key that is used to seal and unseal blobs via a symmetric cryptographic algorithm, such as, for example DES, 3DES, AES, and/or other algorithms.
- the fixed token 110 and portable token 112 0 may be implemented in a number of different manners.
- the fixed token 110 and portable token 112 may be implemented in a manner similar to Trusted Platform Module (TPM) described in detail in the TCPA SPEC.
- TPM Trusted Platform Module
- a cheaper implementation of the portable token 112 with substantially fewer features and functionality than the TPM of the TCPA SPEC may be suitable for some usage models such as local attestation.
- the fixed token 110 and the 5 portable token 112 may establish sessions and/or authorize use of its keys in a number of different manners beyond the OS-AP protocol described above.
- An example trusted environment 300 is shown in FIG. 3.
- the computing device 100 may utilize the operating modes and the privilege levels of the processors 102 ⁇ ... 102 P to establish the trusted environment 300.
- the 0 trusted environment 300 may comprise a trusted virtual machine kernel or monitor 302, one or more standard virtual machines (standard VMs) 304, and one or more trusted virtual machines (trusted VMs) 306.
- the monitor 302 of the trusted environment 300 executes in the protected mode at the most privileged processor ring (e.g. OP) to manage security and privilege barriers between the virtual 5 machines 304, 306.
- the most privileged processor ring e.g. OP
- the standard VM 304 may comprise an operating system 308 that executes at the most privileged processor ring of the VMX mode (e.g. 0D), and one or more applications 310 that execute at a lower privileged processor ring of the VMX mode (e.g. 3D). Since the processor ring in which the monitor 302 0 executes is more privileged than the processor ring in which the operating system 308 executes, the operating system 308 does not have unfettered control of the computing device 100 but instead is subject to the control and restraints of the monitor 302. In particular, the monitor 302 may prevent the operating system 308 and its applications 310 from accessing protected memory 116 and the fixed 5 token 110.
- the monitor 302 may prevent the operating system 308 and its applications 310 from accessing protected memory 116 and the fixed 5 token 110.
- the monitor 302 may perform one or more measurements of the trusted kernel 312 such as a hash of the kernel code to obtain one or more metrics, may cause the fixed token 110 to extend an identified PCR register 210 with the metrics of the trusted kernel 312, and may record the metrics in an associated 0 PCR log stored in protected memory 116. Further, the monitor 302 may establish the trusted VM 306 in protected memory 116 and launch the trusted kernel 312 in the established trusted VM 306.
- the trusted kernel 312 such as a hash of the kernel code
- the trusted kernel 312 may take one or more measurements of an applet or application 314 such as a hash of the applet code to obtain one or
- the trusted kernel 312 via the monitor 302 may then cause the fixed token 110 to extend an identified PCR register 210 with the metrics of the applet 314.
- the trusted kernel 312 may further record the metrics in an associated PCR log stored in protected memory 116. Further, the trusted kernel 312 may launch the trusted applet 314 in the established trusted VM 306 of the protected 0 memory 116.
- the computing device 100 may further record metrics of the monitor 302, the processors 102 ⁇ ... 102 P , the chipset 104, BIOS firmware (not shown), and/or other hardware/software components of the computing device 100. Further, the 5 computing device 100 may initiate the trusted environment 300 in response to various events such as, for example, system startup, an application request, an operating system request, etc.
- the 0 sealed key blob 400 may comprise one or more integrity data areas 404 and one or more encrypted data areas 406.
- the integrity data areas 404 may comprise a public key 408, a seal record 410, and possibly other non-sensitive data such as a blob header that aids in identifying the blob and/or loading the keys of the blob.
- the encrypted data areas 406 may comprise usage authorization data 5 412, a private key 414, and a digest value 416.
- the seal record 410 of the integrity data areas 404 may indicate to which PCR registers 210, corresponding metrics, proof values, and possible other sensitive data the asymmetric key pair 408, 414 was sealed. Further, the digest value 416 may attest to the data of the integrity data areas 404 and may also attest to the data of the encrypted data 0 areas 406 to help prevent attacks obtaining access to data of the encrypted data areas 406 by altering one or more portions of the sealed key blob 400. In one embodiment, the digest value 416 may be generated by performing a hash of the integrity data areas 404, the usage authorization data 412, and the private key 414.
- data is stored in the integrity data areas 404 in a plaintext or not encrypted form thus allowing the data of the integrity data area to be read or changed without requiring a key to decrypt the data.
- the data of the encrypted data areas 406 in one embodiment is encrypted with a public key 206 of the fixed token 110.
- a requesting component is unable to successfully load the asymmetric key pair 408, 414 of the sealed key blob 400 into the fixed token 110 without establishing a session with the fixed token 110 to use the private key 206 corresponding to the public key 206 used to encrypt the data.
- the requesting component is unable to successfully load the asymmetric key pair 408, 416 without providing the fixed token 110 with the usage authorization data 412 or proof of having the usage authorization data 412 for the sealed key blob 400 and the environment satisfying criteria specified by the seal record 410.
- the protected key blob 402 may comprise one or more integrity data areas 418 and one or more encrypted data areas 420.
- the integrity data areas 418 may comprise non-sensitive data such as a blob header that aids in identifying the blob.
- the encrypted data areas 420 may comprise usage authorization data 422, the sealed key blob 400, and a digest value 424.
- the digest value 424 may attest to the data of the integrity data areas 418 and may also attest to the data of the encrypted data areas 420 to help prevent attacks obtaining access to data of the encrypted data areas 420 by altering one or more portions of the protected key blob 402.
- the digest value 424 may be generated by performing a hash of the integrity data areas 418, the sealed key blob 400, and the usage authorization data 422.
- data is stored in the integrity data areas 418 in a plain-text or not encrypted form thus allowing the data of the integrity data area to be read or changed without requiring a key to decrypt the data.
- the data of the encrypted data areas 420 in one embodiment is encrypted with a public key 216 of the portable token 112.
- a requesting component is unable to successfully obtain the sealed key blob 400 from the protected key blob 402 without establishing a session with the portable token 112 to use the corresponding private key 216. Further, the requesting component is unable to successfully obtain the sealed key blob 400 without providing the portable token 112 with the usage authorization data 422 or proof of having the usage 5 authorization data 422 for the protected key blob 402.
- FIG. 5 and FIG. 6 there is shown a method to create a protected key blob 402 and a method to use the sealed key blob.
- the methods of FIG. 5 and FIG. 6 are initiated by a requester.
- the requester is assumed to be the monitor 302. However, 0 the requester may be other modules such as, for example, the trusted kernel 312 and/or trusted applets 314 under the permission of the monitor 302. Further, the following assumes the requester and the tokens 110, 112 already have one or more key handles that identify keys 206, 218 stored in protected storage 204, 214 and associated usage authorization data.
- the requester and the 5 tokens 110, 112 may have obtained such information as a result of previously executed key creation and/or key loading commands.
- the requester is able to successfully establish sessions to use key pairs of the tokens 110, 112.
- the requester will be unable 0 to establish the sessions, and therefore will be unable to generate the respective key blobs using such key pairs and will be unable to load key pairs of key blobs created with such key pairs.
- FIG. 5 a method to generate the sealed key blob of FIG. 4 is shown.
- the monitor 302 and the fixed token 110 may establish a session for 5 an asymmetric key pair of the fixed token 110 that comprises a private key 206 and a corresponding public key 206 stored in protected storage 204 of the fixed token 110.
- the monitor 302 may request via the established session that the fixed token 110 create a sealed key blob 400.
- the monitor 302 may provide the fixed token 110 with usage authorization data 412 for the 0 sealed key blob 400.
- the monitor 302 may provide the fixed token 110 with one or more indexes or identifiers that identify PCR registers 210 to which the fixed token 110 is to seal the keys 408, 414 of the sealed key blob 400 and may provide the fixed token 110 with metrics that are expected to be stored in identified PCR registers 210
- the fixed token 110 in block 504 may create and return the requested
- the fixed token 110 may generate a asymmetric key pair 408, 414 comprising a private key 414 and a corresponding public key 408 and may store the asymmetric key pair 408, 414 in its protected storage 204. Further, the fixed token 110 may seal the asymmetric key pair 408, 414 and the usage authorization data 412 to an environment specified by metrics of the PCR 0 registers 210 that were identified by the monitor 302.
- the fixed token 110 may generate a seal record 410 that identifies PCR registers 210, metrics of the identified PCR registers 210, a proof value, and a digest value 416 that attests to asymmetric key pair 408, 414, the usage authorization data 412, and the seal record 410.
- the fixed token 110 may further create the encrypted 5 data areas 406 of the sealed key blob 400 by encrypting the private key 414, the usage authorization data 412, the digest value 416, and any other sensitive data of the sealed key blob 400 with the public key 206 of the established session.
- the fixed token 110 may prevent access to the data of the encrypted data areas 406 0 since such data may only be decrypted with the corresponding private key 206 which is under the control of the fixed token 110. The fixed token 110 may then return to the monitor 302 the requested sealed key blob 400.
- the monitor 302 and the portable token 112 may establish a session for an asymmetric key pair that comprises a private key 218 and a 5 corresponding public key 218 stored in protected storage 216 of the portable token 112.
- the monitor 302 in block 508 may request via the established session that the portable token 112 generate from the sealed key blob 400 a protected key blob 402 which has usage authorization data 422.
- the monitor 302 may provide the portable token 112 with the sealed key blob 400 and the usage 0 authorization data 422.
- the portable token 112 in block 510 may create and return the requested protected key blob 402.
- the portable token 112 may seal the usage authorization data 422 and the sealed key blob 400 to the portable token 112.
- the portable token 112 may generate a digest 5 value 424 that attests to the usage authorization data 422 and the sealed key blob 400.
- the portable token 112 may further create encrypted data areas 420 by encrypting the usage authorization data 422, the sealed key blob, the digest value 424, and any other sensitive data of the protected key blob 402 with the public key 218 of the established session. By creating the encrypted data areas 420 with the
- the portable token 112 may prevent access to the data of the encrypted data areas 420 since such data may only be decrypted with the corresponding private key 218 which is under the control of the portable token 112. The portable token 112 may then return to the monitor 302 the requested protected key blob 402.
- FIG. 6 there is shown a method of loading the asymmetric key pair 408, 414 of the protected key blob 402.
- the monitor 302 and portable token 112 may establish a session for the asymmetric key pair of the portable token 112 that was used to create the protected key blob 402.
- the monitor 302 may request the portable token 112 to return
- the monitor 302 may provide the portable token 112 with the protected key blob 402 and an authentication code that provides proof of possessing or having knowledge of the usage authorization data 422 for the protected key blob 402.
- the monitor 302 may provide the portable token 112 with the authentication code in a number 5 of different manners.
- the monitor 302 may simply encrypt its copy of the usage authorization data 422 using the public key 218 of the established session and may provide the portable token 112 with the encrypted copy of its usage authorization data 422.
- the monitor 302 may generate a message 0 authentication code (MAC) that provides both proof of possessing the usage authorization data 422 and attestation of one or more parameters of the request.
- the monitor 302 may provide the portable token 112 with a MAC resulting from applying the HMAC algorithm to a shared secret comprising or based upon the second usage authorization data and a message comprising one or more parameters of the request.
- MAC message 0 authentication code
- the HMAC algorithm is described in detail in Request for Comments (RFC) 2104 entitled “HMAC: Keyed-Hashing for Message Authentication.”
- the HMAC algorithm utilizes a cryptographic hash function such as, for example, the MD5 or SHA-1 algorithms to generate a MAC based upon a shared secret and the message being transmitted.
- the monitor 302 and portable token 112 may generate a shared secret for the HMAC calculation that is based upon the second usage authorization data and rolling nonces generated by the monitor 302 and the portable token 112 for the established session.
- the monitor 302 may generate one or more hashes of the parameters of the request and may compute the MAC via the HMAC algorithm using the computed shared secret and the parameter hashes as the message.
- the portable token 112 may validate the protected key blob
- the portable token 112 may compute the authentication code that the portable token 112 expects to receive from the monitor 302.
- the portable token 112 may decrypt the protected key blob 402 to obtain the sealed key blob 400 and the usage authorization data 422 for the protected key blob 402.
- the portable token 112 may then compute the authentication code or MAC in the same manner as the monitor 302 using the parameters received from the request and the usage authorization data 422 obtained from the protected key blob 402.
- the computed authentication code or MAC does not have the predetermined relationship (e.g.
- the portable token 112 may return an error message, may close the established session, may scrub the protected key blob 402 and associated data from the portable token 112, and may deactivate the portable token 112 in block 606. Further, the portable token 112 in block 604 may verify that protected key blob 402 has not been altered. In particular, the portable token 112 may compute a digest value based upon the usage authorization data 422 and the sealed key blob 400 and may determine whether the computed digest value has a predetermined relationship (e.g. equal) to the digest value 424 of the protected key blob 402.
- the 5 portable token 112 may return an error message, may close the established session, may scrub the protected key blob 402 and associated data from the portable token 112, and may deactivate the portable token 112 in block 604.
- 112 in block 608 may provide the monitor 302 with the sealed key blob 400.
- the 0 monitor 302 and the fixed token 110 may then establish in block 610 a session for the asymmetric key of the fixed token 110 that was used to create the sealed key blob 400.
- the monitor 302 may request that the fixed token 110 load the asymmetric key pair 408, 414 of the sealed key blob 400.
- the monitor 302 may provide the fixed token 110 with the sealed key blob 400 and an 5 authentication code or MAC that provides proof of possessing or having knowledge of the usage authorization data 412 associated with the sealed key blob 400.
- the monitor 302 may provide the fixed token 110 with a MAC resulting from an HMAC calculation using a shared secret based upon the usage authorization data 412 in a manner as described above in regard to 0 block 602.
- the fixed token 110 may validate the request for loading the asymmetric key pair 408, 414 of the sealed key blob 400.
- the fixed token 110 may compute the authentication code that the fixed token 110 expects to receive from the monitor 302.
- the fixed token 110 may 5 decrypt the sealed key blob 400 using the private key 206 of the established session to obtain the asymmetric key pair 408, 414, the usage authorization data 412, the seal record 410, and the digest value 416 of the sealed key blob 400.
- the fixed token 110 may then compute the authentication code or MAC in the same manner as the monitor 302 using the parameters received from the request 0 and the first usage authorization data obtained from the first sealed key blob.
- the fixed token 110 may return an error message, may close the established session, may scrub the first sealed key blob and associated data from the fixed token 110, and may deactivate the portable 5 token 112 in block 616. Further, the fixed token 110 in block 614 may verify that sealed key blob 400 has not been altered. In particular, the fixed token 110 may compute a digest value based upon the usage authorization data 412, the asymmetric key pair 408, 414, and the seal record 410 and may determine whether the computed digest value has a predetermined relationship (e.g.
- the fixed token 110 may return an error message, may close the established session, may scrub the sealed key blob 400 and associated data from the fixed token 110, and may deactivate the portable token 112 in block 616.
- the fixed token 110 in block 618 may further verify that the environment
- the fixed token 110 may determine whether the metrics of the seal record 410 have a predetermined relationship (e.g. equal) to the metrics of the PCR registers 210 and may determine whether the proof value of the seal record
- the fixed token 110 may return an error message, may close the established session, may scrub
- the sealed key blob 400 and associated data from the fixed token 110 may deactivate the portable token 112 in block 616.
- the fixed token 110 in block 620 may provide the monitor 302 with the public key 408 of the sealed key blob 400 and a key handle to reference the asymmetric key
- the monitor 302 may later provide the key handle to the fixed token 110 to establish a session to use the asymmetric key pair 408, 414 identified by the key handle.
- FIG. 5 and FIG. 6 in general result in establishing an asymmetric key pair that may be used only if the portable token 112 is present
- the computing device 100 and/or remote agents 118 ⁇ ... 118 R therefore may determine that the user of the portable token 112 is present based upon whether the keys 408 of the sealed key blob 400 are successfully loaded by the fixed token 110 and/or the ability to decrypt a secret that may only 0 be decrypted by the keys 408 of the sealed key blob 400.
- the user may use the portable token 112 to determine that the computing device 100 satisfies the environment criteria to which the keys 408 of the sealed key blob 400 were sealed.
- the user may determine that computing device 100 satisfies the environment criteria based upon whether the 5 keys 408 of the sealed key blob 400 are successfully loaded by the fixed token 110 and/or the ability to decrypt a secret that may only be decrypted by the keys 408 of the sealed key blob 400.
- the computing device 100 may perform all or a subset of the methods shown in FIG. 5 and FIG. 6 in response to executing instructions of a machine 0 readable medium such as, for example, read only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; and/or electrical, optical, acoustical or other form of propagated signals such as, for example, carrier waves, infrared signals, digital signals, analog signals.
- ROM read only memory
- RAM random access memory
- magnetic disk storage media such as, for example, magnetic disk storage media
- optical storage media such as, for example, carrier waves, infrared signals, digital signals, analog signals.
- FIG. 5 and FIG. 6 are 5 illustrated as a sequence of operations, the computing device 100 in some embodiments may perform various illustrated operations of the methods in parallel or in a different order.
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2003290767A AU2003290767A1 (en) | 2002-12-16 | 2003-11-12 | Attestation using both fixed token and portable token |
EP03783350A EP1573468A2 (en) | 2002-12-16 | 2003-11-12 | Attestation using both fixed token and portable token |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/321,751 US7318235B2 (en) | 2002-12-16 | 2002-12-16 | Attestation using both fixed token and portable token |
US10/321,751 | 2002-12-16 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2004061628A2 true WO2004061628A2 (en) | 2004-07-22 |
WO2004061628A3 WO2004061628A3 (en) | 2005-01-27 |
Family
ID=32507124
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2003/036110 WO2004061628A2 (en) | 2002-12-16 | 2003-11-12 | Attestation using both fixed token and portable token |
Country Status (7)
Country | Link |
---|---|
US (1) | US7318235B2 (en) |
EP (1) | EP1573468A2 (en) |
KR (1) | KR100737628B1 (en) |
CN (1) | CN100566243C (en) |
AU (1) | AU2003290767A1 (en) |
TW (1) | TWI255122B (en) |
WO (1) | WO2004061628A2 (en) |
Families Citing this family (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7480806B2 (en) * | 2002-02-22 | 2009-01-20 | Intel Corporation | Multi-token seal and unseal |
US7890771B2 (en) | 2002-04-17 | 2011-02-15 | Microsoft Corporation | Saving and retrieving data based on public key encryption |
US7571472B2 (en) * | 2002-12-30 | 2009-08-04 | American Express Travel Related Services Company, Inc. | Methods and apparatus for credential validation |
US7454622B2 (en) * | 2002-12-31 | 2008-11-18 | American Express Travel Related Services Company, Inc. | Method and system for modular authentication and session management |
US7181016B2 (en) * | 2003-01-27 | 2007-02-20 | Microsoft Corporation | Deriving a symmetric key from an asymmetric key for file encryption or decryption |
US7210034B2 (en) * | 2003-01-30 | 2007-04-24 | Intel Corporation | Distributed control of integrity measurement using a trusted fixed token |
US20050044408A1 (en) * | 2003-08-18 | 2005-02-24 | Bajikar Sundeep M. | Low pin count docking architecture for a trusted platform |
US8190893B2 (en) * | 2003-10-27 | 2012-05-29 | Jp Morgan Chase Bank | Portable security transaction protocol |
US7797544B2 (en) * | 2003-12-11 | 2010-09-14 | Microsoft Corporation | Attesting to establish trust between computer entities |
US7421588B2 (en) * | 2003-12-30 | 2008-09-02 | Lenovo Pte Ltd | Apparatus, system, and method for sealing a data repository to a trusted computing platform |
US7318150B2 (en) * | 2004-02-25 | 2008-01-08 | Intel Corporation | System and method to support platform firmware as a trusted process |
US7631360B2 (en) * | 2004-06-12 | 2009-12-08 | Microsoft Corporation | Hardware protection |
WO2006044717A2 (en) * | 2004-10-15 | 2006-04-27 | Verisign, Inc. | One time password |
US7412596B2 (en) * | 2004-10-16 | 2008-08-12 | Lenovo (Singapore) Pte. Ltd. | Method for preventing system wake up from a sleep state if a boot log returned during the system wake up cannot be authenticated |
US20060090078A1 (en) * | 2004-10-21 | 2006-04-27 | Blythe Michael M | Initiation of an application |
US7475247B2 (en) * | 2004-12-16 | 2009-01-06 | International Business Machines Corporation | Method for using a portable computing device as a smart key device |
US8761400B2 (en) * | 2005-07-15 | 2014-06-24 | Microsoft Corporation | Hardware linked product key |
US7809957B2 (en) * | 2005-09-29 | 2010-10-05 | Intel Corporation | Trusted platform module for generating sealed data |
US8090939B2 (en) * | 2005-10-21 | 2012-01-03 | Hewlett-Packard Development Company, L.P. | Digital certificate that indicates a parameter of an associated cryptographic token |
US9258124B2 (en) | 2006-04-21 | 2016-02-09 | Symantec Corporation | Time and event based one time password |
US8332637B2 (en) * | 2006-06-06 | 2012-12-11 | Red Hat, Inc. | Methods and systems for nonce generation in a token |
US20080040613A1 (en) * | 2006-08-14 | 2008-02-14 | David Carroll Challener | Apparatus, system, and method for secure password reset |
WO2008074366A1 (en) * | 2006-12-19 | 2008-06-26 | Telefonaktiebolaget Lm Ericsson (Publ) | Managing user access in a communications network |
US7913086B2 (en) * | 2007-06-20 | 2011-03-22 | Nokia Corporation | Method for remote message attestation in a communication system |
US20080320263A1 (en) * | 2007-06-20 | 2008-12-25 | Daniel Nemiroff | Method, system, and apparatus for encrypting, integrity, and anti-replay protecting data in non-volatile memory in a fault tolerant manner |
US8620818B2 (en) * | 2007-06-25 | 2013-12-31 | Microsoft Corporation | Activation system architecture |
US7853804B2 (en) * | 2007-09-10 | 2010-12-14 | Lenovo (Singapore) Pte. Ltd. | System and method for secure data disposal |
JP5230797B2 (en) * | 2008-04-02 | 2013-07-10 | ヒューレット−パッカード デベロップメント カンパニー エル.ピー. | Disk drive data encryption |
FR2929788B1 (en) * | 2008-04-08 | 2011-11-04 | Eads Secure Networks | SECURE USE OF TERMINAL MANAGEMENT |
US9276750B2 (en) * | 2013-07-23 | 2016-03-01 | Intel Corporation | Secure processing environment measurement and attestation |
US20160012430A1 (en) * | 2014-07-11 | 2016-01-14 | Google Inc. | Hands-free offline communications |
US10185960B2 (en) | 2014-07-11 | 2019-01-22 | Google Llc | Hands-free transactions verified by location |
US20160012423A1 (en) | 2014-07-11 | 2016-01-14 | Google Inc. | Hands-free transactions with voice recognition |
WO2017151825A1 (en) | 2016-03-01 | 2017-09-08 | Google Inc. | Facial profile modification for hands free transactions |
JP6907315B2 (en) | 2016-07-31 | 2021-07-21 | グーグル エルエルシーGoogle LLC | Automatic hands-free service request |
US10459664B1 (en) | 2017-04-10 | 2019-10-29 | Pure Storage, Inc. | Virtualized copy-by-reference |
KR102644767B1 (en) * | 2019-07-12 | 2024-03-06 | 에도패스, 엘엘씨 | Data protection and recovery systems and methods |
US10474809B1 (en) * | 2019-07-12 | 2019-11-12 | Capital One Services, Llc | Computer-based systems and computing devices configured to utilize one or more authentication servers for securing device commands transmissions and methods of use thereof |
CN111143084B (en) * | 2019-11-19 | 2023-05-09 | 厦门天锐科技股份有限公司 | Interaction method, device, equipment and medium of service program and interface program |
US20200127850A1 (en) * | 2019-12-20 | 2020-04-23 | Intel Corporation | Certifying a trusted platform module without privacy certification authority infrastructure |
EP4042312B1 (en) * | 2020-10-26 | 2023-10-11 | Google LLC | Multi-recipient secure communication |
US11521206B2 (en) * | 2020-12-07 | 2022-12-06 | Jpmorgan Chase Bank, N.A. | Systems and methods for providing immutable identifiers for aggregated data structures |
CN116522300B (en) * | 2023-07-04 | 2023-09-08 | 北京点聚信息技术有限公司 | Intelligent management system for electronic seal |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6351813B1 (en) * | 1996-02-09 | 2002-02-26 | Digital Privacy, Inc. | Access control/crypto system |
Family Cites Families (144)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3699532A (en) | 1970-04-21 | 1972-10-17 | Singer Co | Multiprogramming control for a data handling system |
US3996449A (en) | 1975-08-25 | 1976-12-07 | International Business Machines Corporation | Operating system authenticator |
US4162536A (en) | 1976-01-02 | 1979-07-24 | Gould Inc., Modicon Div. | Digital input/output system and method |
US4037214A (en) | 1976-04-30 | 1977-07-19 | International Business Machines Corporation | Key register controlled accessing system |
US4278837A (en) | 1977-10-31 | 1981-07-14 | Best Robert M | Crypto microprocessor for executing enciphered programs |
US4276594A (en) | 1978-01-27 | 1981-06-30 | Gould Inc. Modicon Division | Digital computer with multi-processor capability utilizing intelligent composite memory and input/output modules and method for performing the same |
US4207609A (en) | 1978-05-08 | 1980-06-10 | International Business Machines Corporation | Method and means for path independent device reservation and reconnection in a multi-CPU and shared device access system |
JPS5823570B2 (en) | 1978-11-30 | 1983-05-16 | 国産電機株式会社 | Liquid level detection device |
US4307447A (en) | 1979-06-19 | 1981-12-22 | Gould Inc. | Programmable controller |
US4529870A (en) | 1980-03-10 | 1985-07-16 | David Chaum | Cryptographic identification, financial transaction, and credential device |
US4319323A (en) | 1980-04-04 | 1982-03-09 | Digital Equipment Corporation | Communications device for data processing system |
US4419724A (en) | 1980-04-14 | 1983-12-06 | Sperry Corporation | Main bus interface package |
US4366537A (en) | 1980-05-23 | 1982-12-28 | International Business Machines Corp. | Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys |
US4403283A (en) | 1980-07-28 | 1983-09-06 | Ncr Corporation | Extended memory system and method |
DE3034581A1 (en) | 1980-09-13 | 1982-04-22 | Robert Bosch Gmbh, 7000 Stuttgart | READ-OUT LOCK FOR ONE-CHIP MICROPROCESSORS |
JPS58140862A (en) | 1982-02-16 | 1983-08-20 | Toshiba Corp | Mutual exclusion system |
US4521852A (en) | 1982-06-30 | 1985-06-04 | Texas Instruments Incorporated | Data processing device formed on a single semiconductor substrate having secure memory |
JPS59111561A (en) | 1982-12-17 | 1984-06-27 | Hitachi Ltd | Access controlling system of composite processor system |
US4759064A (en) | 1985-10-07 | 1988-07-19 | Chaum David L | Blind unanticipated signature systems |
US4975836A (en) | 1984-12-19 | 1990-12-04 | Hitachi, Ltd. | Virtual computer system |
JPS61206057A (en) | 1985-03-11 | 1986-09-12 | Hitachi Ltd | Address converting device |
FR2601525B1 (en) | 1986-07-11 | 1988-10-21 | Bull Cp8 | SECURITY DEVICE PROHIBITING THE OPERATION OF AN ELECTRONIC ASSEMBLY AFTER A FIRST SHUTDOWN OF ITS POWER SUPPLY |
US4843541A (en) | 1987-07-29 | 1989-06-27 | International Business Machines Corporation | Logical resource partitioning of a data processing system |
US5007082A (en) | 1988-08-03 | 1991-04-09 | Kelly Services, Inc. | Computer software encryption apparatus |
US4974159A (en) | 1988-09-13 | 1990-11-27 | Microsoft Corporation | Method of transferring control in a multitasking computer system |
US5079737A (en) | 1988-10-25 | 1992-01-07 | United Technologies Corporation | Memory management unit for the MIL-STD 1750 bus |
JPH02171934A (en) | 1988-12-26 | 1990-07-03 | Hitachi Ltd | Virtual machine system |
JPH02208740A (en) | 1989-02-09 | 1990-08-20 | Fujitsu Ltd | Virtual computer control system |
JP2590267B2 (en) | 1989-06-30 | 1997-03-12 | 株式会社日立製作所 | Display control method in virtual machine |
US5022077A (en) | 1989-08-25 | 1991-06-04 | International Business Machines Corp. | Apparatus and method for preventing unauthorized access to BIOS in a personal computer system |
JP2825550B2 (en) | 1989-09-21 | 1998-11-18 | 株式会社日立製作所 | Multiple virtual space address control method and computer system |
CA2010591C (en) | 1989-10-20 | 1999-01-26 | Phillip M. Adams | Kernels, description tables and device drivers |
US5075842A (en) | 1989-12-22 | 1991-12-24 | Intel Corporation | Disabling tag bit recognition and allowing privileged operations to occur in an object-oriented memory protection mechanism |
US5108590A (en) | 1990-09-12 | 1992-04-28 | Disanto Dennis | Water dispenser |
US5230069A (en) | 1990-10-02 | 1993-07-20 | International Business Machines Corporation | Apparatus and method for providing private and shared access to host address and data spaces by guest programs in a virtual machine computer system |
US5317705A (en) | 1990-10-24 | 1994-05-31 | International Business Machines Corporation | Apparatus and method for TLB purge reduction in a multi-level machine system |
US5287363A (en) | 1991-07-01 | 1994-02-15 | Disk Technician Corporation | System for locating and anticipating data storage media failures |
US5255379A (en) | 1990-12-28 | 1993-10-19 | Sun Microsystems, Inc. | Method for automatically transitioning from V86 mode to protected mode in a computer system using an Intel 80386 or 80486 processor |
US5319760A (en) | 1991-06-28 | 1994-06-07 | Digital Equipment Corporation | Translation buffer for virtual machines with address space match |
US5455909A (en) | 1991-07-05 | 1995-10-03 | Chips And Technologies Inc. | Microprocessor with operation capture facility |
JPH06236284A (en) | 1991-10-21 | 1994-08-23 | Intel Corp | Method for preservation and restoration of computer-system processing state and computer system |
US5627987A (en) | 1991-11-29 | 1997-05-06 | Kabushiki Kaisha Toshiba | Memory management and protection system for virtual memory in computer system |
US5574936A (en) | 1992-01-02 | 1996-11-12 | Amdahl Corporation | Access control mechanism controlling access to and logical purging of access register translation lookaside buffer (ALB) in a computer system |
US5421006A (en) | 1992-05-07 | 1995-05-30 | Compaq Computer Corp. | Method and apparatus for assessing integrity of computer system software |
US5237616A (en) | 1992-09-21 | 1993-08-17 | International Business Machines Corporation | Secure computer system having privileged and unprivileged memories |
US5293424A (en) | 1992-10-14 | 1994-03-08 | Bull Hn Information Systems Inc. | Secure memory card |
US5668971A (en) | 1992-12-01 | 1997-09-16 | Compaq Computer Corporation | Posted disk read operations performed by signalling a disk read complete to the system prior to completion of data transfer |
JPH06187178A (en) | 1992-12-18 | 1994-07-08 | Hitachi Ltd | Input and output interruption control method for virtual computer system |
US5483656A (en) | 1993-01-14 | 1996-01-09 | Apple Computer, Inc. | System for managing power consumption of devices coupled to a common bus |
US5469557A (en) | 1993-03-05 | 1995-11-21 | Microchip Technology Incorporated | Code protection in microcontroller with EEPROM fuses |
FR2703800B1 (en) | 1993-04-06 | 1995-05-24 | Bull Cp8 | Method for signing a computer file, and device for implementing it. |
US5628023A (en) | 1993-04-19 | 1997-05-06 | International Business Machines Corporation | Virtual storage computer system having methods and apparatus for providing token-controlled access to protected pages of memory via a token-accessible view |
JPH06348867A (en) | 1993-06-04 | 1994-12-22 | Hitachi Ltd | Microcomputer |
US5444850A (en) | 1993-08-04 | 1995-08-22 | Trend Micro Devices Incorporated | Method and apparatus for controlling network and workstation access prior to workstation boot |
US5555385A (en) | 1993-10-27 | 1996-09-10 | International Business Machines Corporation | Allocation of address spaces within virtual machine compute system |
US5825880A (en) | 1994-01-13 | 1998-10-20 | Sudia; Frank W. | Multi-step digital signature method and system |
US5459869A (en) | 1994-02-17 | 1995-10-17 | Spilo; Michael L. | Method for providing protected mode services for device drivers and other resident software |
US5604805A (en) | 1994-02-28 | 1997-02-18 | Brands; Stefanus A. | Privacy-protected transfer of electronic information |
US5684881A (en) | 1994-05-23 | 1997-11-04 | Matsushita Electric Industrial Co., Ltd. | Sound field and sound image control apparatus and method |
US5473692A (en) | 1994-09-07 | 1995-12-05 | Intel Corporation | Roving software license for a hardware agent |
US5539828A (en) | 1994-05-31 | 1996-07-23 | Intel Corporation | Apparatus and method for providing secured communications |
US5978481A (en) | 1994-08-16 | 1999-11-02 | Intel Corporation | Modem compatible method and apparatus for encrypting data that is transparent to software applications |
JPH0883211A (en) | 1994-09-12 | 1996-03-26 | Mitsubishi Electric Corp | Data processor |
DE69534757T2 (en) | 1994-09-15 | 2006-08-31 | International Business Machines Corp. | System and method for secure storage and distribution of data using digital signatures |
US6741991B2 (en) * | 1994-09-30 | 2004-05-25 | Mitsubishi Corporation | Data management system |
US6058478A (en) * | 1994-09-30 | 2000-05-02 | Intel Corporation | Apparatus and method for a vetted field upgrade |
US5606617A (en) | 1994-10-14 | 1997-02-25 | Brands; Stefanus A. | Secret-key certificates |
US5564040A (en) | 1994-11-08 | 1996-10-08 | International Business Machines Corporation | Method and apparatus for providing a server function in a logically partitioned hardware machine |
US5560013A (en) | 1994-12-06 | 1996-09-24 | International Business Machines Corporation | Method of using a target processor to execute programs of a source architecture that uses multiple address spaces |
US5555414A (en) | 1994-12-14 | 1996-09-10 | International Business Machines Corporation | Multiprocessing system including gating of host I/O and external enablement to guest enablement at polling intervals |
US5615263A (en) | 1995-01-06 | 1997-03-25 | Vlsi Technology, Inc. | Dual purpose security architecture with protected internal operating system |
US5764969A (en) | 1995-02-10 | 1998-06-09 | International Business Machines Corporation | Method and system for enhanced management operation utilizing intermixed user level and supervisory level instructions with partial concept synchronization |
US5727061A (en) * | 1995-02-13 | 1998-03-10 | Eta Technologies Corporation | Personal access management systems |
US5717903A (en) | 1995-05-15 | 1998-02-10 | Compaq Computer Corporation | Method and appartus for emulating a peripheral device to allow device driver development before availability of the peripheral device |
US5684948A (en) | 1995-09-01 | 1997-11-04 | National Semiconductor Corporation | Memory management circuit which provides simulated privilege levels |
US5633929A (en) | 1995-09-15 | 1997-05-27 | Rsa Data Security, Inc | Cryptographic key escrow system having reduced vulnerability to harvesting attacks |
US6093213A (en) * | 1995-10-06 | 2000-07-25 | Advanced Micro Devices, Inc. | Flexible implementation of a system management mode (SMM) in a processor |
US5737760A (en) | 1995-10-06 | 1998-04-07 | Motorola Inc. | Microcontroller with security logic circuit which prevents reading of internal memory by external program |
JP3693721B2 (en) | 1995-11-10 | 2005-09-07 | Necエレクトロニクス株式会社 | Microcomputer with built-in flash memory and test method thereof |
US5790668A (en) * | 1995-12-19 | 1998-08-04 | Mytec Technologies Inc. | Method and apparatus for securely handling data in a database of biometrics and associated data |
US5657445A (en) | 1996-01-26 | 1997-08-12 | Dell Usa, L.P. | Apparatus and method for limiting access to mass storage devices in a computer system |
US5835594A (en) | 1996-02-09 | 1998-11-10 | Intel Corporation | Methods and apparatus for preventing unauthorized write access to a protected non-volatile storage |
US5815665A (en) | 1996-04-03 | 1998-09-29 | Microsoft Corporation | System and method for providing trusted brokering services over a distributed network |
US5809546A (en) | 1996-05-23 | 1998-09-15 | International Business Machines Corporation | Method for managing I/O buffers in shared storage by structuring buffer table having entries including storage keys for controlling accesses to the buffers |
US6175925B1 (en) * | 1996-06-13 | 2001-01-16 | Intel Corporation | Tamper resistant player for scrambled contents |
US6205550B1 (en) * | 1996-06-13 | 2001-03-20 | Intel Corporation | Tamper resistant methods and apparatus |
US6178509B1 (en) * | 1996-06-13 | 2001-01-23 | Intel Corporation | Tamper resistant methods and apparatus |
US5729760A (en) | 1996-06-21 | 1998-03-17 | Intel Corporation | System for providing first type access to register if processor in first mode and second type access to register if processor not in first mode |
US5944821A (en) | 1996-07-11 | 1999-08-31 | Compaq Computer Corporation | Secure software registration and integrity assessment in a computer system |
US6199152B1 (en) * | 1996-08-22 | 2001-03-06 | Transmeta Corporation | Translated memory protection apparatus for an advanced microprocessor |
US5740178A (en) | 1996-08-29 | 1998-04-14 | Lucent Technologies Inc. | Software for controlling a reliable backup memory |
US6055637A (en) | 1996-09-27 | 2000-04-25 | Electronic Data Systems Corporation | System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential |
US5844986A (en) | 1996-09-30 | 1998-12-01 | Intel Corporation | Secure BIOS |
US5937063A (en) | 1996-09-30 | 1999-08-10 | Intel Corporation | Secure boot |
US5935242A (en) | 1996-10-28 | 1999-08-10 | Sun Microsystems, Inc. | Method and apparatus for initializing a device |
JPH10134008A (en) * | 1996-11-05 | 1998-05-22 | Mitsubishi Electric Corp | Semiconductor device and computer system |
US5852717A (en) | 1996-11-20 | 1998-12-22 | Shiva Corporation | Performance optimizations for computer networks utilizing HTTP |
US5901225A (en) | 1996-12-05 | 1999-05-04 | Advanced Micro Devices, Inc. | System and method for performing software patches in embedded systems |
US5757919A (en) | 1996-12-12 | 1998-05-26 | Intel Corporation | Cryptographically protected paging subsystem |
US5953502A (en) | 1997-02-13 | 1999-09-14 | Helbig, Sr.; Walter A | Method and apparatus for enhancing computer system security |
US6044478A (en) | 1997-05-30 | 2000-03-28 | National Semiconductor Corporation | Cache with finely granular locked-down regions |
US5987557A (en) | 1997-06-19 | 1999-11-16 | Sun Microsystems, Inc. | Method and apparatus for implementing hardware protection domains in a system with no memory management unit (MMU) |
US6035374A (en) | 1997-06-25 | 2000-03-07 | Sun Microsystems, Inc. | Method of executing coded instructions in a multiprocessor having shared execution resources including active, nap, and sleep states in accordance with cache miss latency |
US6014745A (en) | 1997-07-17 | 2000-01-11 | Silicon Systems Design Ltd. | Protection for customer programs (EPROM) |
US5978475A (en) | 1997-07-18 | 1999-11-02 | Counterpane Internet Security, Inc. | Event auditing system |
US5919257A (en) | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US6282657B1 (en) * | 1997-09-16 | 2001-08-28 | Safenet, Inc. | Kernel mode protection |
US5935247A (en) | 1997-09-18 | 1999-08-10 | Geneticware Co., Ltd. | Computer system having a genetic code that cannot be directly accessed and a method of maintaining the same |
US5970147A (en) | 1997-09-30 | 1999-10-19 | Intel Corporation | System and method for configuring and registering a cryptographic device |
US6108644A (en) * | 1998-02-19 | 2000-08-22 | At&T Corp. | System and method for electronic transactions |
US6131166A (en) * | 1998-03-13 | 2000-10-10 | Sun Microsystems, Inc. | System and method for cross-platform application level power management |
US6473800B1 (en) * | 1998-07-15 | 2002-10-29 | Microsoft Corporation | Declarative permission requests in a computer system |
US6393565B1 (en) * | 1998-08-03 | 2002-05-21 | Entrust Technologies Limited | Data management system and method for a limited capacity cryptographic storage unit |
US20020004900A1 (en) * | 1998-09-04 | 2002-01-10 | Baiju V. Patel | Method for secure anonymous communication |
US7194092B1 (en) * | 1998-10-26 | 2007-03-20 | Microsoft Corporation | Key-based secure storage |
US6609199B1 (en) * | 1998-10-26 | 2003-08-19 | Microsoft Corporation | Method and apparatus for authenticating an open system application to a portable IC device |
US6138239A (en) * | 1998-11-13 | 2000-10-24 | N★Able Technologies, Inc. | Method and system for authenticating and utilizing secure resources in a computer system |
US6473508B1 (en) * | 1998-12-22 | 2002-10-29 | Adam Lucas Young | Auto-recoverable auto-certifiable cryptosystems with unescrowed signature-only keys |
US6560627B1 (en) * | 1999-01-28 | 2003-05-06 | Cisco Technology, Inc. | Mutual exclusion at the record level with priority inheritance for embedded systems using one semaphore |
US7111290B1 (en) * | 1999-01-28 | 2006-09-19 | Ati International Srl | Profiling program execution to identify frequently-executed portions and to assist binary translation |
JP4812168B2 (en) * | 1999-02-15 | 2011-11-09 | ヒューレット・パッカード・カンパニー | Trusted computing platform |
US7225333B2 (en) * | 1999-03-27 | 2007-05-29 | Microsoft Corporation | Secure processor architecture for use with a digital rights management (DRM) system on a computing device |
US6615278B1 (en) * | 1999-03-29 | 2003-09-02 | International Business Machines Corporation | Cross-platform program, system, and method having a global registry object for mapping registry equivalent functions in an OS/2 operating system environment |
US6684326B1 (en) * | 1999-03-31 | 2004-01-27 | International Business Machines Corporation | Method and system for authenticated boot operations in a computer system of a networked computing environment |
US6529909B1 (en) * | 1999-08-31 | 2003-03-04 | Accenture Llp | Method for translating an object attribute converter in an information services patterns environment |
JP3710671B2 (en) * | 2000-03-14 | 2005-10-26 | シャープ株式会社 | One-chip microcomputer, IC card using the same, and access control method for one-chip microcomputer |
US6678825B1 (en) * | 2000-03-31 | 2004-01-13 | Intel Corporation | Controlling access to multiple isolated memories in an isolated execution environment |
GB0020416D0 (en) * | 2000-08-18 | 2000-10-04 | Hewlett Packard Co | Trusted system |
US20020129261A1 (en) * | 2001-03-08 | 2002-09-12 | Cromer Daryl Carvis | Apparatus and method for encrypting and decrypting data recorded on portable cryptographic tokens |
US7631160B2 (en) * | 2001-04-04 | 2009-12-08 | Advanced Micro Devices, Inc. | Method and apparatus for securing portions of memory |
US20030005317A1 (en) * | 2001-06-28 | 2003-01-02 | Audebert Yves Louis Gabriel | Method and system for generating and verifying a key protection certificate |
US20030002668A1 (en) * | 2001-06-30 | 2003-01-02 | Gary Graunke | Multi-level, multi-dimensional content protections |
US7191464B2 (en) * | 2001-10-16 | 2007-03-13 | Lenovo Pte. Ltd. | Method and system for tracking a secure boot in a trusted computing environment |
DE10158531B4 (en) * | 2001-11-29 | 2006-09-28 | Universitätsklinikum Freiburg | Method for measuring magnetic resonance (NMR) by means of spin echoes |
US7103771B2 (en) * | 2001-12-17 | 2006-09-05 | Intel Corporation | Connecting a virtual token to a physical token |
US7475250B2 (en) * | 2001-12-19 | 2009-01-06 | Northrop Grumman Corporation | Assignment of user certificates/private keys in token enabled public key infrastructure system |
US20030126453A1 (en) * | 2001-12-31 | 2003-07-03 | Glew Andrew F. | Processor supporting execution of an authenticated code instruction |
US7308576B2 (en) * | 2001-12-31 | 2007-12-11 | Intel Corporation | Authenticated code module |
US7242768B2 (en) * | 2002-01-14 | 2007-07-10 | Lenovo (Singapore) Pte. Ltd. | Super secure migratable keys in TCPA |
US7107460B2 (en) * | 2002-02-15 | 2006-09-12 | International Business Machines Corporation | Method and system for securing enablement access to a data security device |
US7130999B2 (en) * | 2002-03-27 | 2006-10-31 | Intel Corporation | Using authentication certificates for authorization |
US7343493B2 (en) * | 2002-03-28 | 2008-03-11 | Lenovo (Singapore) Pte. Ltd. | Encrypted file system using TCPA |
US7028149B2 (en) * | 2002-03-29 | 2006-04-11 | Intel Corporation | System and method for resetting a platform configuration register |
US7165181B2 (en) * | 2002-11-27 | 2007-01-16 | Intel Corporation | System and method for establishing trust without revealing identity |
-
2002
- 2002-12-16 US US10/321,751 patent/US7318235B2/en not_active Expired - Fee Related
-
2003
- 2003-11-12 KR KR1020057010996A patent/KR100737628B1/en not_active IP Right Cessation
- 2003-11-12 AU AU2003290767A patent/AU2003290767A1/en not_active Abandoned
- 2003-11-12 EP EP03783350A patent/EP1573468A2/en not_active Withdrawn
- 2003-11-12 WO PCT/US2003/036110 patent/WO2004061628A2/en not_active Application Discontinuation
- 2003-11-13 TW TW092131848A patent/TWI255122B/en not_active IP Right Cessation
- 2003-12-15 CN CNB2003101212131A patent/CN100566243C/en not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6351813B1 (en) * | 1996-02-09 | 2002-02-26 | Digital Privacy, Inc. | Access control/crypto system |
Non-Patent Citations (1)
Title |
---|
"Trusted Computing Platform Alliance (TCPA) Main Specification Version 1.1b" TCPA MAIN SPECIFICATION, XX, XX, 22 February 2002 (2002-02-22), page COMPLETE332, XP002294897 cited in the application * |
Also Published As
Publication number | Publication date |
---|---|
US20040117625A1 (en) | 2004-06-17 |
KR20050085678A (en) | 2005-08-29 |
WO2004061628A3 (en) | 2005-01-27 |
EP1573468A2 (en) | 2005-09-14 |
KR100737628B1 (en) | 2007-07-10 |
TW200423672A (en) | 2004-11-01 |
AU2003290767A1 (en) | 2004-07-29 |
CN100566243C (en) | 2009-12-02 |
US7318235B2 (en) | 2008-01-08 |
CN1514571A (en) | 2004-07-21 |
TWI255122B (en) | 2006-05-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7318235B2 (en) | Attestation using both fixed token and portable token | |
US20040117318A1 (en) | Portable token controlling trusted environment launch | |
JP6370722B2 (en) | Inclusive verification of platform to data center | |
US7103771B2 (en) | Connecting a virtual token to a physical token | |
US7480806B2 (en) | Multi-token seal and unseal | |
US8462955B2 (en) | Key protectors based on online keys | |
US5953422A (en) | Secure two-piece user authentication in a computer network | |
US20050283826A1 (en) | Systems and methods for performing secure communications between an authorized computing platform and a hardware component | |
US20050283601A1 (en) | Systems and methods for securing a computer boot | |
US7095859B2 (en) | Managing private keys in a free seating environment | |
US10897360B2 (en) | Addressing a trusted execution environment using clean room provisioning | |
US11405201B2 (en) | Secure transfer of protected application storage keys with change of trusted computing base | |
KR101069500B1 (en) | Method for processing secret data based on virtualization and trusted platform module in network system, and computer readable recording medium | |
CA3042984C (en) | Balancing public and personal security needs | |
CN117648703A (en) | Data controllable use method | |
CN114978490A (en) | Encryption method and device for private data, processor and electronic equipment | |
Reimair | Trusted virtual security module |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2003783350 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020057010996 Country of ref document: KR |
|
WWP | Wipo information: published in national office |
Ref document number: 1020057010996 Country of ref document: KR |
|
WWP | Wipo information: published in national office |
Ref document number: 2003783350 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: JP |