Secure authentication protocol systems and methods

US 10,073,964 B2
Filed: 09/25/2015
Issued: 09/11/2018
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system for transferring authentication protocols between a sensor and a platform, the system comprising:

a first input device to, during a pre-boot session;

verify received data representative of a first authentication factor;

store the verified first authentication factor; and

store a credential logically associated with a prior session;

verify the prior session against a credential logically associated with an immediately previous post-boot environment that includes a defined change, alternation or modification including at least incrementing or decrementing the immediately previous post-boot environment by a defined value;

upon verifying the prior session, indicate the presence of the credential using a logical indicator;

at least one circuit communicably coupled to the first input device;

a data storage device communicably coupled to the at least one circuit, the data storage device including machine-readable instructions that, when executed by the at least one circuit, causes the at least one circuit to provide an authentication engine and causes the authentication engine to, during a current post-boot session;

communicate a challenge to the first input device;

receive a payload that includes the verified first authentication factor and the prior session credential from the first input device in response to the communicated challenge;

verify the prior session credential received from the first input device; and

generate a credential that is logically associated with the post-boot session, wherein the post-boot session credential includes a pseudorandom alphanumeric string of defined length.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An input device of a secure authentication protocol system may receive at least one user authentication factor in a pre-boot session. The input device may verify the received authentication factors and may store the verified authentication factors. During a post-boot session, the input device may communicate the verified authentication factor and a stored post-boot session credential received during a prior post-boot session to an authentication engine executing in a trusted execution environment. The authentication engine verifies the received post-boot session credential is logically associated with an immediately preceding post-boot session. Upon successful verification of the received post-boot session credential, the verified authentication factors or data indicative of a successfully verified authentication factor received during the pre-boot session are used in the current post-boot session.

Citations

25 Claims

1. A system for transferring authentication protocols between a sensor and a platform, the system comprising:
- a first input device to, during a pre-boot session;
  
  verify received data representative of a first authentication factor;
  
  store the verified first authentication factor; and
  
  store a credential logically associated with a prior session;
  
  verify the prior session against a credential logically associated with an immediately previous post-boot environment that includes a defined change, alternation or modification including at least incrementing or decrementing the immediately previous post-boot environment by a defined value;
  
  upon verifying the prior session, indicate the presence of the credential using a logical indicator;
  
  at least one circuit communicably coupled to the first input device;
  
  a data storage device communicably coupled to the at least one circuit, the data storage device including machine-readable instructions that, when executed by the at least one circuit, causes the at least one circuit to provide an authentication engine and causes the authentication engine to, during a current post-boot session;
  
  communicate a challenge to the first input device;
  
  receive a payload that includes the verified first authentication factor and the prior session credential from the first input device in response to the communicated challenge;
  
  verify the prior session credential received from the first input device; and
  
  generate a credential that is logically associated with the post-boot session, wherein the post-boot session credential includes a pseudorandom alphanumeric string of defined length.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein the at least one circuit provides the authentication engine in a trusted execution environment.
  - 3. The system of claim 2 wherein the machine-readable instructions cause the at least one circuit to cause the authentication engine to further:
    - cause a credential generator to generate a current post-boot session credential; and
      
      replace the stored prior post-boot session credential with the current post-boot session credential.
  - 4. The system of claim 3 wherein the machine-readable instructions cause the at least one circuit to cause the authentication engine to further:
    - provide user access to the post-boot environment responsive to a successful verification of the prior post-boot session credential by the authentication engine.
  - 5. The system of claim 4 wherein the machine-readable instructions cause the at least one circuit to cause the authentication engine to further:
    - request a second authentication factor responsive to an unsuccessful verification of the prior post-boot session credential by the authentication engine.
  - 6. The system of claim 5 wherein the machine-readable instructions cause the at least one circuit to cause the authentication engine to further:
    - provide user access to the current post-boot session responsive to a successful verification of the second authentication factor by the authentication engine.
  - 7. The system of any of claims 1 through 6, the first input device to further:
    - receive data representative of a user-supplied first authentication factor.
  - 8. The system of claim 7 wherein the first input device comprises at least one of:
    - a knowledge factor input device, a possession factor input device, an inherence factor input device, a location factor input device, or a time factor input device.
  - 9. The system of any of claims 1 through 6 wherein the credential includes a nonce previously supplied by the authentication engine to the data acquisition device.
  - 10. The system of any of claims 1 through 6 wherein the credential includes a calculated value based at least in part on a known value previously supplied by the authentication engine to the data acquisition device.

11. An authentication method, comprising:
- during a pre-boot session;
  
  verifying, by a first input device, a first authentication factor;
  
  storing, by the first input device, the verified first authentication factor; and
  
  storing, by the first input device, a credential logically associated with a prior post-boot session;
  
  verifying the prior session against a credential logically associated with an immediately previous post-boot environment that includes a defined change, alternation or modification including at least incrementing or decrementing the immediately previous post-boot environment by a defined value;
  
  upon verifying the prior session, indicating the presence of the credential using a logical indicator;
  
  during a current post-boot session;
  
  generating, by an authentication engine, a query;
  
  communicating, by the authentication engine, the query to the first input device;
  
  receiving, by the authentication engine, the verified first user authentication data and the prior post-boot session credential from the first input device in response to the communicated query;
  
  verifying, by the authentication engine, the received prior post-boot session credential; and
  
  generating a credential that is logically associated with the post-boot session, wherein the post-boot session credential includes a pseudorandom alphanumeric string of defined length.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The method of claim 11 wherein verifying the prior post-boot session credential comprises:
    - verifying, by the authentication engine, the prior post-boot session credential includes at least one credential representative of an immediately preceding post-boot session.
  - 13. The method of claim 12, further comprising:
    - during the current post-boot session;
      
      generating, by a credential generator, a credential logically associated with the current post-boot session; and
      
      overwriting, by the authentication engine, the prior post-boot session credential with the current post-boot session credential.
  - 14. The method of claim 11, further comprising:
    - causing at least one circuit to execute at least one machine-readable instruction set that causes the at least one circuit to provide at least a portion of the authentication engine.
  - 15. The method of claim 14 wherein causing at least one circuit to execute at least one machine-readable instruction set that causes the at least one circuit to provide at least a portion of the authentication engine comprises:
    - causing the at least one circuit to execute, in a trusted execution environment, at least one machine-readable instruction set that causes the at least one circuit to provide at least a portion of the authentication engine.
  - 16. The method of claim 11, further comprising:
    - in the pre-boot session;
      
      receiving, by the first input device, a user-supplied first authentication factor.
  - 17. The method of claim 16 wherein receiving the user-supplied first authentication factor comprises:
    - receiving, by the first input device, at least one of;
      
      a knowledge factor, a possession factor, an inherence factor, a location factor, or a time factor.
  - 18. The method of any of claims 11 through 17, further comprising:
    - providing, by the authentication engine, user access to the current post-boot session responsive to successful verification of the first user authentication factor by the authentication engine.
  - 19. The method of any of claims 11 through 17, further comprising:
    - requesting, by the authentication engine, a second authentication factor responsive to an unsuccessful verification of the stored prior post-boot session credential; and
      
      verifying, by the authentication engine, the second authentication factor prior to providing user access to the current post-boot session.
  - 20. The method of claim 19 wherein requesting a second authentication factor comprises:
    - requesting, by the authentication engine, at least one of;
      
      the first authentication factor or the second authentication factor.
  - 21. The method of claim 20 wherein verifying the second user supplied authentication factor comprises:
    - verifying, by the authentication engine, at least one of;
      
      the first authentication factor or the second authentication factor.

22. An authentication system, comprising:
- during a pre-boot session;
  
  a means for verifying a first authentication factor;
  
  a means for storing the first authentication factor; and
  
  a means for storing a credential logically associated with a prior post-boot session;
  
  means for verifying the prior session against a credential logically associated with an immediately previous post-boot environment that includes a defined change, alternation or modification including at least incrementing or decrementing the immediately previous post-boot environment by a defined value;
  
  means for, upon verifying the prior session, indicating the presence of the credential using a logical indicator;
  
  during a current post-boot session;
  
  a means for generating a query;
  
  a means for communicating the generated query to a first input device;
  
  a means for receiving the verified first user authentication data and the prior post-boot session credential from the first input device in response to the communicated query;
  
  a means for verifying the received prior post-boot session credential; and
  
  means for generating a credential that is logically associated with the post-boot session, wherein the post-boot session credential includes a pseudorandom alphanumeric string of defined length.
- View Dependent Claims (23)
- - 23. The system of claim 22 wherein the means for verifying the prior post-boot session credential comprises:
    - a means for verifying the prior post-boot session credential includes at least one credential logically associated with an immediately preceding post-boot session.

24. A storage device that includes machine-readable instructions, that when executed by a circuit, cause the circuit to:
- during a pre-boot session, cause a first input device to;
  
  verify a first authentication factor;
  
  store the first authentication factor; and
  
  store a credential logically associated with a prior post-boot session;
  
  verify the prior session against a credential logically associated with an immediately previous post-boot environment that includes a defined change, alternation or modification including at least incrementing or decrementing the immediately previous post-boot environment by a defined value;
  
  during a current post-boot session, cause an authentication engine to;
  
  generate a query;
  
  communicate the generated query to the first input device;
  
  receive the verified first user authentication data and the prior post-boot session credential from the first input device in response to the communicated query;
  
  verify the received prior post-boot session credential; and
  
  generate a credential that is logically associated with the post-boot session, wherein the post-boot session credential includes a pseudorandom alphanumeric string of defined length.
- View Dependent Claims (25)
- - 25. The storage device of claim 24 wherein the machine-readable instructions that cause the authentication engine to verify the received prior session credential further cause the authentication engine to:
    - verify the stored prior post-boot session credential includes at least one credential logically associated with an immediately preceding post-boot session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Raziel, Michael, Bhargav-Spantzel, Abhilasha, Khosravi, Hormuzd M.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Saadoun, Hassan

Application Number

US14/866,502
Publication Number

US 20170091438A1
Time in Patent Office

1,082 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

Secure authentication protocol systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication protocol systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links