Method and system for enterprise network single-sign-on by a manageability engine
First Claim
1. A computer system that is capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system comprising:
a network interface controller for use in communicating, when the computer system is in the operation, with the at least one server system via the Internet network;
at least one storage drive comprising flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS); and
at least one multicore processor that is capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the at least one processor resulting in performance of operations comprising:
fully encrypting the user data and the OS in the at least one storage drive; and
after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
wherein, when the computer system is in the operation:
the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
the single-sign-on user authentication process comprises:
prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to:
authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part, upon the successful completion of the single-sign-on user authentication process;
the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
Abstract
A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.
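As an added illustration (not the patent's or the manageability engine's own code), the following Python models the key hierarchy the abstract and claim 1 describe: a wrap key derived from an authentication parameter entered at the pre-boot prompt, the drive encryption key and the KDC-issued KEK kept wrapped in non-volatile storage, and release of both keys only when the credential verifies, so that a wrong passphrase or a tampered blob never lets the OS boot. The function names, the PBKDF2 plus HMAC construction standing in for a hardware key wrap, the choice to store the wrapped keys rather than the wrap key itself, and the sample values are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed model of the claims' key hierarchy; not ME firmware or Intel code.
PBKDF2_ITERS, NONCE_LEN, TAG_LEN = 100_000, 16, 32

def derive_wrap_key(auth_param: bytes, salt: bytes) -> bytes:
    """Wrap key based on an authentication parameter (a pre-boot passphrase here)."""
    return hashlib.pbkdf2_hmac("sha256", auth_param, salt, PBKDF2_ITERS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a software stand-in for an AES key-wrap primitive.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _subkeys(wk: bytes):
    # Separate encryption and MAC subkeys so the wrap key itself is never used directly.
    return (hmac.new(wk, b"enc", hashlib.sha256).digest(), hmac.new(wk, b"mac", hashlib.sha256).digest())

def wrap_secret(wk: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC under the wrap key: nonce || ciphertext || tag."""
    enc, mac = _subkeys(wk)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc, nonce, len(secret))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap_secret(wk: bytes, blob: bytes):
    """Return the secret, or None when the tag fails (wrong credential or tampered blob)."""
    enc, mac = _subkeys(wk)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def provision(auth_param: bytes, dek: bytes, kek: bytes) -> dict:
    """Enrolment: the drive key (DEK) and the KDC-issued KEK, wrapped, go to NV storage."""
    salt = secrets.token_bytes(16)
    wk = derive_wrap_key(auth_param, salt)
    return {"salt": salt, "dek": wrap_secret(wk, dek), "kek": wrap_secret(wk, kek)}

def preboot_authenticate(nvram: dict, auth_param: bytes):
    """Pre-boot check: (dek, kek) on success; None means the OS must not be booted."""
    wk = derive_wrap_key(auth_param, nvram["salt"])
    dek = unwrap_secret(wk, nvram["dek"])
    kek = unwrap_secret(wk, nvram["kek"])
    if dek is None or kek is None:
        return None
    return dek, kek
```

The returned DEK is what the firmware would hand to the drive to decrypt the OS volume; the KEK is what the OS-side agent later uses to obtain credentials for the enterprise servers, as the abstract describes.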
30 Claims
1. Independent claim; reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A method implemented, at least in part, using a computer system, the computer system being capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the method comprising:
using a network interface controller of the computer system to communicate with the at least one server system via the Internet network, the computer system also comprising at least one storage drive that comprises flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS); and
executing, at least in part, by at least one multicore processor of the computer system, instructions, the instructions when executed, at least in part, by the at least one processor resulting in performance of operations comprising:
fully encrypting the user data and the OS in the at least one storage drive; and
after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
wherein, when the computer system is in the operation:
the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
the single-sign-on user authentication process comprises:
prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to:
authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part, upon the successful completion of the single-sign-on user authentication process;
the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
Dependent claims: 8, 9, 10, 11, 12.
13. Non-transitory machine-readable storage medium storing program instructions to be executed, at least in part, by at least one multicore processor of a computer system, the computer system being capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system also comprising at least one storage drive that comprises flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS), the program instructions when executed, at least in part, by the at least one multicore processor resulting in the computer system being capable of performing operations comprising:
using a network interface controller of the computer system to communicate with the at least one server system via the Internet network;
fully encrypting the user data and the OS in the at least one storage drive; and
after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
wherein, when the computer system is in the operation:
the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
the single-sign-on user authentication process comprises:
prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to:
authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part, upon the successful completion of the single-sign-on user authentication process;
the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
Dependent claims: 14, 15, 16, 17, 18.
19. A computer system that is capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system comprising:
a network interface controller means for use in communicating, when the computer system is in the operation, with the at least one server system via the Internet network;
at least one storage drive means comprising flash storage and/or disk storage, the at least one storage drive means being for storing drive data that is capable of comprising user data and an operating system (OS); and
at least one multicore processor means that is capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the at least one processor means resulting in performance of operations comprising:
fully encrypting the user data and the OS in the at least one storage drive means; and
after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
wherein, when the computer system is in the operation:
the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
the single-sign-on user authentication process comprises:
prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to:
authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part, upon the successful completion of the single-sign-on user authentication process;
the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
Dependent claims: 20, 21, 22, 23, 24.
25. A computer system that is capable, when the computer system is in operation, of communicating with one or more server systems via an Internet network, the computer system comprising:
a network interface controller for use in communicating, when the computer system is in the operation, with the one or more server systems via the Internet network;
one or more storage drives comprising flash storage and/or disk storage, the one or more storage drives being to store drive data that is capable of comprising user data and an operating system (OS); and
one or more multicore processors that are capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the one or more processors resulting in performance of operations comprising:
fully encrypting the user data and the OS in the one or more storage drives; and
after successful completion of a single-sign-on user authentication process, decrypting one or more portions of the drive data so as to permit booting of the OS at the computer system;
wherein, when the computer system is in the operation:
the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the one or more server systems and the OS;
the single-sign-on user authentication process comprises:
prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of one or more user authentication credentials that are capable of being used by the module to:
authenticate the user of the computer system to the one or more server systems based upon whether the one or more user authentication credentials correspond, at least in part, to user credential information stored at the one or more server systems; and
obtain permission from the one or more server systems to access one or more services that are capable of being provided by the one or more server systems;
the computer system is to store one or more keys that are capable of being rendered accessible for use in association with the encrypting and/or decrypting based upon the successful completion of the single-sign-on user authentication process;
the one or more keys comprise one or more wrap keys and one or more key encryption keys, the one or more wrap keys being based, at least in part, upon one or more authentication parameters; and
the one or more wrap keys and the one or more key encryption keys are to be (1) obtained prior to booting of the operating system, and (2) stored and accessible in non-volatile storage of the computer system.
Dependent claims: 26, 27, 28, 29, 30.