Method and system for enterprise network single-sign-on by a manageability engine

US 10,489,574 B2
Filed: 04/11/2017
Issued: 11/26/2019
Est. Priority Date: 12/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system that is capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system comprising:

a network interface controller for use in communicating, when the computer system is in the operation, with the at least one server system via the Internet network;

at least one storage drive comprising flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS); and

at least one multicore processor that is capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the at least one processor resulting in performance of operations comprising;

fully encrypting the user data and the OS in the at least one storage drive; and

after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;

wherein, when the computer system is in the operation;

the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;

the single-sign-on user authentication process comprises;

prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to;

authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and

obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;

the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part upon, the successful completion of the single-sign-on user authentication process;

the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and

the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.

Citations

30 Claims

1. A computer system that is capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system comprising:
- a network interface controller for use in communicating, when the computer system is in the operation, with the at least one server system via the Internet network;
  
  at least one storage drive comprising flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS); and
  
  at least one multicore processor that is capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the at least one processor resulting in performance of operations comprising;
  
  fully encrypting the user data and the OS in the at least one storage drive; and
  
  after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
  
  wherein, when the computer system is in the operation;
  
  the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
  
  the single-sign-on user authentication process comprises;
  
  prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to;
  
  authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
  
  obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
  
  the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part upon, the successful completion of the single-sign-on user authentication process;
  
  the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
  
  the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer system of claim 1, wherein:
    - the at least one server system is capable of supplying other data that is capable of being used to decrypt, at least in part, the drive data.
  - 3. The computer system of claim 1, wherein:
    - the user credential information stored at the at least one server system comprises user identification and user password.
  - 4. The computer system of claim 1, wherein:
    - the network interface controller is capable of establishing, at least in part, during the operation of the computer system, a secure communication channel between the computer system and the at least one server system.
  - 5. The computer system of claim 1, wherein:
    - at least one server system comprises a plurality of servers.
  - 6. The computer system of claim 1, wherein:
    - the computer system comprises;
      
      a mobile computer;
      
      a personal digital assistant computing system;
      
      a cellular telephone computing system; and
      
      /ora multiprocessor computing system.

7. A method implemented, at least in part, using a computer system, the computer system being capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the method comprising:
- using a network interface controller of the computer system to communicate with the at least one server system via the Internet network, the computer system also comprising at least one storage drive that comprises flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS); and
  
  executing, at least in part, by at least one multicore processor of the computer system, instructions, the instructions when executed, at least in part, by the at least one processor resulting in performance of operations comprising;
  
  fully encrypting the user data and the OS in the at least one storage drive; and
  
  after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
  
  wherein, when the computer system is in the operation;
  
  the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
  
  the single-sign-on user authentication process comprises;
  
  prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to;
  
  authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
  
  obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
  
  the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part upon, the successful completion of the single-sign-on user authentication process;
  
  the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
  
  the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein:
    - the at least one server system is capable of supplying other data that is capable of being used to decrypt, at least in part, the drive data.
  - 9. The method of claim 7, wherein:
    - the user credential information stored at the at least one server system comprises user identification and user password.
  - 10. The method of claim 7, wherein:
    - the network interface controller is capable of establishing, at least in part, during the operation of the computer system, a secure communication channel between the computer system and the at least one server system.
  - 11. The method of claim 7, wherein:
    - at least one server system comprises a plurality of servers.
  - 12. The method of claim 7, wherein:
    - the computer system comprises;
      
      a mobile computer;
      
      a personal digital assistant computing system;
      
      a cellular telephone computing system; and
      
      /ora multiprocessor computing system.

13. Non-transitory machine-readable storage medium storing program instructions to be executed, at least in part, by at least one multicore processor of a computer system, the computer system being capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system also comprising at least one storage drive that comprises flash storage and/or disk storage, the at least one storage drive being to store drive data that is capable of comprising user data and an operating system (OS), the program instructions when executed, at least in part, by the at least one multicore processor resulting in the computer system being capable of performing operations comprising:
- using a network interface controller of the computer system to communicate with the at least one server system via the Internet network;
  
  fully encrypting the user data and the OS in the at least one storage drive; and
  
  after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
  
  wherein, when the computer system is in the operation;
  
  the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
  
  the single-sign-on user authentication process comprises;
  
  prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to;
  
  authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
  
  obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
  
  the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part upon, the successful completion of the single-sign-on user authentication process;
  
  the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
  
  the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The machine-readable storage medium of claim 13, wherein:
    - the at least one server system is capable of supplying other data that is capable of being used to decrypt, at least in part, the drive data.
  - 15. The machine-readable storage medium of claim 13, wherein:
    - the user credential information stored at the at least one server system comprises user identification and user password.
  - 16. The machine-readable storage medium of claim 13, wherein:
    - the network interface controller is capable of establishing, at least in part, during the operation of the computer system, a secure communication channel between the computer system and the at least one server system.
  - 17. The machine-readable storage medium of claim 13, wherein:
    - at least one server system comprises a plurality of servers.
  - 18. The machine-readable storage medium of claim 13, wherein:
    - the computer system comprises;
      
      a mobile computer;
      
      a personal digital assistant computing system;
      
      a cellular telephone computing system; and
      
      /ora multiprocessor computing system.

19. A computer system that is capable, when the computer system is in operation, of communicating with at least one server system via an Internet network, the computer system comprising:
- a network interface controller means for use in communicating, when the computer system is in the operation, with the at least one server system via the Internet network;
  
  at least one storage drive means comprising flash storage and/or disk storage, the at least one storage drive means being for storing drive data that is capable of comprising user data and an operating system (OS); and
  
  at least one multicore processor means that is capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the at least one processor means resulting in performance of operations comprising;
  
  fully encrypting the user data and the OS in the at least one storage drive means; and
  
  after successful completion of a single-sign-on user authentication process, decrypting, at least in part, at least one portion of the drive data so as to permit, at least in part, booting of the OS at the computer system;
  
  wherein, when the computer system is in the operation;
  
  the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the at least one server system and the OS;
  
  the single-sign-on user authentication process comprises;
  
  prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of at least one user authentication credential that is capable of being used by the module to;
  
  authenticate, at least in part, the user of the computer system to the at least one server system based, at least in part, upon whether the at least one user authentication credential corresponds, at least in part, to user credential information stored at the at least one server system; and
  
  obtain, at least in part, permission from the at least one server system to access at least one service that is capable of being provided, at least in part, by the at least one server system;
  
  the computer system is to store at least one key that is capable of being rendered accessible, at least in part, for use in association with the encrypting and/or decrypting based, at least in part upon, the successful completion of the single-sign-on user authentication process;
  
  the at least one key comprises at least one wrap key and at least one key encryption key, the at least one wrap key being based, at least in part, upon at least one authentication parameter; and
  
  the at least one wrap key and the at least one key encryption key are to be (1) obtained prior to booting of the operating system and (2) stored and accessible in non-volatile storage of the computer system.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The computer system of claim 19, wherein:
    - the at least one server system is capable of supplying other data that is capable of being used to decrypt, at least in part, the drive data.
  - 21. The computer system of claim 19, wherein:
    - the user credential information stored at the at least one server system comprises user identification and user password.
  - 22. The computer system of claim 19, wherein:
    - the network interface controller means is capable of establishing, at least in part, during the operation of the computer system, a secure communication channel between the computer system and the at least one server system.
  - 23. The computer system of claim 19, wherein:
    - at least one server system comprises a plurality of servers.
  - 24. The computer system of claim 19, wherein:
    - the computer system comprises;
      
      a mobile computer;
      
      a personal digital assistant computing system;
      
      a cellular telephone computing system; and
      
      /ora multiprocessor computing system.

25. A computer system that is capable, when the computer system is in operation, of communicating with one or more server systems via an Internet network, the computer system comprising:
- a network interface controller for use in communicating, when the computer system is in the operation, with the one or more server systems via the Internet network;
  
  one or more storage drives comprising flash storage and/or disk storage, the one or more storage drives being to store drive data that is capable of comprising user data and an operating system (OS); and
  
  one or more multicore processors that are capable of executing, at least in part, when the computer system is in the operation, instructions, the instructions when executed, at least in part, by the one or more processors resulting in performance of operations comprising;
  
  fully encrypting the user data and the OS in the one or more storage drives; and
  
  after successful completion of a single-sign-on user authentication process, decrypting one or more portions of the drive data so as to permit booting of the OS at the computer system;
  
  wherein, when the computer system is in the operation;
  
  the successful completion of the single-sign-on user authentication process results in authentication of a user of the computer system to both the one or more server systems and the OS;
  
  the single-sign-on user authentication process comprises;
  
  prior to the booting of the OS, generating by execution of an extensible firmware interface basic input/output system extension module of the computer system a user prompt requesting user input of one or more user authentication credentials that are capable of being used by the module to;
  
  authenticate the user of the computer system to the one or more server systems based upon whether the one or more user authentication credentials correspond, at least in part, to user credential information stored at the one or more server systems; and
  
  obtain permission from the one or more server systems to access one or more services that are capable of being provided by the one or more server systems;
  
  the computer system is to store one or more keys that are capable of being rendered accessible for use in association with the encrypting and/or decrypting based upon the successful completion of the single-sign-on user authentication process;
  
  the one or more keys comprise one or more wrap keys and one or more key encryption keys, the one or more wrap keys being based, at least in part, upon one or more authentication parameters; and
  
  the one or more wraps keys and the one or more key encryption keys are to be (1) obtained prior to booting of the operating system, and (2) stored and accessible in non-volatile storage of the computer system.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The computer system of claim 25, wherein:
    - the one or more server systems are capable of supplying other data that is capable of being used to decrypt, at least in part, the drive data.
  - 27. The computer system of claim 25, wherein:
    - the user credential information stored at the one or more server systems comprise user identification and user password.
  - 28. The computer system of claim 25, wherein:
    - the network interface controller is capable of establishing during the operation of the computer system, a secure communication channel between the computer system and the one or more server systems.
  - 29. The computer system of claim 25, wherein:
    - one or more server systems comprise a plurality of servers.
  - 30. The computer system of claim 25, wherein:
    - the computer system comprises;
      
      a mobile computer;
      
      a personal digital assistant computing system;
      
      a cellular telephone computing system; and
      
      /ora multiprocessor computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Goel, Purushottam
Primary Examiner(s)
Leung, Robert B

Application Number

US15/484,660
Publication Number

US 20170323095A1
Time in Patent Office

959 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 21/575   Secure boot

G06F 21/72   in cryptographic circuits

G06F 21/80   in storage media based on m...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2103   Challenge-response

G09G 2358/00   Arrangements for display da...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

Method and system for enterprise network single-sign-on by a manageability engine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for enterprise network single-sign-on by a manageability engine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links