Trusted execution of an executable object on a local device

US 10,678,908 B2
Filed: 12/21/2013
Issued: 06/09/2020
Est. Priority Date: 09/27/2013
Status: Active Grant

First Claim

Patent Images

1. An electronic client device, comprising:

an enclave;

at least one processor;

at least one memory;

at least one driver, wherein the electronic client device is configured to;

obtain an authentication signing key from an attestation server;

store the authentication signing key in the enclave, wherein the authentication signing key verifies the identity of the enclave;

acquire, after storing the authentication signing key, authentication data for an authorized user;

store the authentication data in the enclave;

acquire identification data for a potential user;

compare, by locally executing, with the processor, a biometric algorithm in the enclave, the identification data to the authentication data to determine if the potential user is the authorized user; and

send results of the comparison and the authentication signing key to an authentication server.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example embodiment, an electronic device is provided and configured to: acquire authentication data for an authorized user; store the authentication data in an enclave; acquire identification data for a potential user; and compare, in the enclave, the identification data to the authentication data for recognizing if the potential user is the authorized user. In another embodiment, a server is provided and includes at least one processor; at least one memory; at least one driver, where the server is configured to: receive assertion data from an electronic device, where the assertion includes an authentication signing key and results from a comparison of acquired data and reference data; and determine if the assertion data is valid by: comparing the results to a threshold; and comparing the authentication signing key to an authentication signing key assigned to the electronic device.

22 Citations

View as Search Results

17 Claims

1. An electronic client device, comprising:
- an enclave;
  
  at least one processor;
  
  at least one memory;
  
  at least one driver, wherein the electronic client device is configured to;
  
  obtain an authentication signing key from an attestation server;
  
  store the authentication signing key in the enclave, wherein the authentication signing key verifies the identity of the enclave;
  
  acquire, after storing the authentication signing key, authentication data for an authorized user;
  
  store the authentication data in the enclave;
  
  acquire identification data for a potential user;
  
  compare, by locally executing, with the processor, a biometric algorithm in the enclave, the identification data to the authentication data to determine if the potential user is the authorized user; and
  
  send results of the comparison and the authentication signing key to an authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The electronic client device of claim 1, wherein the electronic client device is further configured to:
    - generate an assertion claim for the potential user using a claim building algorithm.
  - 3. The electronic client device of claim 1, wherein the results of the comparison are encrypted.
  - 4. The electronic client device of claim 1, wherein the results of the comparison are encrypted and stored in an untrusted memory that is separate from the enclave.
  - 5. The electronic client device of claim 1, wherein the identification data is biometric data.
  - 6. The electronic client device of claim 1, wherein the identification data is acquired outside of the enclave and a trusted services application program interface is used to bring the identification data into the enclave.
  - 7. The electronic client device of claim 1, wherein the electronic client device is further configured to:
    - access a secure application based on the results of the comparison.
  - 8. The electronic client device of claim 1, wherein the enclave operates in a trusted execution environment.
  - 9. The electronic client device of claim 1, wherein the enclave is a protected region of memory that is accessible through a trusted services application program interface.
  - 10. The electronic client device of claim 1, wherein the identification data is acquired by a hardware sensor.

11. One or more non-transitory computer readable medium having instructions stored thereon, the instructions, when executed by a processor, cause the processor to:
- obtain an authentication signing key from an attestation server;
  
  store the authentication signing key in the enclave, wherein the authentication signing key verifies the identity of the enclave;
  
  acquire, after storing the authentication signing key, authentication data for an authorized user;
  
  store the authentication data in an enclave on an electronic client device;
  
  acquire identification data for a potential user; and
  
  compare, by locally executing a biometric algorithm in the enclave, the identification data to the authentication data to determine if the potential user is the authorized user; and
  
  send results of the comparison and the authentication signing key to an authentication server.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The medium of claim 11, further including instructions that, when executed by the processor, cause the processor to:
    - generate an assertion claim for the potential user using a claim building algorithm.
  - 13. The medium of claim 11, wherein results of the comparison are encrypted and stored in an untrusted memory that is separate from the enclave.
  - 14. The medium of claim 11, wherein the identification data is biometric data.
  - 15. The medium of claim 11, wherein the identification data is acquired outside of the enclave and a trusted services application program interface is used to bring the identification data into the enclave.
  - 16. The medium of claim 11, further including instructions that, when executed by the processor, cause the processor to:
    - access a secure application based on results of the comparison.
  - 17. The medium of claim 11, wherein the enclave is a trusted execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Grobman, Steve, Woodward, Carl, Beaney, Jr., James D., Raynor, Jimmy Scott
Primary Examiner(s)
Harris, Christopher C

Application Number

US14/913,805
Publication Number

US 20170039368A1
Time in Patent Office

2,362 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/53   by executing in a restricte...

G06F 21/74   operating in dual or compar...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/0861   using biometrical features,...

H04L 63/0884   by delegation of authentica...

H04W 12/06   Authentication

H04W 12/37   Managing security policies ...

Trusted execution of an executable object on a local device

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted execution of an executable object on a local device

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links