Attestation using both fixed token and portable token
Abstract
Methods, apparatus and machine readable medium are described for creating and using protected key blobs that require a particular portable token be present before use of the key or keys of the protected key blob is granted. Such protected key blobs may be used to establish a level of trust between a local user and the computing device.
31 Claims
1. A method comprising
requesting a fixed token to create a sealed key blob comprising a first key pair and first usage authorization data, knowledge of which is required in order to use a private key of the first key pair, and requesting a portable token to create a protected key blob comprising the sealed key blob and second usage authorization data, knowledge of which is required in order to obtain the sealed key blob from the protected key blob.
14. A machine-readable medium comprising a plurality of instructions that, in response to being executed, result in a processor
requesting a portable token to provide a sealed key blob from a protected key blob that comprises usage authorization data, providing the portable token with an authentication code that is based upon usage authorization data that the processor has for the protected key blob, and receiving the sealed key blob from the portable token only if the authentication code indicates that the usage authorization data of the processor has a predetermined relationship to the authorization data of the protected key blob.
23. A computing device, comprising
a fixed token comprising a first processing unit and first protected storage, the first processing unit to load a first key pair of a sealed key blob into the first protected storage in response to determining that a first authentication code has a predetermined relationship to first usage authorization data of the sealed key blob, a portable token comprising a second processing unit and second protected storage, the second processing unit to return the sealed key blob from a protected key blob in response to determining that a second authentication code has a predetermined relationship to second usage authorization data of the protected key blob, a portable token interface that enables the portable token to be coupled to and removed from the computing device, a processor to provide the portable token with a request for the sealed key blob that comprises the protected key blob and the second authentication code and to provide the fixed token with a request to load the first key pair that comprises the sealed key blob and the first authentication code.
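The two-layer blob scheme the claims describe, as an added simulation in Python (not code from the patent): a fixed token seals a key pair under first usage authorization data, a portable token wraps that sealed blob under second usage authorization data, and each token releases its contents only when the host's authentication code matches the authorization data stored in the blob. Token root secrets, the toy keystream cipher, the HMAC authentication code and the constructed key-pair bytes are all assumptions of the simulation; returning the key pair to the caller stands in for the fixed token loading it into its own protected storage.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream cipher so the simulation is stdlib-only; a real token
    # would use authenticated encryption inside its protected storage.
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def auth_code(usage_auth: bytes, challenge: bytes) -> bytes:
    # Authentication code the host derives from the usage authorization data
    # it holds; the token recomputes it from the data stored in the blob.
    return hmac.new(usage_auth, challenge, hashlib.sha256).digest()

class Token:
    """Fixed or portable token; the root secret never leaves the token."""
    def __init__(self):
        self._root, self._challenge = os.urandom(32), None
    def challenge(self) -> bytes:
        self._challenge = os.urandom(16)  # fresh nonce per request stops code replay
        return self._challenge
    def seal(self, payload: bytes, usage_auth: bytes) -> bytes:
        # Blob = nonce || Enc(len(auth) || auth || payload) || MAC over both.
        nonce = os.urandom(16)
        body = _xor_stream(self._root, nonce, bytes([len(usage_auth)]) + usage_auth + payload)
        return nonce + body + hmac.new(self._root, nonce + body, hashlib.sha256).digest()
    def unseal(self, blob: bytes, code: bytes):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        want = hmac.new(self._root, nonce + body, hashlib.sha256).digest()
        if self._challenge is None or not hmac.compare_digest(tag, want):
            return None  # no challenge issued, or blob was not sealed by this token
        plain = _xor_stream(self._root, nonce, body)
        stored_auth, payload = plain[1:1 + plain[0]], plain[1 + plain[0]:]
        expected, self._challenge = auth_code(stored_auth, self._challenge), None
        return payload if hmac.compare_digest(code, expected) else None

def create_protected_blob(fixed, portable, key_pair, auth1, auth2):
    sealed = fixed.seal(key_pair, auth1)   # claim 1: fixed token seals the key pair
    return portable.seal(sealed, auth2)    # claim 1: portable token wraps the sealed blob

def recover_key_pair(fixed, portable, protected, auth1, auth2):
    # Claims 14 and 23: the portable token releases the sealed blob, then the fixed
    # token releases the key pair, each only if the host's authentication code matches.
    sealed = portable.unseal(protected, auth_code(auth2, portable.challenge()))
    if sealed is None:
        return None
    return fixed.unseal(sealed, auth_code(auth1, fixed.challenge()))
```

Removing the portable token, or presenting either usage authorization value wrongly, yields no key material at all rather than a partially unwrapped blob.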
Specification