Online trusted platform module

US 20040250126A1
Filed: 06/03/2003
Published: 12/09/2004
Est. Priority Date: 06/03/2003
Status: Active Grant

First Claim

Patent Images

1. A system for remote performance of network security functions, comprising:

an online trusted platform module (TPM) located at a client machine;

at least one application that sends commands to said online TPM; and

a security module in communication with said online TPM and located at a server machine, such that at least one command received by said online TPM from said application is proxied out to said security module for execution.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An online trusted platform module (TPM) in communication with a security module that can be located elsewhere in the network in a server machine. In an embodiment, the online TPM is connected directly to a network interface card (NIC) that is also resident at the client. This allows the online TPM to communicate directly to the network, and therefore to the security module (without having to deal with the TCP/IP stack at the client machine in some circumstances, e.g., the boot process). In an embodiment, the communications channel between the online TPM and the security module is implemented using the transport layer security (TLS) protocol. A secure boot process is performed in advance of security processing. Typical security processing includes receipt, by the online TPM, of one or more commands from an application. The online TPM then proxies out the commands to the security module. After the security module has completed its processing of the commands, results of the processing and any related status information is returned to the online TPM.

Citations

23 Claims

1. A system for remote performance of network security functions, comprising:
- an online trusted platform module (TPM) located at a client machine;
  
  at least one application that sends commands to said online TPM; and
  
  a security module in communication with said online TPM and located at a server machine, such that at least one command received by said online TPM from said application is proxied out to said security module for execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein said security module and said online TPM are connected via a communication path that employs the transport layer security (TLS) protocol.
  - 3. The system of claim 1, further comprising an untrusted software stack that contains logic for intermediate processing between said application and said online TPM.
  - 4. The system of claim 1, wherein said online TPM and said security module are compliant with a version of the Trusted Computing Platform Architecture (TCPA) Main Specification.
  - 5. The system of claim 1, wherein said security module stores cryptographic state information on behalf of said online TPM.
  - 6. The system of claim 5, wherein said security module stores all cryptographic state information on behalf of said online TPM.
  - 7. The system of claim 6, wherein said online TPM is implemented without non-volatile memory (NVM).
  - 8. The system of claim 1, wherein said security module executes commands that are proxied out from at least one additional online TPM located at least one corresponding additional client machine.
  - 9. The system of claim 1, wherein said security module and said online TPM are authenticated to each other.
  - 10. The system of claim 1, wherein said online TPM is in direct communication with a network interface device at said client machine, such that cryptographic state information can be retrieved by said online TPM from said security module via said network interface device while circumventing network protocol processing.
  - 11. The system of claim 10, wherein said network protocol processing comprises processing related to the transmission control protocol/internet protocol (TCP/IP).
  - 12. The system of claim 10, wherein said online TPM and said network interface device are embodied in an ethernet controller.
  - 13. The system of claim 1, wherein the system is compatible with a version of the TCPA Main Specification.
  - 14. The system of claim 1, wherein said security module is implemented in hardware.
  - 15. The system of claim 1, wherein said security module comprises logic implemented in software.
  - 16. The system of claim 15, wherein said software is upgradable independent of said client.
  - 17. The system of claim 1, wherein said security module is incorporated in a server.

18. A method of proxying a command in a network security system, from an online trusted platform module (TPM) in a client machine to a security module at a server machine, comprising the steps of:
- (a) receiving the command from an application;
  
  (b) sending the command to the security module; and
  
  (c) receiving result and status data from the security module.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein steps (b) and (c) are performed via a communications path that employs the transport layer security (TLS) protocol.
  - 20. The method of claim 18, further comprising the step of:
    - (d) performing a boot sequence, performed prior to step (a).

21. The method of step 20, wherein step (d) comprises:
- (i) executing a block of basic input output system (BIOS) code; and
  
  (ii) performing integrity measurements.

22. The method of step 21, wherein step (i) comprises retrieval of cryptographic state information from the security module.
- View Dependent Claims (23)
- - 23. The method of claim 22, wherein said retrieval of cryptographic state information is performed via a direct connection between the online TPM and a network interface device at the client machine while circumventing network protocol processing at the client machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Dubey, Pradeep, Buer, Mark

Granted Patent

US 8,086,844 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/629   to features or functions of...

G06F 2221/2107   File encryption

G06F 2221/2153   Using hardware token as a s...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

Online trusted platform module

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Online trusted platform module

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links