Shared cryptographic key in networks with an embedded agent
Abstract
Methods and apparatuses associated with sharing cryptographic keys in a network domain. An embedded agent on a network endpoint participates in the distribution of cryptographic keys. In one embodiment the embedded agent receives and stores a shared symmetric key, as do embedded agents on other network endpoints in the same network domain. The embedded agent causes the shared key to be stored in a secure storage not directly accessible by the host. When the host wants to transmit enciphered data, the embedded agent may provide access to cryptographic services. The embedded agent provides isolation of the shared key from parts of the host that are subject to compromise by attack or infection.
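As an added illustration, not part of the patent text, the following Python model shows the arrangement the abstract and claim 1 describe: a key server provisions the shared symmetric key to the embedded agents only, the host merely relays a challenge to its agent and the agent's answer back to the server, and access to the flow is granted only when that answer verifies. The class and function names are mine, and the HMAC challenge-response and the set of outstanding challenges are assumptions, since the page specifies neither the authentication mechanism nor the cipher.

```python
import hashlib, hmac, secrets
class EmbeddedAgent:
    """Models the claimed embedded agent: the only object that holds the key."""
    def __init__(self) -> None:
        self._secure_storage = None  # stands in for memory the host cannot read

    def provision(self, key: bytes) -> None:
        # The key arrives over the agent's own link, never through the host.
        self._secure_storage = key

    def respond(self, challenge: bytes) -> bytes:
        # Service offered to the host: proof of key possession, not the key.
        if self._secure_storage is None:
            raise RuntimeError("agent has not been provisioned")
        return hmac.new(self._secure_storage, challenge, hashlib.sha256).digest()

class KeyServer:
    """Domain authority: provisions agents and gates the encrypted traffic flow."""
    def __init__(self) -> None:
        self._domain_key = secrets.token_bytes(32)
        self._outstanding = set()  # challenges issued but not yet answered

    def provision(self, *agents: EmbeddedAgent) -> None:
        for agent in agents:
            agent.provision(self._domain_key)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def admit(self, challenge: bytes, response: bytes) -> bool:
        # Admit only for a challenge this server issued (blocks replay) and a valid MAC.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._domain_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def host_join_flow(server: KeyServer, agent: EmbeddedAgent) -> bool:
    # Host-side path: relays challenge and response, never touches the key.
    challenge = server.challenge()
    return server.admit(challenge, agent.respond(challenge))

def demo() -> tuple:
    server = KeyServer()
    trusted, sibling, rogue = EmbeddedAgent(), EmbeddedAgent(), EmbeddedAgent()
    server.provision(trusted, sibling)        # rogue never receives the domain key
    rogue.provision(secrets.token_bytes(32))  # constructed attacker-chosen key
    return tuple(host_join_flow(server, a) for a in (trusted, sibling, rogue))
```

A host object in this model holds a reference to its agent but never to the key, which is the isolation the abstract attributes to the embedded agent.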
38 Claims
1. A method comprising:
provisioning a symmetric cryptographic key across multiple clients through multiple embedded agents, each client having one of the embedded agents, one embedded agent in each client having an embedded agent to store the symmetric cryptographic key in a storage accessible to the embedded agent and not directly accessible to a host processor on the client; and
providing access to an encrypted traffic flow in a network to a client if the client is authenticated with the key.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. An apparatus comprising:
a host platform on the apparatus including a host processor;
a secure memory not visible to applications and an operating system (OS) running on the host platform; and
an embedded computational device communicatively coupled with the host platform, the embedded device to have a network link transparent to the OS, the embedded device to manage a cryptographic key shared among the apparatus and network endpoints to be used to communicate with a server over the network, to receive the cryptographic key on the transparent link and authenticate the apparatus, and to store the cryptographic key in the secure memory.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
22. A system comprising:
a host platform including a host processor;
a digital signal processor (DSP) coupled with the host platform; and
an embedded chipset including a secure key storage module to perform cryptographic key management of a shared cryptographic key with the secure key storage module and a private communication channel accessible to the chipset and not the host platform, and to access the image of the host platform on the flash to determine the integrity of the host platform, the shared cryptographic key to be used by the host platform to encipher data and other networked devices within a virtual private network.
(Dependent claims: 23, 24, 25, 26, 27, 28)
29. An article of manufacture comprising a machine accessible medium having content to provide instructions to cause a machine to perform operations including:
provisioning a symmetric cryptographic key across multiple clients through multiple embedded agents, each client having one of the embedded agents, one embedded agent in each client having an embedded agent to store the symmetric cryptographic key in a storage accessible to the embedded agent and not directly accessible to a host processor on the client; and
providing access to an encrypted traffic flow in a network to a client if the client is authenticated with the key.
(Dependent claims: 30, 32, 33, 34, 35, 36, 37, 38)
31. An article of manufacture according to claim 31, wherein the content to provide instruction to cause the machine to perform operations including providing access to the traffic flow if the client is authenticated comprises the content to provide instruction to cause the machine to perform operations including authenticating the client with the embedded agent over the network line not visible to the host OS.