System and method for combining user and platform authentication in negotiated channel security protocols
Abstract
A security protocol for combining user and platform authentication. The security protocol includes a first handshake phase to issue attestation identity credentials, and a second handshake phase to authenticate based on the attestation identity credentials issued in the first handshake phase. The security protocol also includes a session resumption phase to resume a previous session.
47 Claims
1. A security protocol method comprising:
simultaneously authenticating multiple facets of an endpoint;
combining the multiple facets of the endpoint with a pre-master secret;
cryptographically hashing a platform configuration;
mixing the cryptographically hashed platform configuration with the pre-master secret via hash to generate a master secret; and
encrypting the master secret to authenticate a negotiated channel.
Dependent claims: 2 to 15.

16. A security protocol comprising:
a first handshake phase to issue attestation identity credentials; and
a second handshake phase to authenticate based on the attestation identity credentials issued in the first handshake phase.
Dependent claims: 17 to 24.

25. A network security handshake exchange method comprising:
receiving a pre-master secret, wherein the pre-master secret contains a nonce generated by a server, the pre-master secret including server platform configuration data in the form of a server stored measurement log;
augmenting the pre-master secret with a hash of server platform configuration register values;
modifying the server platform configuration register values to incorporate a handshake state by measuring the pre-master secret into the server platform configuration register values;
authenticating the modified pre-master secret by digitally signing the modified pre-master secret with a server platform identity key and a server user identity key; and
sending a first message to a client, wherein the message comprises the pre-master secret, the modified pre-master secret, the modified pre-master secret digitally signed with the server platform identity key and the modified pre-master secret digitally signed with the server user identity key.
Dependent claims: 26 to 28.

29. A network security handshake exchange method comprising:
receiving a first message from a server, the first message comprising a server modified pre-master secret;
augmenting the server modified pre-master secret with a hash of client platform configuration register values;
modifying the client platform configuration register values to incorporate a handshake state by measuring the server modified pre-master secret into the server platform configuration register values, wherein modifying the client platform configuration results in a master secret;
digitally signing the master secret with a client user key and a client platform key; and
sending a second message to the server, wherein the second message comprises the master secret, the master secret digitally signed with the client platform identity key and the master secret digitally signed with the client user identity key.
Dependent claims: 30 to 32.

33. An article comprising:
a storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provide for simultaneously authenticating multiple facets of an endpoint;
combining the multiple facets of the endpoint with a pre-master secret;
cryptographically hashing a platform configuration;
mixing the cryptographically hashed platform configuration with the pre-master secret via hash to generate a master secret; and
encrypting the master secret to authenticate a negotiated channel.
Dependent claims: 34 to 47.
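The following is an added illustration of the exchange in claims 25 and 29, written for this page and not taken from the patent or any implementation of it. It models the two "facets" of claim 1 (platform identity key and user identity key) signing the same handshake value, the hash of platform configuration register values being mixed into the pre-master secret via hash, and the handshake state being measured (extended) into a register. Everything concrete is an assumption: SHA-256 as the measurement and mixing hash, a 24-register TPM-style bank, register 16 for handshake state, HMAC as a stand-in for the asymmetric signatures, constructed measurement-log entries, and a known-good reference copy of the client's boot log held by the server.

```python
"""Added example (not the patent's own code): the handshake of claims 25 and 29.
Platform configuration (PCR values) is hashed and mixed into the pre-master secret,
the handshake state is measured into a PCR, and the result is signed with both a
platform identity key and a user identity key (the two 'facets' of claim 1)."""
import hashlib
import hmac
import os

NUM_PCRS = 24            # assumption: TPM-style bank of 24 registers
HANDSHAKE_PCR = 16       # assumption: register that records handshake state
H = hashlib.sha256       # assumption: SHA-256 for measurements and mixing
DIGEST = 32


def pcr_extend(pcrs, index, data):
    """TPM-style extend: PCR[i] = H(PCR[i] || H(data)). One-way and order-dependent."""
    pcrs[index] = H(pcrs[index] + H(data).digest()).digest()


def pcr_hash(pcrs):
    """'Hash of platform configuration register values': one digest over the bank."""
    return H(b"".join(pcrs)).digest()


def sign(key, msg):
    """Stand-in for an identity-key signature; HMAC so the example runs on the standard
    library only. A real deployment uses asymmetric platform (attestation) and user keys."""
    return hmac.new(key, msg, H).digest()


def verify(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)


class Endpoint:
    """A party with a platform key, a user key, a PCR bank and a stored measurement log."""
    def __init__(self, boot_log):
        self.platform_key = os.urandom(32)
        self.user_key = os.urandom(32)
        self.log = list(boot_log)                  # constructed SML entries
        self.pcrs = [bytes(DIGEST)] * NUM_PCRS     # reset bank: all zeros
        for entry in self.log:                     # boot measurements land in PCR 0
            pcr_extend(self.pcrs, 0, entry)


def server_hello(server):
    """Claim 25, server side; message 1 of the exchange."""
    pms = os.urandom(32) + b"".join(server.log)        # nonce + stored measurement log
    pms_mod = pms + pcr_hash(server.pcrs)              # augment with hash of server PCRs
    pcr_extend(server.pcrs, HANDSHAKE_PCR, pms)        # measure the PMS into a server PCR
    return {"pms": pms, "pms_mod": pms_mod,
            "sig_platform": sign(server.platform_key, pms_mod),
            "sig_user": sign(server.user_key, pms_mod)}


def client_response(client, msg1, server_platform_key, server_user_key):
    """Claim 29, client side; message 2. Both server facets are checked before anything
    it sent is used (the verification step is this example's addition)."""
    pms_mod = msg1["pms_mod"]
    if not (verify(server_platform_key, pms_mod, msg1["sig_platform"])
            and verify(server_user_key, pms_mod, msg1["sig_user"])):
        raise ValueError("server platform or user authentication failed")
    master = H(pms_mod + pcr_hash(client.pcrs)).digest()   # mix in client PCR hash via hash
    pcr_extend(client.pcrs, HANDSHAKE_PCR, pms_mod)        # record handshake state
    return {"master": master,
            "sig_platform": sign(client.platform_key, master),
            "sig_user": sign(client.user_key, master)}


def server_finish(msg1, msg2, client_platform_key, client_user_key, expected_client_pcr_hash):
    """Server checks both client facets and that the master secret was derived from the
    platform configuration it expects (a known-good reference, assumed to be provisioned)."""
    master = msg2["master"]
    if not (verify(client_platform_key, master, msg2["sig_platform"])
            and verify(client_user_key, master, msg2["sig_user"])):
        raise ValueError("client platform or user authentication failed")
    expected = H(msg1["pms_mod"] + expected_client_pcr_hash).digest()
    if not hmac.compare_digest(master, expected):
        raise ValueError("client platform configuration does not match reference")
    return master


def run_handshake(client_boot_log, reference_boot_log):
    """Whole exchange. Returns the agreed master secret or raises ValueError."""
    server = Endpoint([b"server-bios-v1", b"server-os-v1"])
    client = Endpoint(client_boot_log)
    reference = Endpoint(reference_boot_log)       # server's known-good view of the client
    msg1 = server_hello(server)
    msg2 = client_response(client, msg1, server.platform_key, server.user_key)
    return server_finish(msg1, msg2, client.platform_key, client.user_key,
                         pcr_hash(reference.pcrs))


if __name__ == "__main__":
    good = [b"client-bios-v1", b"client-os-v1"]
    print("agreed master secret:", run_handshake(good, good).hex())
    try:
        run_handshake(good + [b"unexpected-kernel-module"], good)
    except ValueError as e:
        print("rejected:", e)
```

Running it shows the property the claims are after: a client whose boot log (and therefore PCR bank) differs from the server's reference derives a different master secret and is rejected even though its user and platform keys are valid, so user identity, platform identity and platform state are all bound into one channel key. Two points follow the claim wording rather than deployment practice: message 2 carries the master secret itself, where a deployed protocol would send a key-confirmation value derived from it, and the server's reference PCR hash is assumed to be provisioned out of band.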