Methods and apparatus for generating endorsement credentials for software-based security coprocessors

US 20060256107A1
Filed: 06/29/2005
Published: 11/16/2006
Est. Priority Date: 05/13/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

launching a virtual manufacturer authority in a protected portion of a processing system;

creating a key for the virtual manufacturer authority, wherein the key is protected by a trusted platform module (TPM) of the processing system, and the key is bound to a current state of the virtual manufacturer authority;

creating a virtual security coprocessor in the processing system;

transmitting a delegation request from the processing system to an external certificate authority (CA); and

after transmitting the delegation request, using the key to attest to trustworthiness of the virtual security coprocessor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual manufacturer authority is launched in a protected portion of a processing system. A key for the virtual manufacturer authority is created. The key is protected by a security coprocessor of the processing system, such as a trusted platform module (TPM). Also, the key is bound to a current state of the virtual manufacturer authority. A virtual security coprocessor is created in the processing system. A delegation request is transmitted from the processing system to an external processing system, such as a certificate authority (CA). After transmission of the delegation request, the key is used to attest to trustworthiness of the virtual security coprocessor. Other embodiments are described and claimed.

Citations

20 Claims

1. A method comprising:
- launching a virtual manufacturer authority in a protected portion of a processing system;
  
  creating a key for the virtual manufacturer authority, wherein the key is protected by a trusted platform module (TPM) of the processing system, and the key is bound to a current state of the virtual manufacturer authority;
  
  creating a virtual security coprocessor in the processing system;
  
  transmitting a delegation request from the processing system to an external certificate authority (CA); and
  
  after transmitting the delegation request, using the key to attest to trustworthiness of the virtual security coprocessor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, further comprising:
    - obtaining an identity credential associated with the virtual manufacturer authority; and
      
      using the identity credential to support the delegation request.
  - 3. A method according to claim 1, comprising:
    - creating an identity key for the virtual manufacturer authority;
      
      obtaining an identity credential for the identity key; and
      
      using the identity key and the identity credential to support the delegation request.
  - 4. A method according to claim 3, wherein the operation of obtaining an identity credential for the identity key comprises obtaining the identity credential from a privacy CA.
  - 5. A method according to claim 1, wherein the processing system comprises a first processing system, the method comprising:
    - obtaining, from a second processing system, an identity credential for an identity key;
      
      creating a signing key for the virtual manufacturer authority; and
      
      using the identity key to certify the signing key.
  - 6. A method according to claim 1, wherein the processing system comprises a first processing system, the method comprising:
    - obtaining, from a second processing system, an identity credential for an identity key;
      
      creating a signing key for the virtual manufacturer authority;
      
      using the identity key to certify the signing key; and
      
      using the signing key to certify credentials for the virtual security coprocessor.
  - 7. A method according to claim 1, further comprising:
    - measuring the virtual manufacturer authority, wherein the current state of the virtual manufacturer authority is based at least in part on the measurement of the virtual manufacturer authority.
  - 8. A method according to claim 1, further comprising:
    - measuring the virtual manufacturer authority; and
      
      before transmitting the delegation request to the external CA, extending data stored in the TPM to reflect the measurement of the virtual manufacturer authority.
  - 9. A method according to claim 1, further comprising:
    - measuring the virtual manufacturer authority; and
      
      before creating a key for the virtual manufacturer authority, extending data stored in the TPM to reflect the measurement of the virtual manufacturer authority.

10. An apparatus comprising:
- a machine accessible medium; and
  
  instructions encoded in the machine accessible medium, wherein the instructions, when executed by a processing system having a hardware trusted platform module (TPM), cause the processing system to perform operations comprising;
  
  launching a virtual manufacturer authority in a protected portion of the processing system;
  
  creating a key for the virtual manufacturer authority, wherein the key is protected by the TPM, and the key is bound to a current state of the virtual manufacturer authority;
  
  creating a virtual security coprocessor in the processing system;
  
  transmitting a delegation request from the processing system to an external certificate authority (CA); and
  
  after transmitting the delegation request, using the key to attest to trustworthiness of the virtual security coprocessor.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. An apparatus according to claim 10, wherein the processing system comprises a first processing system and the instructions cause the first processing system to perform operations comprising:
    - obtaining, from a second processing system, an identity credential for an identity key;
      
      creating a signing key for the virtual manufacturer authority;
      
      using the identity key to certify the signing key; and
      
      using the signing key to certify credentials for the virtual security coprocessor.
  - 12. An apparatus according to claim 10, wherein the instructions cause the processing system to perform operations comprising:
    - obtaining an identity credential associated with the virtual manufacturer authority; and
      
      using the identity credential to support the delegation request.
  - 13. An apparatus according to claim 10, wherein the instructions cause the processing system to perform operations comprising:
    - creating an identity key for the virtual manufacturer authority;
      
      obtaining an identity credential for the identity key; and
      
      using the identity key and the identity credential to support the delegation request.
  - 14. An apparatus according to claim 13, wherein the operation of obtaining an identity credential for the identity key comprises obtaining the identity credential from a privacy CA.
  - 15. An apparatus according to claim 13, wherein the instructions cause the processing system to perform operations comprising:
    - obtaining, from a privacy CA, an identity credential for an identity key;
      
      creating a signing key for the virtual manufacturer authority; and
      
      using the identity key to certify the signing key.
  - 16. An apparatus according to claim 13, wherein the processing system comprises a first processing system, the method comprising:
    - obtaining, from a second processing system, an identity credential for an identity key;
      
      creating a signing key for the virtual manufacturer authority;
      
      using the identity key to certify the signing key; and
      
      using the signing key to certify credentials for the virtual security coprocessor.
  - 17. An apparatus according to claim 13, further comprising:
    - measuring the virtual manufacturer authority; and
      
      before transmitting the delegation request to the external CA, extending data stored in the TPM to reflect the measurement of the virtual manufacturer authority.

18. A processing system comprising:
- a processor;
  
  a security coprocessor communicatively coupled to the processor;
  
  a machine accessible medium communicatively coupled to the processor; and
  
  instructions in the machine accessible medium, wherein the instructions, when executed, cause the processing system to perform operations comprising;
  
  launching a virtual manufacturer authority in a protected portion of the processing system;
  
  creating a key for the virtual manufacturer authority, wherein the key is protected by the security coprocessor, and the key is bound to a current state of the virtual manufacturer authority;
  
  creating a virtual security coprocessor in the processing system;
  
  transmitting a delegation request from the processing system to an external processing system; and
  
  after transmitting the delegation request, using the key to attest to trustworthiness of the virtual security coprocessor.
- View Dependent Claims (19, 20)
- - 19. A processing system according to claim 18, wherein the instructions cause the processing system to perform operations comprising:
    - obtaining, from a second processing system, an identity credential for an identity key;
      
      creating a signing key for the virtual manufacturer authority;
      
      using the identity key to certify the signing key; and
      
      using the signing key to certify credentials for the virtual security coprocessor.
  - 20. An apparatus according to claim 18, wherein:
    - the security coprocessor comprises as trusted platform module (TPM); and
      
      the instructions cause the processing system to perform operations comprising;
      
      measuring the virtual manufacturer authority; and
      
      before transmitting the delegation request to the external processing system, extending data stored in the TPM to reflect the measurement of the virtual manufacturer authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Scarlata, Vincent R., Wiseman, Willard M.

Granted Patent

US 7,571,312 B2
Time in Patent Office

Days
Field of Search
US Class Current

345/418
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/57 Certifying or maintaining t...

Methods and apparatus for generating endorsement credentials for software-based security coprocessors

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for generating endorsement credentials for software-based security coprocessors

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links