Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel

US 20070154014A1
Filed: 12/30/2005
Published: 07/05/2007
Est. Priority Date: 12/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a connection on a mobile computing device, comprising:

generating a secret, wherein the secret is generated on a trusted platform;

transporting the secret to a secure channel application, the secure channel application for establishing a trusted local communication channel between the trusted platform and a SIM(subscriber identity module)/Smartcard;

receiving the secret directly into the SIM/Smartcard; and

providing the secret to a secure channel applet on the SIM/Smartcard, the secure channel applet for establishing the trusted local communication channel between the SIM/Smartcard and the trusted platform, wherein the secret is shared by the trusted platform and the SIM/Smartcard.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for establishing a trusted connection on a mobile computing device. A shared secret is generated on a trusted platform of the mobile computing device. The shared secret is transported to a secure channel application. The secure channel application establishes a secure local communication channel between the trusted platform and a SIM (subscriber identity module)/Smartcard on the mobile computing device. The shared secret is received by the SlM/Smartcard. In one embodiment, the mobile computing device includes a GSM (Global Systems for Mobile Communications) 03.48 application that sends the shared secret to a GSM 03.48 network infrastructure for storage, management, and verification by the GSM 03.48 network infrastructure, and in turn sends the shared secret to the SIM/Smartcard on the mobile computing device. In an alternative embodiment, a Diffie-Hellman key exchange is performed by the trusted platform to send the shared secret to the SIM/Smartcard. The shared secret, after being received by the SlM/Smartcard, is provided to a secure channel applet on the SIM/Smartcard. The secure channel applet establishes the local communication channel between the SlM/Smartcard and the trusted platform. Once the secure channel application on the trusted platform and the secure channel applet on the SIM/Smartcard both have the shared secret, a transport layer security (TLS)-based handshake can take place to establish the secure local communication channel.

Citations

39 Claims

1. A method for establishing a connection on a mobile computing device, comprising:
- generating a secret, wherein the secret is generated on a trusted platform;
  
  transporting the secret to a secure channel application, the secure channel application for establishing a trusted local communication channel between the trusted platform and a SIM(subscriber identity module)/Smartcard;
  
  receiving the secret directly into the SIM/Smartcard; and
  
  providing the secret to a secure channel applet on the SIM/Smartcard, the secure channel applet for establishing the trusted local communication channel between the SIM/Smartcard and the trusted platform, wherein the secret is shared by the trusted platform and the SIM/Smartcard.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein prior to transporting the secret to a secure channel application and to a mobile application, the method comprises transporting the secret into a trusted container on the trusted platform and sealing the trusted container.
  - 3. The method of claim 2, wherein the trusted container is sealed by a Trusted Platform Module (TPM).
  - 4. The method of claim 1, wherein prior to providing the secret to a secure channel applet, the method comprises transporting the secret into a trusted container on the SIM/Smartcard and sealing the trusted container.
  - 5. The method of claim 1, wherein prior to receiving the secret directly into the SIM/Smartcard, the method comprises:
    - transporting the secret to a mobile communications application to enable the secret to be transferred to a mobile service provider operating a mobile communication network on which the mobile computing device operates, the mobile service provider to store, manage, and verify the secret.
  - 6. The method of claim 5, wherein the mobile communications application comprises a GSM (Global Systems for Mobile Communications) 03.48 application and the mobile communication network comprises a GSM network infrastructure.
  - 7. The method of claim 5, wherein the SIM/Smartcard receives the secret directly from the mobile service provider.
  - 8. The method of claim 1, wherein the SIM/Smartcard receives the secret directly from the trusted platform using a Diffie-Hellman key exchange.
  - 9. The method of claim 8, wherein prior to providing the secret to a secure channel applet, the method comprises transporting the secret to a mobile communications applet on the SIM/Smartcard and sending, via the mobile communications applet, the secret to a mobile service provider operating a mobile communication network on which the mobile computing device operates, the mobile service provider to store, manage, and verify the secret.
  - 10. The method of claim 9, wherein the mobile communications applet is a GSM (Global Systems for Mobile Communications) 03.48 applet and the mobile communications network comprises a GSM network infrastructure.
  - 11. The method of claim 1, wherein the secret comprises a concatenation of a high-entropy random number, a key derived from a specific measure of a platform state of the trusted platform, a key that anonymously represents an identity of the trusted platform, and a time/date stamp.
  - 12. The method of claim 11, wherein the high-entropy random number comprises a random number generated by a hardware-based true random-number generator.
  - 13. The method of claim 11, wherein the key derived from a specific measure of the platform state of the trusted platform comprises a key derived from one of hardware, software, or firmware.
  - 14. The method of claim 11, wherein the key that anonymously represents an identity of the trusted platform comprises a key derived from one of hardware, software, or firmware.
  - 15. The method of claim 11, wherein the key that anonymously represents an identity of the trusted platform comprises a key derived from an attestation identity key.
  - 16. The method of claim 1, wherein the secret is generated using a Trusted Platform Module (TPM).
  - 17. The method of claim 1, wherein when the Trusted Platform and the SIM/Smartcard both have the secret, the method further comprising performing a transport layer security (TLS)-based handshake to establish the secure trusted local communication channel.
  - 18. The method of claim 1, further comprising generating a new secret when a new session begins.

19. A system for establishing a connection on a mobile computing device, comprising:
- a computing device, the computing device having a Trusted platform architecture with a Trusted Partition, the Trusted Partition comprising a trusted key generator to generate a secret, a trusted storage to store the secret, a secure channel application to establish a secure local communication channel between the Trusted Partition and a SIM(subscriber identity module)/Smartcard card on the computing device, and an application to enable the secret to be passed to the SIM/Smartcard to establish trust between the SIM/Smartcard and the Trusted Partition;
  
  wherein when the Trusted Partition and the SIM/Smartcard both possess the secret, the occurrence of a transport layer security (TLS)-based handshake establishes a secure local channel.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19, wherein the application for enabling the secret to be passed to the SIM/Smartcard comprises a GSM (Global System for Mobile Communications) 03.48 application to transfer the secret to a GSM network infrastructure for storage, management, and verification by the GSM network infrastructure.
  - 21. The system of claim 19, wherein the application for enabling the secret to be passed to the SIM/Smartcard comprises a Diffie-Hellman key exchange application that when executed enables the secret to be passed to the SIM card.
  - 22. The system of claim 19, wherein the SIM/Smartcard comprises a GSM 03.48 applet to receive the secret from a GSM network infrastructure, a trusted storage to store the secret, and a secure channel applet to establish the secure local channel, wherein when the secure channel applet receives the secret, the trust is established to enable the performance of the TLS-based handshake.

23. An article comprising:
- a storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provide for generating a secret, wherein the secret is generated on a trusted platform;
  
  transporting the secret to a secure channel application, the secure channel application for establishing a trusted local communication channel between the trusted platform and a SIM(subscriber identity module)/Smartcard;
  
  receiving the secret directly into the SIM/Smartcard; and
  
  providing the secret to a secure channel applet on the SIM/Smartcard, the secure channel applet for establishing the trusted local communication channel between the SIM/Smartcard and the trusted platform, wherein the secret is shared by the trusted platform and the SIM/Smartcard.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 24. The article of claim 23, wherein prior to instructions for transporting the secret to a secure channel application and to a mobile application, the instructions provide for transporting the secret into a trusted container on the trusted platform and sealing the trusted container.
  - 25. The article of claim 24, wherein the trusted container is sealed by a Trusted Platform Module (TPM).
  - 26. The article of claim 23, wherein prior to instructions for providing the secret to a secure channel applet, the instructions provide for transporting the secret into a trusted container on the SIM/Smartcard and sealing the trusted container.
  - 27. The article of claim 23, wherein prior to instructions for receiving the secret directly into the SIM/Smartcard, the instructions further provide for:
    - transporting the secret to a mobile communications application to enable the secret to be transferred to a mobile service provider operating a mobile communication network on which the mobile computing device operates, the mobile service provider to store, manage, and verify the secret.
  - 28. The article of claim 27, wherein the mobile communications application comprises a GSM (Global Systems for Mobile Communications) 03.48 application and the mobile communication network comprises a GSM network infrastructure.
  - 29. The article of claim 27, wherein the SIM/Smartcard receives the secret directly from the mobile service provider.
  - 30. The article of claim 23, wherein the SIM/Smartcard receives the secret directly from the trusted platform using a Diffie-Hellman key exchange.
  - 31. The article of claim 30, wherein prior to instructions for providing the secret to a secure channel applet, the instructions provide for transporting the secret to a mobile communications applet on the SIM/Smartcard and sending, via the mobile communications applet, the secret to a mobile service provider operating a mobile communication network on which the mobile computing device operates, the mobile service provider to store, manage, and verify the secret.
  - 32. The article of claim 31, wherein the mobile communications applet is a GSM (Global Systems for Mobile Communications) 03.48 applet and the mobile communications network comprises a GSM network infrastructure.
  - 33. The article of claim 23, wherein the secret comprises a concatenation of a high-entropy random number, a key derived from a specific measure of a platform state of the trusted platform, a key that anonymously represents an identity of the trusted platform, and a time/date stamp.
  - 34. The article of claim 33, wherein the high-entropy random number comprises a random number generated by a hardware-based true random-number generator.
  - 35. The article of claim 33, wherein the key derived from a specific measure of the platform state of the trusted platform comprises a key derived from one of hardware, software, or firmware.
  - 36. The article of claim 33, wherein the key that anonymously represents an identity of the trusted platform comprises a key derived from one of hardware, software, or firmware.
  - 37. The article of claim 33, wherein the key that anonymously represents an identity of the trusted platform comprises a key derived from an attestation identity key.
  - 38. The article of claim 23, wherein the secret is generated using a Trusted Platform Module (TPM).
  - 39. The article of claim 23, wherein when the Trusted Platform and the SIM/Smartcard both have the secret, the instructions further providing for performing a transport layer security (TLS)-based handshake to establish the trusted local communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Aissi, Selim, Matasar, Benjamin, Abhinkar, Sameer, Dharmadhikari, Abhay, Yelamanchi, Mrudula, Bajikar, Sundeep, Blum, Scott, Dashevsky, Jane

Granted Patent

US 8,027,472 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/249
CPC Class Codes

G06F 21/445   by mutual authentication, e...

H04L 2209/127   Trusted platform modules [TPM]

H04L 2209/80   Wireless

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 9/0844   with user authentication or...

H04L 9/3234   involving additional secure...

Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links