Hardware platform authentication and multi-purpose validation

US 20080005798A1
Filed: 06/30/2006
Published: 01/03/2008
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method for network authentication, comprising:

authenticating a hardware platform of a device with a network authentication authority of a network of devices to produce a hardware platform network authentication, the network authentication produced independently of an operating system of the device, the hardware platform having multiple partitions that execute on the hardware platform;

validating one or more partitions of the authenticated hardware platform; and

controlling network access of the one or more partitions with the authenticated hardware platform based at least in part on a result of the validating of the partition.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses enable authentication of a hardware platform on a network. The authenticated hardware platform can validate the credentials of virtual machines executing on the hardware platform. The authentication of the hardware platform on the network enables network access to the validated virtual machines. The network access of the virtual machines is managed by the hardware platform, including allowing differentiated access based on, for example, the security posture of each virtual machine.

173 Citations

20 Claims

1. A method for network authentication, comprising:
- authenticating a hardware platform of a device with a network authentication authority of a network of devices to produce a hardware platform network authentication, the network authentication produced independently of an operating system of the device, the hardware platform having multiple partitions that execute on the hardware platform;
  
  validating one or more partitions of the authenticated hardware platform; and
  
  controlling network access of the one or more partitions with the authenticated hardware platform based at least in part on a result of the validating of the partition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein authenticating the hardware platform comprises:
    - accessing identity credentials associated with the hardware platform;
      
      presenting the identity credentials from the hardware platform to a network authentication entity; and
      
      receiving a network access assignment for the hardware platform in response to presenting the identity credentials.
  - 3. The method of claim 1, wherein validating the partition comprises:
    - validating at the authenticated hardware platform a non-primary partition that executes on the hardware platform.
  - 4. The method of claim 1, wherein validating the partition comprises:
    - presenting credentials of the partition from the partition to the authenticated hardware platform;
      
      receiving confirmation of the credentials at the partition from the hardware platform; and
      
      enabling the partition to access the network via the authentication of the hardware platform.
  - 5. The method of claim 1, wherein controlling network access of the partition with the authenticated hardware platform comprises:
    - preventing network access to the partition.
  - 6. The method of claim 1, wherein controlling network access of the partition with the authenticated hardware platform further comprises:
    - enforcing a network security policy to network access of the partition with the authenticated hardware platform.
  - 7. The method of claim 6, wherein enforcing the network security policy comprises:
    - applying access filters to a network access interface to restrict the network access of the partition.
  - 8. The method of claim 7, wherein applying the access filters to restrict the network access of the partition comprises:
    - restricting the network access of the partition based on a defect in a security posture of the partition.
  - 9. The method of claim 6, wherein enforcing the network security policy comprises:
    - determining that the partition includes an application subject to an enclave use restriction; and
      
      limiting the network access of the partition in accordance with the enclave use restriction.

10. An article of manufacture comprising a machine readable medium having content stored thereon to provide instructions to cause a device to perform operations, including:
- transmitting to a network authentication authority for authentication credentials associated with a hardware component of the device, the hardware component being a component of a hardware platform on which multiple partitions execute, the hardware component being inaccessible by a host operating system of the device, the credentials provided for authentication on behalf of multiple partitions executing on the hardware platform;
  
  receiving an authentication message and a network access assignment in response to providing the authentication credentials;
  
  validating a partition of the hardware platform with the hardware component, the validated partition to access the network with the network access assignment of the hardware component; and
  
  managing the network access of the partition with the hardware component based at least in part on a network security policy.
- View Dependent Claims (11, 12, 13)
- - 11. The article of manufacture of claim 10, wherein the content to provide instructions for transmitting the credentials associated with the hardware component comprises content to provide instructions for:
    - transmitting credentials associated with an active management technology microprocessor of the hardware platform.
  - 12. The article of manufacture of claim 10, wherein the content to provide instructions for transmitting the credentials for authentication on behalf of multiple partitions executing on the hardware platform comprises content to provide instructions for:
    - transmitting the credentials for authentication prior to provisioning the partition.
  - 13. The article of manufacture of claim 10, wherein the content to provide instructions for validating the partition of the hardware platform comprises content to provide instructions for:
    - identifying an authorization of the partition; and
      
      wherein the content to provide instructions for managing the network access of the partition with the hardware component comprises content to provide instructions for;
      
      managing the access based at least in part on the identified authorization of the partition.

14. An authentication agent comprising:
- a hardware authentication module to identify authentication credentials associated with a hardware platform of a device and present the credentials to a network authentication entity to authenticate the hardware platform on behalf of multiple partitions executing on the hardware platform; and
  
  a partition authentication module coupled to the hardware authentication module, the partition authentication module to receive credentials from the multiple partitions executing on the hardware platform and validate the partitions without presenting the partition credentials to the network authentication entity, to enable the partitions to obtain network access via an authentication of the hardware platform.
- View Dependent Claims (15, 16, 17)
- - 15. The authentication agent of claim 14, further comprising:
    - a policy enforcement point coupled to the partition authentication module, to apply a network security policy to the network access of the partitions.
  - 16. The authentication agent of claim 15, the policy enforcement point further comprising:
    - a firewall that executes out-of-band to a host operating system of the device.
  - 17. The authentication agent of claim 15, the policy enforcement point further comprising:
    - a platform connection manager to manage all network connections originating from partitions on the hardware platform.

18. A system comprising:
- a hardware platform on which to execute multiple virtual machines;
  
  an authentication agent coupled to the hardware platform, the authentication agent having a hardware authentication module to authenticate the hardware platform with a network authenticator on behalf of the virtual machines that execute on the hardware platform, and a partition authentication module to validate the virtual machines to the authentication agent, to enable the virtual machines to obtain network access via an authentication of the hardware platform;
  
  a non-volatile memory coupled to the authentication agent to store credentials associated with the hardware platform; and
  
  a network interface coupled to the hardware platform and the authentication agent, the network interface to interface the hardware platform to a network.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the authentication agent comprises a microcontroller on an input/output control hub of the hardware platform.
  - 20. The system of claim 18, the authentication agent further comprising:
    - a network interface filter to apply to the network interface, to restrict network access of a virtual machine based at least in part on a security posture of a virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Ross, Alan D.

Granted Patent

US 8,365,294 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2129   Authenticate client device ...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

Hardware platform authentication and multi-purpose validation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

173 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware platform authentication and multi-purpose validation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links