Mechanisms to control access to cryptographic keys and to attest to the approved configurations of computer platforms
First Claim
1. A method for controlling access to a cryptographic key, the method comprising:
- receiving a configuration of a computing platform, the computing platform comprising a Trusted Platform Module (TPM);
receiving the cryptographic key;
receiving authorization data for accessing the cryptographic key; and
creating an authorization blob, the authorization blob locking the authorization data to a measurement of the configuration.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods and arrangements to control access to cryptographic keys and to attest to the approved configurations of computer platforms able to access these keys, which include trusted platform modules (TPMs) are contemplated. Embodiments include transformations, code, state machines or other logic to control access to a cryptographic key by creating an authorization blob locking authorization data to access the cryptographic key to platform configuration register (PCR) values of a TPM, the PCR values representing a configuration of a computing platform. Embodiments may also involve generating a first TPM cryptographic key bound to PCR values, receiving a second TPM cryptographic key owned by software, and receiving evidence of the identity of an upgrade service controlling the upgrading of the software. Embodiment may also include certifying the first TPM cryptographic key; certifying the second TPM cryptographic key; concatenating the first certification, the second certification, and the evidence of the identity of the upgrade service; and signing the concatenation.
137 Citations
30 Claims
-
1. A method for controlling access to a cryptographic key, the method comprising:
-
receiving a configuration of a computing platform, the computing platform comprising a Trusted Platform Module (TPM); receiving the cryptographic key; receiving authorization data for accessing the cryptographic key; and creating an authorization blob, the authorization blob locking the authorization data to a measurement of the configuration. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A method for attesting to approved configurations of a computing platform, the method comprising:
-
generating a first Trusted Platform Module (TPM) cryptographic key, the key bound to platform configuration register (PCR) values representing a current configuration of a trusted computing base and software; receiving a second TPM cryptographic key owned by the software; receiving evidence of an identity of an upgrade service controlling the upgrading of the software; certifying the first TPM cryptographic key, thereby producing a first certification; certifying the second TPM cryptographic key, thereby producing a second certification; concatenating the first certification, the second certification, and the evidence of the identity of the upgrade service, thereby producing a concatenation; and signing the concatenation. - View Dependent Claims (13, 14)
-
-
15. A trusted platform module (TPM), the TPM comprising:
-
a configuration module to receive a configuration of a computing platform; a cryptographic module to receive a cryptographic key and to receive authorization data for accessing the cryptographic key; and a storage module to create an authorization blob, wherein the authorization blob locks the authorization data to the configuration of the computing platform. - View Dependent Claims (16, 17)
-
-
18. A machine-accessible medium to control access to a cryptographic key, the medium having one or more associated instructions, wherein the one or more instructions, when executed, cause a machine to:
-
receive a configuration of a computer platform, the computer platform comprising a Trusted Platform Module (TPM); receive a cryptographic key; receive authorization data for accessing the cryptographic key; and create an authorization blob, the authorization blob locking the authorization data to a measurement of the configuration. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
-
Specification