Secure credential management

US 20090006848A1
Filed: 06/29/2007
Published: 01/01/2009
Est. Priority Date: 06/29/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a data store to store an authentication data associated with a connectivity authentication process (CAP);

an authentication supplicant (AS) logic to provide a response to an authentication communication (ACM) associated with the CAP;

an authentication management (AM) logic to receive the ACM from a connection management (CM) logic associated with a host operating system (HOS) to which the apparatus is operably connected, where the AM logic is to selectively provide the ACM to the AS logic, and where the AM logic is to provide the response from the AS logic to the CM logic; and

a device management (DM) client logic to provide a secure connection to an operator DM server associated with the CAP and to selectively provide authentication data to a network module associated with the HOS;

the AS logic, the AM logic, and the DM client logic being resident in firmware that is not executable by the HOS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods associated with providing secure credential management are described. One apparatus embodiment includes a data store to store authentication data and an authentication supplicant (AS) logic to provide a response to an authentication communication (ACM) received from an authentication process. An authentication management (AM) logic may receive the ACM from a connection management (CM) logic associated with a host operating system (HOS), provide the ACM to the AS logic, and provide the response back to the CM logic. The apparatus may include a device management (DM) client logic to provide a secure connection to an operator DM server associated with the authentication process and to store authentication data provided by the operator DM server in the data store. The AS logic, AM logic, and DM logic may reside in firmware that is not accessible to the HOS.

Citations

15 Claims

1. An apparatus, comprising:
- a data store to store an authentication data associated with a connectivity authentication process (CAP);
  
  an authentication supplicant (AS) logic to provide a response to an authentication communication (ACM) associated with the CAP;
  
  an authentication management (AM) logic to receive the ACM from a connection management (CM) logic associated with a host operating system (HOS) to which the apparatus is operably connected, where the AM logic is to selectively provide the ACM to the AS logic, and where the AM logic is to provide the response from the AS logic to the CM logic; and
  
  a device management (DM) client logic to provide a secure connection to an operator DM server associated with the CAP and to selectively provide authentication data to a network module associated with the HOS;
  
  the AS logic, the AM logic, and the DM client logic being resident in firmware that is not executable by the HOS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, the authentication data including one or more of, an identity, a password, a key, a certificate, and a credential.
  - 3. The apparatus of claim 1, the data store being a FLASH memory to which access is controlled by a firmware based manageability engine (ME), the FLASH memory not being directly accessible by the HOS.
  - 4. The apparatus of claim 1, the ACM being associated with an Extensible Authentication Protocol (EAP) method.
  - 5. The apparatus of claim 4, the EAP method being one or more of, an EAP for GSM (Global System for Mobile Communications) Subscriber Identity (EAP-SIM) method, and an EAP for UMTS (Universal Mobile Telecommunications System) Authentication and Key Agreement (EAP-AKA) method.
  - 6. The apparatus of claim 5, where the AS logic is to process an ACM associated with an EAP authentication process, a WLAN (wireless local area network) authentication process, a WWAN (wireless wide area network) authentication process, a WWAN HSDPA (high speed downlink packet access) authentication process, a WiMAX (Worldwide Interoperability for Microwave Access) authentication process, and a GSM authentication process, where the AS logic is to decrypt the ACM and to encrypt the response.
  - 7. The apparatus of claim 6, where the AM logic is to communicate ACMs from two or more different authentication processes and where the AS logic is to process ACMs from two or more different authentication processes.
  - 8. The apparatus of claim 1, where the DM client logic is to receive the authentication data from the operator DM server, to selectively store the authentication data in the data store, and to selectively control a DM agent associated with the HOS to provision a networking module supported by the HOS with data selected from authentication data stored in the data store.
  - 9. The apparatus of claim 1, comprising a Universal Integrated Circuit Card (UICC) logic to provide a firmware-based virtual SIM (Subscriber Identity Module).
  - 10. The apparatus of claim 1, comprising:
    - a host embedded control interface (HECI) logic to provide bidirectional communication between the HOS and the apparatus.
  - 11. The apparatus of claim 10, where the HOS is to support a connection management (CM) logic to proxy communications between an external network authentication logic and the apparatus, and an HECI logic to provide bidirectional communication between the apparatus and the HOS.
  - 12. The apparatus of claim 11, where the HOS is to support a plurality of network communication logics including one or more of, a WWAN logic to provide WWAN connectivity, and a WiMAX logic to provide WiMAX connectivity.
  - 13. The apparatus of claim 1, the AS logic, the AM logic, and the DM client logic being resident in a micro-controller in a graphics and memory controller hub, the hub being part of a chipset, the chipset being part of a computing platform on which the HOS is to run, the firmware not being accessible to a central processing unit (CPU) in the chipset, the data store not being accessible to the CPU, the micro-controller and the CPU to have different power sources.

14. A method, comprising:
- controlling a logic to proxy communications between an external authentication challenger and an internal silicon-based authentication responder.
- View Dependent Claims (15)
- - 15. The method of claim 14, comprising:
    - receiving in the authentication responder a data packet related to an authentication message received by a HOS, the authentication message being associated with an authentication process associated with the external authentication challenger;
      
      selectively processing the data packet;
      
      providing an encrypted response to the data packet to the HOS, where the HOS is to provide an authentication response to the external authentication challenger, the authentication response being based, at least in part, on the encrypted response to the data packet; and
      
      providing a session key to the HOS upon determining that the external authentication challenger has successfully concluded an authentication process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Narjala, Ranjit, Elgebaly, Hani, Adrangi, Farid

Granted Patent

US 8,510,553 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/162   at the data link layer

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

Secure credential management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Secure credential management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links