APPARATUS AND METHOD FOR GROUP SESSION KEY AND ESTABLISHMENT USING A CERTIFIED MIGRATION KEY

US 20090249073A1
Filed: 06/12/2009
Published: 10/01/2009
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

exporting a protected certified migration key (CMK) to a target platform if the platform is authorized to participate in a group and meets a group security policy;

encrypting a group master key with a public portion of the CMK to form a protected group master key; and

transmitting the protected group master key to the target platform.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for group session key and establishment using a certified migration key are described. In one embodiment, the method includes exporting of a protected certified migration key (CMK) to a target platform. In one embodiment, exporting of the protected CMK requires that the target platform is authorized for participation in a group and has a storage key, including attributes that comply with the group security policy. Once the protected CMK is exported, in one embodiment, a group master key is encrypted with a public portion of the CMK to form a protected group master key. Subsequently, the protected group master key is transmitted to the target platform. In one embodiment, possession of the group master key enables the target platform to participate in a secure group communication session. Other embodiments are described and claimed.

31 Citations

View as Search Results

20 Claims

1. A method comprising:
- exporting a protected certified migration key (CMK) to a target platform if the platform is authorized to participate in a group and meets a group security policy;
  
  encrypting a group master key with a public portion of the CMK to form a protected group master key; and
  
  transmitting the protected group master key to the target platform.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein exporting further comprises:
    - verifying that the platform is authorized for participation in the group;
      
      requesting signed attributes of a key selected by the target platform as a parent key of the CMK if the platform is verified as authorized to participate in the group;
      
      comparing signed attributes received from the target platform against the group security policy; and
      
      encrypting the CMK with a public portion of the parent key of the target platform if the signed attributes meet the group security policy to form the protected CMK.
  - 3. The method of claim 1, wherein prior to exporting, the method further comprises:
    - exporting the group CMK to a trusted group manager;
      
      creating, by the trusted group manager, the group master key; and
      
      responding to request a from the target platform to join the group.
  - 4. The method of claim 1, further comprising:
    - encrypting a data stream according to a session key derived from the group master key;
      
      encrypting the session key using the group CMK; and
      
      transmitting the encrypted data stream, including the session key, to the platform and at least one group member platform.
  - 5. The method of claim 1, wherein the protected group master key is transmitted to the target platform by a group member platform.

6. A method comprising:
- providing, according to a key certification request from a group manager, signed attributes of key selected by a target platform as a parent key of a certified migration key (CMK) held by the trusted group manager;
  
  receiving the CMK from the group manager if the signed attributes meet a group security policy; and
  
  participating in a group communications session with at least one group member platform by decrypting an encrypted data stream using a session key received with the encrypted stream and protected by the CMK.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein prior to providing the signed attributes, the method further comprises:
    - issuing, by the target platform, a request to the group manager to join a group; and
      
      receiving the key certification request if the target platform is authorized for participation in the group.
  - 8. The method of claim 6, wherein receiving the CMK further comprises:
    - decrypting the CMK according to the key selected by the platform as the parent key of the CMK; and
      
      loading the CMK under the selected parent key.
  - 9. The method of claim 6, further comprising:
    - receiving a group master key, wherein the group master key is encrypted with a public portion of the CMK;
      
      decrypting the group master key with a private portion of the CMK; and
      
      deriving a group session key from the master key to enable participation in a group communication session.
  - 10. The method of claim 6, wherein participating in the group communication session comprises:
    - receiving the encrypted group session key with encrypted content;
      
      decrypting the session key with a private portion of the CMK; and
      
      decrypting the encrypted content using the decrypted session key.

11. A system, comprising:
- at least one group member platform;
  
  a target platform; and
  
  a group manager platform, the group manager platform to export a protected, certified migration key (CMK) to the target platform if the target platform is authorized for participation in a group with the group member platform and meets a group security policy, wherein the target platform is to receive a group master key form one of the group manager platform and the group member platform to enable participation in a secure group communication session with the group member platform.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the group member platform further comprises:
    - a trusted platform module (TPM) to provide sealed storage of the group master key with the CMK as a parent key, the TPM to encrypt the group master key with a public portion of the CMK to form a protected group master key and to transmit the protected group master key to the target platform.
  - 13. The system of claim 11, wherein the group member platform further comprises:
    - a trusted platform module (TPM) to provide sealed storage of the group master key with the CMK as a parent key, the TPM to encrypt the group master key with a public portion of the CMK to form a protected group master key and to transmit the protected group master key to the target platform to enable the platform to participate in secure group communication sessions.
  - 14. The system of claim 13, wherein the group member platform is to request signed attributes of a key selected by the target platform as a parent key of the CMK if the platform is verified as authorized to participate in the group and to encrypt the CMK with a public portion of the parent key of the platform if the signed attributes meet the group security policy to form the protected CMK.
  - 15. The system of claim 11, wherein the group member platform is to encrypt a data stream according to a session key derived from the group master key, to encrypt the session key using the group CMK and to transmit the encrypted stream, including the session key to the target platform.
  - 16. The system of claim 11, wherein the target platform further comprises:
    - a trusted platform module to provide, according to a key certification request received from the group manager platform, signed attributes of a key selected by the target platform as a parent key of the CMK and to receive the protected CMK from the group manager platform if the signed attributes meet the group security policy.
  - 17. The system of claim 11, wherein the target platform is to participate in a secure communications session with the group member platform by decrypting an encrypted stream using a session key received with the encrypted stream and protected by the CMK.
  - 18. The system of claim 11, wherein the target platform is to receive a group master key encrypted with a public portion of the CMK, to decrypt the group master key with a private portion of the CMK and to derive a group session key from the decrypted group master key to enable participation in a secure group communication session.
  - 19. The system of claim 11, wherein the target platform is to receive an encrypted group session key with a encrypted content, to decrypt the session key with a private portion of the CMK and to decrypt the encrypted content using the decrypted session key.
  - 20. The system of claim 11, wherein the group member platform generates the CMK and exports the CMK to the group manager platform.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Wiseman, Williard M., McKown, Brett G.

Granted Patent

US 8,255,690 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 9/0825 using asymmetric-key encryp...

H04L 9/0836 using tree structure or hie...

APPARATUS AND METHOD FOR GROUP SESSION KEY AND ESTABLISHMENT USING A CERTIFIED MIGRATION KEY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR GROUP SESSION KEY AND ESTABLISHMENT USING A CERTIFIED MIGRATION KEY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links