POLICY BOUND KEY CREATION AND RE-WRAP SERVICE

US 20120297200A1
Filed: 05/17/2011
Published: 11/22/2012
Est. Priority Date: 05/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method for provisioning an encrypted key blob and a client certificate, comprising:

encrypting a key blob using a cryptographic encryption key associated with a trusted execution environment on a first machine associated with a client to create an encrypted key blob, the cryptographic encryption key corresponding to a cryptographic decryption key accessible to the trusted execution environment; and

provisioning the encrypted key blob and the client certificate to the client at the first machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client “roams” to a second machine.

101 Citations

View as Search Results

20 Claims

1. A method for provisioning an encrypted key blob and a client certificate, comprising:
- encrypting a key blob using a cryptographic encryption key associated with a trusted execution environment on a first machine associated with a client to create an encrypted key blob, the cryptographic encryption key corresponding to a cryptographic decryption key accessible to the trusted execution environment; and
  
  provisioning the encrypted key blob and the client certificate to the client at the first machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, the encrypting comprising:
    - wrapping the encrypted key blob with a platform policy corresponding to the platform boot state of the first machine.
  - 3. The method of claim 1, the encrypting comprising:
    - wrapping the encrypted key blob with at least one of a password policy associated with the client, a key usage number policy, and a time window policy.
  - 4. The method of claim 2, comprising:
    - receiving a request to re-wrap the encrypted key blob based upon a new platform boot state of the first machine;
      
      upon determining that the new platform boot state is in a valid state, re-wrapping the encrypted key blob with a new platform policy corresponding to the new platform boot state of the first machine to create a re-wrapped encrypted key blob; and
      
      provisioning the re-wrapped encrypted key blob to the client at the first machine.
  - 5. The method of claim 1, comprising:
    - receiving a request to re-wrap the encrypted key blob based upon a second trusted execution environment of a second machine;
      
      encrypting the key blob with a second cryptographic encryption key associated with the second trusted execution environment on the second machine to create a re-wrapped encrypted key blob; and
      
      provisioning the re-wrapped encrypted key blob to the client at the second machine.
  - 6. The method of claim 5, the encrypting the key blob with a second cryptographic encryption key comprising:
    - wrapping the re-wrapped encrypted key blob with a second platform policy corresponding to a second platform boot state of the second machine.
  - 7. The method of claim 1, comprising:
    - receiving a request to re-wrap the encrypted key blob based upon a new password of the client;
      
      upon validating the new password, re-wrapping the encrypted key blob with the new password; and
      
      provisioning the re-wrapped encrypted key blob to the client.
  - 8. The method of claim 2, comprising:
    - receiving a request to re-wrap the encrypted key blob based upon a new platform boot state of the first machine; and
      
      upon determining that the new platform boot state indicates that the first machine is not in a valid state, refusing to re-wrap the encrypted key blob.
  - 9. The method of claim 1, comprising:
    - receiving an endorsement key certificate associated with the trusted execution environment;
      
      providing an encrypted ownership request to the trusted execution environment, the encrypted ownership request encrypted using the endorsement key certificate; and
      
      receiving the cryptographic encryption key from the trusted execution environment.
  - 10. The method of claim 1, the client certificate indicating client usage compliance.

11. A method for obtaining a client key and a client certificate, comprising:
- receiving, at a client on a first machine, an encrypted key blob and a client certificate from a key service provider, the encrypted key blob encrypted by the key service provider using a cryptographic encryption key associated with a trusted execution environment on the first machine;
  
  submitting a key action request to the trusted execution environment, the key action request comprising the encrypted key blob; and
  
  performing a key action utilizing the trusted execution environment based upon the trusted execution environment validating the encrypted key blob with a cryptographic decryption key associated with the trusted execution environment.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, the performing a key action comprising:
    - performing the key action to sign an object with a client signature; and
      
      providing the signed object and the client certificate to a recipient for validation, the client certificate configured for validating the client signature of the signed object.
  - 13. The method of claim 11, the encrypted key blob wrapped with a platform policy, the key action request comprising a current platform boot state of the first machine, and the key action performed based upon the trusted execution environment validating the current platform boot state with the platform policy.
  - 14. The method of claim 11, the encrypted key blob wrapped with a password policy associated with the client, the key action request comprising a user password, and the key action performed based upon the trusted execution environment validating the user password with the password policy.
  - 15. The method of claim 13, comprising:
    - sending, from the client on a second machine, a request to the key service provider to re-wrap the encrypted key blob based upon a second trusted execution environment of the second machine; and
      
      receiving a re-wrapped encrypted key blob from the key service provider, the re-wrapped encrypted key blob encrypted with a second cryptographic encryption key associated with the second trusted execution environment of the second machine and wrapped with a second platform policy corresponding to a second platform boot state of the second machine.
  - 16. The method of claim 15, comprising:
    - submitting a second key action request to the second trusted execution environment, the second key action request comprising the re-wrapped encrypted key blob and a second current platform boot state of the second machine; and
      
      performing a second key action utilizing the second trusted execution environment based upon the second trusted execution environment validating the re-wrapped encrypted key blob with a second cryptographic decryption key and validating the second current platform boot state with the second platform policy.

17. A system for provisioning encrypted key blobs and client certificates, comprising:
- a provisioning component configured to;
  
  encrypt a key blob using a cryptographic encryption key associated with a trusted execution environment on the a machine associated with a client to create an encrypted key blob, the cryptographic encryption key corresponding to a cryptographic decryption key accessible to the trusted execution environment; and
  
  provision the encrypted key blob and the client certificate to the client at the first machine.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, the provisioning component configured to:
    - wrap the encrypted key blob with a platform policy corresponding to a platform boot state of the first machine.
  - 19. The system of claim 18, the provisioning component configured to:
    - receive a request to re-wrap the encrypted key blob based upon a second trusted execution environment of a second machine;
      
      upon determining that a second platform boot state indicates that the second machine is in a valid state, encrypt the key blob with a second cryptographic encryption key associated with the second trusted execution environment on the second machine to create a re-wrapped encrypted key blob; and
      
      provision the re-wrapped encrypted key blob to the client at the second machine.
  - 20. The method of claim 19, the provisioning component configured to:
    - wrap the re-wrapped encrypted key blob with a second platform policy corresponding to the second platform boot state of the second machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Thom, Stefan, Spiger, Robert Karl, Bays, Valerie Kathleen, Nyström, Bo Gustaf Magnus

Granted Patent

US 9,690,941 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

H04L 2209/127   Trusted platform modules [TPM]

POLICY BOUND KEY CREATION AND RE-WRAP SERVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY BOUND KEY CREATION AND RE-WRAP SERVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links