POLICY BOUND KEY CREATION AND RE-WRAP SERVICE
Abstract
One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client “roams” to a second machine.
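The flow the abstract describes, written out as an added example; this is not code from the patent or from any product it covers, and every concrete choice in it is an assumption: the TEE's encryption key is an RSA-OAEP public key, the key blob is a 256-bit symmetric client key encrypted with AES-256-GCM under a content key that is itself wrapped to the TEE, the platform policy is a JSON document bound into the AEAD's associated data, the key action is an HMAC over the client's data, the client certificate is a placeholder byte string, and the machine identifiers and message are constructed. The example shows all three steps the abstract names: provisioning to the client on the first machine, validation of the blob inside the TEE before any key action, and re-wrapping of the same key blob when the client roams to a second machine whose TEE cannot unwrap the first blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is a constructed platform policy; the abstract names no encoding, so this example
// binds it as JSON into the AEAD's associated data, which ties the policy to the ciphertext.
type Policy struct{ MachineID string }

// EncryptedKeyBlob is what the key service provider provisions to the client.
type EncryptedKeyBlob struct {
	WrappedKEK []byte // content-encryption key under the TEE's RSA-OAEP encryption key
	Nonce      []byte
	Ciphertext []byte // the key blob under AES-256-GCM, policy bytes as associated data
	Policy     []byte // the wrapping policy: authenticated by the GCM tag, not secret
}

type TEE struct {
	MachineID string
	priv      *rsa.PrivateKey // the cryptographic decryption key, accessible only to the TEE
}

func NewTEE(machineID string) *TEE {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) } // key generation failing is unrecoverable for this example
	return &TEE{MachineID: machineID, priv: priv}
}
// EncryptionKey is the cryptographic encryption key the TEE hands to the key service provider.
func (t *TEE) EncryptionKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Sign is the key action: the TEE validates the blob (unwrap, tag, policy) before using the key.
func (t *TEE) Sign(blob EncryptedKeyBlob, data []byte) ([]byte, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, blob.WrappedKEK, nil)
	if err != nil { return nil, errors.New("blob is not bound to this TEE's decryption key") }
	clientKey, err := gcm(kek).Open(nil, blob.Nonce, blob.Ciphertext, blob.Policy)
	if err != nil { return nil, errors.New("blob or policy has been altered") }
	var p Policy
	if err := json.Unmarshal(blob.Policy, &p); err != nil || p.MachineID != t.MachineID {
		return nil, errors.New("platform policy does not permit this machine")
	}
	mac := hmac.New(sha256.New, clientKey) // constructed key action: HMAC over the data
	mac.Write(data)
	return mac.Sum(nil), nil
}

// KeyServiceProvider keeps the key blob it issued so it can re-wrap it; cert is a placeholder.
type KeyServiceProvider struct{ keyBlob, cert []byte }

// Provision encrypts the key blob under a TEE's encryption key, wraps it with the policy and
// returns it with the certificate; the roaming re-wrap is this same call for the second TEE.
func (k *KeyServiceProvider) Provision(teeKey *rsa.PublicKey, p Policy) (EncryptedKeyBlob, []byte) {
	kek := randBytes(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, teeKey, kek, nil)
	if err != nil { panic(err) } // only fails if kek is too long for the key; it is 32 bytes
	policyBytes, _ := json.Marshal(p) // cannot fail for a struct of strings
	aead := gcm(kek)
	nonce := randBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, k.keyBlob, policyBytes)
	return EncryptedKeyBlob{WrappedKEK: wrapped, Nonce: nonce, Ciphertext: ct, Policy: policyBytes}, k.cert
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length; kek is always 32 bytes
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // a failing CSPRNG is unrecoverable
	return b
}

// RoamingDemo provisions on machine A, shows B's TEE rejects A's blob, then re-wraps for B.
func RoamingDemo() (sigA, sigB []byte, staleRejected bool, err error) {
	teeA, teeB := NewTEE("machine-A"), NewTEE("machine-B")
	ksp := &KeyServiceProvider{keyBlob: randBytes(32), cert: []byte("PLACEHOLDER-CLIENT-CERTIFICATE")}
	blobA, _ := ksp.Provision(teeA.EncryptionKey(), Policy{MachineID: "machine-A"})
	msg := []byte("constructed message to sign")
	if sigA, err = teeA.Sign(blobA, msg); err != nil { return }
	_, staleErr := teeB.Sign(blobA, msg) // wrapped for A's key, so B's TEE cannot unwrap it
	staleRejected = staleErr != nil
	blobB, _ := ksp.Provision(teeB.EncryptionKey(), Policy{MachineID: "machine-B"}) // the re-wrap
	sigB, err = teeB.Sign(blobB, msg) // same client key, so the signature matches sigA
	return
}

func main() {
	sigA, sigB, stale, err := RoamingDemo()
	if err != nil { panic(err) }
	fmt.Println("stale blob rejected on machine B:", stale)
	fmt.Println("signatures match after re-wrap:", hmac.Equal(sigA, sigB))
}
```

The design point worth noting is that the policy travels in the clear but is covered by the GCM tag, so a client that edits the policy, or presents a blob wrapped for a different machine, is refused before the TEE ever touches the client key; the key service provider, which still holds the plaintext blob, is the only party able to produce a blob for the second machine.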
20 Claims
1. A method for provisioning an encrypted key blob and a client certificate, comprising:
encrypting a key blob using a cryptographic encryption key associated with a trusted execution environment on a first machine associated with a client to create an encrypted key blob, the cryptographic encryption key corresponding to a cryptographic decryption key accessible to the trusted execution environment; and provisioning the encrypted key blob and the client certificate to the client at the first machine.
(Dependent claims 2 to 10 are not reproduced on this page.)

11. A method for obtaining a client key and a client certificate, comprising:
receiving, at a client on a first machine, an encrypted key blob and a client certificate from a key service provider, the encrypted key blob encrypted by the key service provider using a cryptographic encryption key associated with a trusted execution environment on the first machine; submitting a key action request to the trusted execution environment, the key action request comprising the encrypted key blob; and performing a key action utilizing the trusted execution environment based upon the trusted execution environment validating the encrypted key blob with a cryptographic decryption key associated with the trusted execution environment.
(Dependent claims 12 to 16 are not reproduced on this page.)

17. A system for provisioning encrypted key blobs and client certificates, comprising:
a provisioning component configured to: encrypt a key blob using a cryptographic encryption key associated with a trusted execution environment on a first machine associated with a client to create an encrypted key blob, the cryptographic encryption key corresponding to a cryptographic decryption key accessible to the trusted execution environment; and provision the encrypted key blob and the client certificate to the client at the first machine.
(Dependent claims 18 to 20 are not reproduced on this page.)
Specification