Privacy Enhanced Key Management For A Web Service Provider Using A Converged Security Engine

US 20140181925A1
Filed: 12/20/2012
Published: 06/26/2014
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a security engine including an identity provider logic to generate a first key pair of a key pairing associating a user of the system and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system, the first key to enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication; and

at least one sensor to provide sensed information regarding the user to the security engine, wherein the security engine is to authenticate the user using the sensed information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.

Citations

20 Claims

1. A system comprising:
- a security engine including an identity provider logic to generate a first key pair of a key pairing associating a user of the system and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system, the first key to enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication; and
  
  at least one sensor to provide sensed information regarding the user to the security engine, wherein the security engine is to authenticate the user using the sensed information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the identity provider logic is to generate the assertion and sign the assertion with a second key of the key pairing, wherein the service provider is to enable access to the web service via the second system responsive to verification of the signed assertion.
  - 3. The system of claim 2, wherein the security engine is to generate a request communicated along a trusted path of the system to confirm that the user seeks to generate the key pairing to associate the user and the service provider.
  - 4. The system of claim 2, wherein the security engine is to authenticate the user according to the multi-factor authentication before the user seeks to access the web service.
  - 5. The system of claim 1, wherein the identity provider logic is to receive an authentication request from the second system and generate the assertion responsive to the authentication request.
  - 6. The system of claim 1, wherein the security engine is to receive the sensed information from the at least one sensor corresponding to a presence detection sensor or a user authentication sensor.

7. A method comprising:
- receiving an authentication request in an identity provider logic of a security engine of a client system, the authentication request received from a service provider having a web service that a user of the client system seeks to access;
  
  generating an assertion that the user has been authenticated to the client system via a multi-factor authentication, and signing the assertion with a first key of a key pairing that associates the user and the service provider; and
  
  sending the signed assertion to the service provider, wherein the service provider is to enable the user to access to the web service responsive to verification of the signed assertion and without a challenge-response interaction with the user.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The method of claim 7, further comprising authenticating the user according to the multi-factor authentication before the user seeks to access the web service.
  - 9. The method of claim 7, further comprising receiving the authentication request in a browser application of the client system and redirecting the authentication request to the security engine.
  - 10. The method of claim 7, further comprising confirming that the user seeks to access the web service via user input, responsive to a request communicated via a trusted path of the client system, the trusted path not accessible to malware executing on the client system.
  - 11. The method of claim 10, further comprising generating a first key pair in the security engine responsive to user approval for creating the key pairing.
  - 12. The method of claim 11, further comprising communicating, via a Sigma session between the client system and the service provider, to verify a trusted execution environment of the client system and to provide a public key of the first key pair and to receive a public key of a second key pair generated by the service provider.
  - 13. The method of claim 12, further comprising storing a data structure in the client system, the data structure including a private key and the public key of the first key pair and the public key of the second key pair.
  - 14. The method of claim 13, further comprising accessing the data structure to sign the assertion.
  - 15. The method of claim 7, further comprising enabling the user access to the web service without receipt of a username or password from the user.
  - 16. The method of claim 7, further comprising migrating a user account for the web service from a username and password mechanism to association via the key pairing.

17. At least one computer-readable medium including instructions that when executed enable a system to:
- receive, in the system of a service provider, a user request to access an account via a website of the service provider without a username or password;
  
  send an authorization request from the system to a client system of the user to obtain an assertion that the user has been authenticated to the client system via a multi-factor authentication, wherein the assertion is signed with a first key of a key pairing that associates the user and the service provider;
  
  receive the assertion from the client system; and
  
  verify the assertion and grant access to the account via the website responsive to the verification.
- View Dependent Claims (18, 19, 20)
- - 18. The at least one computer-readable medium of claim 17, further comprising instructions that enable the system to communicate with the client system via a Sigma session to verify a trusted execution environment of the client system and to receive a second key of the key pairing.
  - 19. The at least one computer-readable medium of claim 17, further comprising instructions that enable the system to perform a communication between the system and a remote online certificate status provider to obtain certificate information to provide to the client system.
  - 20. The at least one computer-readable medium of claim 17, further comprising instructions that enable the system to migrate association of the account via a username and password mechanism to association via the key pairing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Cahill, Conor P., Moore, Victoria C., Martin, Jason, Sheller, Micah J.

Granted Patent

US 9,064,109 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/45   Structures or tools for the...

H04L 2209/127   Trusted platform modules [TPM]

H04L 2463/082   applying multi-factor authe...

H04L 63/0281   Proxies

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/1466   Active attacks involving in...

H04L 9/0861   Generation of secret inform...

H04L 9/3234   involving additional secure...

Privacy Enhanced Key Management For A Web Service Provider Using A Converged Security Engine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Privacy Enhanced Key Management For A Web Service Provider Using A Converged Security Engine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links