Privacy Enhanced Key Management For A Web Service Provider Using A Converged Security Engine
First Claim
1. A system comprising:
- a security engine including an identity provider logic to generate a first key pair of a key pairing associating a user of the system and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system, the first key to enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication; and
- at least one sensor to provide sensed information regarding the user to the security engine, wherein the security engine is to authenticate the user using the sensed information.
Abstract
In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating a system user and a service provider that provides a web service and has a second system coupled to the system via a network. The identity provider logic performs a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and, responsive to the verification, sends a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.
20 Claims
1. A system comprising: the security engine with identity provider logic and the at least one sensor recited in the First Claim above.
Dependent claims: 2, 3, 4, 5, 6

7. A method comprising:
- receiving an authentication request in an identity provider logic of a security engine of a client system, the authentication request received from a service provider having a web service that a user of the client system seeks to access;
- generating an assertion that the user has been authenticated to the client system via a multi-factor authentication, and signing the assertion with a first key of a key pairing that associates the user and the service provider; and
- sending the signed assertion to the service provider, wherein the service provider is to enable the user to access the web service responsive to verification of the signed assertion and without a challenge-response interaction with the user.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16

17. At least one computer-readable medium including instructions that when executed enable a system to:
- receive, in the system of a service provider, a user request to access an account via a website of the service provider without a username or password;
- send an authorization request from the system to a client system of the user to obtain an assertion that the user has been authenticated to the client system via a multi-factor authentication, wherein the assertion is signed with a first key of a key pairing that associates the user and the service provider;
- receive the assertion from the client system; and
- verify the assertion and grant access to the account via the website responsive to the verification.
Dependent claims: 18, 19, 20
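The exchange recited in claims 7 and 17, as an added Go example that is not part of the patent or of any product it covers: the client's identity provider logic keeps one private key per (user, service provider) pairing, the service provider accepts the public key only after attestation of the trusted execution environment, and a later login is a signed assertion checked without any password or user challenge. Ed25519 as the signature scheme, the assertion byte layout, and the booleans standing in for the attestation exchange and the sensor-based multi-factor authentication are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
// assertion is the statement "user passed MFA for provider, answering request reqID"; its layout is an assumption.
func assertion(user, provider, reqID string) []byte {
	return []byte("mfa-authenticated|" + user + "|" + provider + "|" + reqID)
}
// ClientIDP models the security engine's identity provider logic: one private key per
// (user, service provider) pairing, which never leaves the engine.
type ClientIDP struct{ pairings map[string]ed25519.PrivateKey }
func NewClientIDP() *ClientIDP { return &ClientIDP{map[string]ed25519.PrivateKey{}} }
// Pair generates the pairing's key pair and returns its public ("first") key for the provider.
func (c *ClientIDP) Pair(user, provider string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		c.pairings[user+"@"+provider] = priv
	}
	return pub, err
}
// Assert signs the assertion answering the provider's authorization request; mfaPassed
// stands in for the sensor-based authentication the security engine performs on the user.
func (c *ClientIDP) Assert(user, provider, reqID string, mfaPassed bool) ([]byte, error) {
	priv, ok := c.pairings[user+"@"+provider]
	if !ok || !mfaPassed {
		return nil, errors.New("no pairing for this provider or MFA not satisfied")
	}
	return ed25519.Sign(priv, assertion(user, provider, reqID)), nil
}
// ServiceProvider keeps one pairing key per user; Enroll accepts a key only after the
// client attested (modelled by a boolean) that its identity provider logic runs in a TEE.
type ServiceProvider struct{ Name string; keys map[string]ed25519.PublicKey }
func NewServiceProvider(name string) *ServiceProvider { return &ServiceProvider{name, map[string]ed25519.PublicKey{}} }
func (s *ServiceProvider) Enroll(user string, pub ed25519.PublicKey, teeAttested bool) error {
	if !teeAttested {
		return errors.New("identity provider logic not attested as running in a TEE")
	}
	s.keys[user] = pub
	return nil
}
// Verify grants access when the signature over the expected assertion checks under the
// pairing key; no username, password or challenge-response with the user is involved.
func (s *ServiceProvider) Verify(user, reqID string, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, assertion(user, s.Name, reqID), sig)
}
```

Binding the provider name and the request identifier into the signed bytes is what keeps one pairing's assertion from being accepted by another provider or replayed against a later request.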
Specification