HARDWARE-BASED DEVICE AUTHENTICATION

US 20150222629A1
Filed: 02/09/2015
Published: 08/06/2015
Est. Priority Date: 12/23/2012
Status: Active Grant

First Claim

Patent Images

1-29. -29. (canceled)

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An opportunity for a computing device to participate in a secure session with a particular domain is identified. A secured microcontroller of the computing device is used to identify a secured, persistent seed corresponding to the particular domain and stored in secured memory of the computing device. A secure identifier is derived based on the seed and sent for use by the particular domain in authenticating the computing device to the particular domain for the secure session. The particular domain can further apply security policies to transactions involving the computing device and particular domain based at least in part on the secure identifier.

34 Citations

View as Search Results

49 Claims

1-29. -29. (canceled)

30. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- access, in secured memory of a secured microcontroller of a computing device, a persistent seed corresponding to a particular domain, wherein the persistent seed is to be accessed in association with an attempt to establish a secure session between the with the computing device and the particular domain;
  
  derive, using the secured microcontroller, a one-time password based on the seed; and
  
  send, using the secured microcontroller, the one-time password to another device associated with the particular domain to authenticate the computing device to the particular domain, wherein the one-time password is sent independent of a processor and operating system of the computing device.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 31. The storage medium of claim 30, wherein the secured memory is inaccessible to resources of the operating system of the computing device.
  - 32. The storage medium of claim 30, wherein the seed is unique within a system to a pairing of the computing device and the particular domain.
  - 33. The storage medium of claim 30, wherein the particular domain corresponds to a website.
  - 34. The storage medium of claim 30, wherein the particular domain corresponds to a web service.
  - 35. The storage medium of claim 30, wherein the particular domain corresponds to an ecommerce site.
  - 36. The storage medium of claim 30, wherein the seed is received from the particular domain over a secured channel.
  - 37. The storage medium of claim 36, wherein the instructions, when executed, further cause the machine to establish the secured channel, and establishing the secured channel includes authenticating the particular domain.
  - 38. The storage medium of claim 37, wherein establishing the secured channel includes using a key exchange protocol.
  - 39. The storage medium of claim 38, wherein the key exchange protocol is a SIGMA protocol.
  - 40. The storage medium of claim 30, wherein the instructions, when executed, further cause the machine to prompt a user of the computing device for permission to participate in the secure session with the particular domain.
  - 41. The storage medium of claim 30, wherein the instructions, when executed, further cause the machine to derive the secure identifier based on the seed and a value known to both the computing device and the particular domain.
  - 42. The storage medium of claim 41, wherein the value is an identifier of the particular domain.
  - 43. The storage medium of claim 42, wherein the instructions, when executed, further cause the machine to receive the identifier from the particular domain.
  - 44. The storage medium of claim 41, wherein the value comprises a system clock value.
  - 45. The storage medium of claim 30, wherein the instructions, when executed, further cause the machine to communicate security posture data over a secured channel between the computing device and domain, the security posture data describing attributes of the computing device.
  - 46. The storage medium of claim 30, wherein the instructions, when executed, further cause the machine to collect security data from the computing device and generate the security posture data.

47. A method comprising:
- accessing, in secured memory of a secured microcontroller of a computing device, a persistent seed corresponding to a particular domain, wherein the persistent seed is to be accessed in association with an attempt to establish a secure session between the with the computing device and the particular domain;
  
  deriving, using the secured microcontroller, a one-time password based on the seed; and
  
  sending, using the secured microcontroller, the one-time password to another device associated with the particular domain to authenticate the computing device to the particular domain, wherein the one-time password is sent independent of a processor and operating system of the computing device

48. An apparatus comprising:
- secured memory;
  
  a secured microcontroller, wherein the secured microcontroller is configured to access a network interface of a computing device independent of a processor and operating system of the computing device;
  
  code, executable by the secured microcontroller, to;
  
  access, in secured memory of a secured microcontroller of a computing device, a persistent seed corresponding to a particular domain, wherein the persistent seed is to be accessed in association with an attempt to establish a secure session between the with the computing device and the particular domain;
  
  derive, using the secured microcontroller, a one-time password based on the seed; and
  
  send, using the secured microcontroller, the one-time password to another device associated with the particular domain to authenticate the computing device to the particular domain, wherein the one-time password is sent independent of a processor and operating system of the computing device.
- View Dependent Claims (49)
- - 49. The apparatus of claim 48, further comprising:
    - the network interface;
      
      the processor; and
      
      the operating system, wherein the operating system is executed using the processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Von Bokern, Vincent Edward, Goel, Purushottam, Schrecker, Sven, Smith, Ned McArthur

Granted Patent

US 10,432,616 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/44   Program or device authentic...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

H04L 9/0877   using additional device, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

HARDWARE-BASED DEVICE AUTHENTICATION

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

HARDWARE-BASED DEVICE AUTHENTICATION

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links