SESSION MANAGEMENT FRAMEWORK FOR SECURE COMMUNICATIONS BETWEEN HOST DEVICES AND TRUSTED DEVICES

US 20200137031A1
Filed: 12/23/2019
Published: 04/30/2020
Est. Priority Date: 12/23/2019
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:

establishing a security agreement between a host system and a trusted device, the host system including a trusted execution environment (TEE);

initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device;

sending an initialization message to the trusted device;

validating capabilities of the trusted device for a secure communication session between the host system and the trusted device;

provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and

sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.

Citations

21 Claims

1. One or more non-transitory computer-readable storage mediums having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- establishing a security agreement between a host system and a trusted device, the host system including a trusted execution environment (TEE);
  
  initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device;
  
  sending an initialization message to the trusted device;
  
  validating capabilities of the trusted device for a secure communication session between the host system and the trusted device;
  
  provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and
  
  sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more mediums of claim 1, wherein the instructions further include instructions for:
    - wherein establishing the security agreement includes;
      
      querying the trusted device to determine if the device supports authentication,querying the trusted device regarding capabilities of the device to support a secure communication session, andnegotiation to establish the security agreement between the host device and the trusted device.
  - 3. The one or more mediums of claim 1, wherein the instructions further include instructions for:
    - upon activating the secure communication session between the host system and the trusted device, transmitting and receiving secure communications over the secure communications channel.
  - 4. The one or more mediums of claim 1, wherein the instructions further include instructions for:
    - upon activating the secure communication session, receiving a snapshot of a configuration of the trusted device, an endpoint of the trusted device being locked to allow only authorized entities to read from or write to certain registers.
  - 5. The one or more mediums of claim 1, wherein the instructions further include instructions for:
    - terminating the secure communications session, including the host device transmitting an end session request message to the trusted device.
  - 6. The one or more mediums of claim 1, wherein the secure communication session is either a single physical endpoint session for the trusted device or one or more virtual endpoint sessions for the trusted device.
  - 7. The one or more mediums of claim 1, wherein the trusted device includes a register interface including a plurality of registers for management of the secure communications session.
  - 8. The one or more mediums of claim 1, wherein the trusted device is a trusted I/O device or hardware accelerator device.
  - 9. The one or more mediums of claim 8, wherein the trusted device is a PCIe (PCI (Peripheral Component Interconnect) Express) device.

10. An apparatus comprising:
- one or more processors including a trusted execution environment (TEE);
  
  a computer memory to store data including program data; and
  
  an interface with a trusted device;
  
  wherein the apparatus is to;
  
  establish a security agreement with the trusted device;
  
  initiate a key exchange with the trusted device, including sending a key agreement message from to the trusted device;
  
  send an initialization message to the trusted device;
  
  validate capabilities of the trusted device for a secure communication session between the apparatus and the trusted device;
  
  provision secrets to the trusted device and initialize cryptographic parameters with the trusted device; and
  
  send an activate session message to the trusted device to activate the secure communication session over a secure communication channel.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein establishing the security agreement includes the apparatus to:
    - query the trusted device to determine if the device supports authentication;
      
      query the trusted device regarding capabilities of the device to support a secure communication session; and
      
      negotiate to establish the security agreement between the apparatus and the trusted device.
  - 12. The apparatus of claim 10, wherein, upon activating the secure communication session, the apparatus is to receive a snapshot of a configuration of the trusted device, an endpoint of the trusted device being locked to allow only authorized entities to read from or write to certain registers.
  - 13. The apparatus of claim 10, wherein the secure communication session is either a single physical endpoint session for the trusted device or one or more virtual endpoint sessions for the trusted device.
  - 14. The apparatus of claim 10, wherein the trusted device includes a register interface including a plurality of registers for management of the secure communications session.
  - 15. The apparatus of claim 10, wherein the trusted device is a trusted I/O device or hardware accelerator device.
  - 16. The apparatus of claim 10, wherein the trusted device is a PCIe (PCI (Peripheral Component Interconnect) Express) device.

17. A method comprising:
- establishing a security agreement between a trusted device and a host system, the host system including a trusted execution environment (TEE);
  
  performing a key exchange between the trusted device and the host system;
  
  providing capability information for the trusted device to the host system for a secure communication session between the host system and the trusted device;
  
  receiving secrets from the host system at the trusted device and establishing cryptographic parameters with the host system; and
  
  activating the secure communication session over a secure communication channel with the host system.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17, wherein establishing the security agreement includes:
    - providing information regarding support of the trusted device for authentication to the host system;
      
      providing information regarding capabilities of the trusted device to support a secure communication session to the host system; and
      
      negotiating with the host system to establish the security agreement between the trusted device and the host device.
  - 19. The method of claim 17, further comprising:
    - upon establishing the secure communication session between the trusted device and the host system, transmitting and receiving secure communications over the secure communications channel.
  - 20. The method of claim 17, further comprising:
    - providing a snapshot of a configuration of the trusted device to the host system; and
      
      locking an endpoint of the trusted device to allow only authorized entities to read from or write to certain registers.
  - 21. The method of claim 17, further comprising:
    - terminating the secure communications session upon receipt of an end session request message from the host system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Pappachan, Pradeep M., Lal, Reshma

Granted Patent

US 11,349,817 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0897   involving additional device...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

SESSION MANAGEMENT FRAMEWORK FOR SECURE COMMUNICATIONS BETWEEN HOST DEVICES AND TRUSTED DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SESSION MANAGEMENT FRAMEWORK FOR SECURE COMMUNICATIONS BETWEEN HOST DEVICES AND TRUSTED DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links