Method and system for authenticating and utilizing secure resources in a computer system

US 6,138,239 A
Filed: 11/13/1998
Issued: 10/24/2000
Est. Priority Date: 11/13/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for executing secure transactions on a computer system, the method comprising the steps of:

(a) providing a basic input output system (BIOS) on the computer system, the BIOS including first means for indicating a first trust relationship with the BIOS;

(b) providing a secure peripheral coupled with the computer system, the secure peripheral including second means for indicating a second trust relationship with the secure peripheral;

(c) providing a master security co-processor coupled with the secure peripheral and the memory, the master security co-processor for processing sensitive data on the computer system and including third means for indicating a third trust relationship with the master security co-processor; and

(d) utilizing the BIOS or master security co-processor to verify at least one of the first trust relationship, the second trust relationship, or the third trust relationship using the first means for indicating the first trust relationship, the second means for indicating the second trust relationship, or the third means for indicating the third trust relationship.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for executing secure transactions on a computer system is disclosed. The computer system includes a memory. In one aspect, the method and system include providing a basic input output system (BIOS) on the computer system, providing a secure peripheral coupled with the computer system, and providing a master security co-processor coupled with the computer system. The BIOS includes first unit for indicating a first trust relationship with the BIOS. The secure peripheral includes second unit for indicating a second trust relationship with the secure peripheral. The master security co-processor is for processing sensitive data on the computer system and includes third unit for indicating a third trust relationship with the master security co-processor. The method and system further includes utilizing the BIOS to verify at least one of the first trust relationship, the second trust relationship, or the third trust relationship using the first unit for indicating the first trust relationship, the second unit for indicating the second trust relationship, or the third unit for indicating the third trust relationship. In another aspect, the method and system are for executing an application utilizing sensitive data on a computer system. The computer system includes a master security co-processor and a secure peripheral. In this aspect, the method and system include establishing a secure channel for communication between the master security co-processor and the secure peripheral for executing a portion of the application and executing the portion of the application by the master security co-processor utilizing the secure channel.

211 Citations

34 Claims

1. A method for executing secure transactions on a computer system, the method comprising the steps of:
- (a) providing a basic input output system (BIOS) on the computer system, the BIOS including first means for indicating a first trust relationship with the BIOS;
  
  (b) providing a secure peripheral coupled with the computer system, the secure peripheral including second means for indicating a second trust relationship with the secure peripheral;
  
  (c) providing a master security co-processor coupled with the secure peripheral and the memory, the master security co-processor for processing sensitive data on the computer system and including third means for indicating a third trust relationship with the master security co-processor; and
  
  (d) utilizing the BIOS or master security co-processor to verify at least one of the first trust relationship, the second trust relationship, or the third trust relationship using the first means for indicating the first trust relationship, the second means for indicating the second trust relationship, or the third means for indicating the third trust relationship.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the BIOS further includes a signature mechanism utilizing step (d) further includes the step of:
    - (d1) verifying the first trust relationship using the signature mechanism.
  - 3. The method of claim 1 further comprising the step of:
    - (e) utilizing the BIOS to verify the second trust relationship using the second means for indicating the second trust relationship and to verify the third trust relationship using the third means for indicating the third trust relationship.
  - 4. The method of claim 3 wherein the secure peripheral includes a second digital certificate and a second private key, the master security co-processor includes a third digital certificate and a third private key;
    - and wherein the BIOS utilizing step (e) further includes the steps of;
      
      (e1) verifying the second digital certificate and the third digital certificate.
  - 5. The method of claim 3 further comprising the step of:
    - (f) providing a list of a plurality of secure resources, the plurality of secure resources including the master security co-processor and the secure peripheral.
  - 6. The method of claim 4 wherein the computer system further includes an application, a portion of the application to be executed by the master security co-processor, and wherein the method further includes the step of:
    - (g) establishing a secure channel for communication between the master security co-processor and the secure peripheral.
  - 7. The method of claim 6 wherein the master security co-processor further includes a first digital certificate, wherein the secure peripheral includes a second digital certificate, and wherein secure channel establishing step (g) further includes the step of:
    - (g1) providing the first digital certificate to the secure peripheral;
      
      (g2) providing the second digital certificate to the master security co-processor;
      
      (g3) verifying the first digital certificate using the secure peripheral;
      
      (g4) verifying the second digital certificate using the master security co-processor; and
      
      (g5) providing a session key for communication between the master security co-processor and the secure peripheral for executing the portion of the application.
  - 8. The method of claim 6 further comprising the step of:
    - (h) executing the portion of the application by the master security co-processor utilizing the secure channel.
  - 9. The method of claim 8 further comprising the step of:
    - (i) determining whether the application can be executed securely.
  - 10. The method of claim 9 where in the system includes a plurality of resources and wherein determining step (i) further includes the steps of:
    - (i1) determining whether the plurality of resources are sufficient for executing the application; and
      
      (i2) executing the application only if the plurality of resources is sufficient.
  - 11. The method of claim 10 wherein resource determining step (i1) further includes the step of:
    - (i1a) determining if the secure peripheral is sufficient for executing the application.
  - 12. The method of claim 9 further comprising the step of:
    - (j) allowing a system administrator to track use of the secure peripherals.

13. A method for executing an application utilizing sensitive data on a computer system, the computer system including a master security co-processor and a secure peripheral, the master security co-processor including a first digital certificate and a first key, the secure peripheral including a second digital certificate and a second key, the method comprising the steps of:
- (a) establishing a secure channel for communication between the master security co-processor and the secure peripheral for executing a portion of the application, the secure channel establishing step (a) further including the steps of(a1) providing the first digital certificate to the secure peripheral;
  
  (a2) providing the second digital certificate to the master security co-processor;
  
  (a3) verifying the first digital certificate using the secure peripheral;
  
  (a4) verifying the second digital certificate using the master security co-processor; and
  
  (a5) providing a session key based on the first key and the second key, the session key for communication between the master security co-processor and the secure peripheral for executing the portion of the application; and
  
  (b) executing the portion of the application by the master security co-processor utilizing the secure channel.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13 further comprising the step of:
    - (c) determining whether the application can be executed securely.
  - 15. The method of claim 14 wherein the system includes a plurality of resources and wherein determining step (c) further includes the steps of:
    - (c1) determining whether the plurality of resources are sufficient for executing the application; and
      
      (c2) executing the application only if the plurality of resources is sufficient.
  - 16. The method of claim 15 wherein resource determining step (c1) further includes the step of:
    - (c1i) determining if the secure peripheral is sufficient for executing the application.

17. A method for executing an application utilizing sensitive data on a computer system, the computer system including a master security co-processor and a secure peripheral, the method comprising the steps of:
- (a) establishing a secure channel for communication between the master security co-processor and the secure peripheral for executing a portion of the application;
  
  (b) executing the portion of the application by the master security co-processor utilizing the secure channel;
  
  (c) determining whether the application can be executed securely; and
  
  (d) allowing a system administrator to track use of the secure peripheral.

18. An apparatus for executing secure transactions on a computer system comprising:
- a computer system including a basic input output system (BIOS), the BIOS including first means for indicating a first trust relationship with the BIOS;
  
  a secure peripheral coupled with the computer system, the secure peripheral including second means for indicating a second trust relationship with the secure peripheral; and
  
  a master security co-processor coupled with the computer system, the master security co-processor including third means for indicating a third trust relationship with the security co-processor;
  
  wherein the BIOS verifies at least one of the first trust relationship, the second trust relationship, or the third trust relationship using the first means for indicating the first trust relationship, the second means for indicating the second trust relationship, or the third means for indicating the third trust relationship.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The apparatus of claim 18 wherein the BIOS further includes a signature mechanism and wherein the BIOS further verifies the first trust relationship using the signature mechanism.
  - 20. The apparatus of claim 18 wherein the BIOS further verifies the second trust relationship using the second means for indicating the second trust relationship and verifies the third trust relationship using the third means for indicating the third trust relationship.
  - 21. The apparatus of claim 20 wherein the secure peripheral includes a second digital certificate and a second private key, the master security co-processor includes a third digital certificate and a third private key;
    - and wherein the BIOS further verifies the second digital certificate and the third digital certificate.
  - 22. The apparatus of claim 21 wherein the computer system further includes an application, a portion of the application to be executed by the master security co-processor, and wherein the apparatus further includes:
    - means for establishing a secure channel for communication between the master security co-processor and the secure peripheral when executing the portion of the application.
  - 23. The apparatus of claim 22 wherein the master security co-processor further includes a first digital certificate, wherein the secure peripheral includes a second digital certificate, and wherein secure channel establishing means further includes:
    - means for providing the first digital certificate to the secure peripheral;
      
      means for providing the second digital certificate to the master security co-processor;
      
      means for verifying the first digital certificate using the secure peripheral;
      
      means for verifying the second digital certificate using the master security co-processor; and
      
      means for negotiating a session key for communication between the master security co-processor and the secure peripheral for executing the portion of the application.
  - 24. The apparatus of claim 23 wherein the mater security co-processor executes the portion of the application utilizing the secure channel.
  - 25. The apparatus of claim 22 further comprising:
    - means for determining whether the application can be executed securely.
  - 26. The apparatus of claim 25 wherein the system includes a plurality of resources and wherein means for determining whether the application can be executed securely further includes:
    - means for determining whether the plurality of resources are sufficient for executing the application; and
      
      means for executing the application only if the plurality of resources is sufficient.
  - 27. The apparatus of claim 26 wherein means for determining whether the plurality of resource is sufficient further includes:
    - means for determining if the secure peripheral is sufficient for executing the application.
  - 28. The apparatus of claim 25 wherein the system is managed by a system administrator and wherein the system administrator is allowed to track use of the secure peripheral.
  - 29. The apparatus of claim 20 wherein the BIOS further provides a list of a plurality of secure resources, the plurality of secure resources including the master security co-processor and the secure peripheral.

30. An apparatus for executing an application utilizing sensitive data on a computer system, the computer system including a master security co-processor and a secure peripheral, the master security co-processor further including a first digital certificate, the secure peripheral including a second digital certificate, the apparatus comprising:
- means for establishing a secure channel for communication between the master security co-processor and the secure peripheral for executing a portion of the application, the secure channel establishing means further includingmeans for providing the first digital certificate to the secure peripheral;
  
  means for providing the second digital certificate to the master security co-processor;
  
  means for verifying the first digital certificate using the secure peripheral;
  
  means for verifying the second digital certificate using the master security co-processor; and
  
  means for providing a session key for communication between the master security co-processor and the secure peripheral for executing the application; and
  
  means for executing the portion of the application by the master security co-processor utilizing the secure channel.
- View Dependent Claims (31, 32, 33)
- - 31. The apparatus of claim 30 further comprising:
    - means for determining whether the application can be executed securely.
  - 32. The apparatus of claim 31 wherein the system includes a plurality of resources and wherein the means for determining whether the application can be executed securely further includes:
    - means for determining whether the plurality of resources are sufficient for executing the application; and
      
      means for executing the application only if the plurality of resources is sufficient.
  - 33. The apparatus of claim 32 wherein the resource determining means further includes:
    - means for determining if the secure peripheral is sufficient for executing the application.

34. An apparatus for executing an application utilizing sensitive data on a computer system, the computer system including a master security co-processor and a secure peripheral, the apparatus comprising:
- means for establishing a secure channel for communication between the master security co-processor and the secure peripheral for executing a portion of the application; and
  
  means for executing the portion of the application by the master security co-processor utilizing the secure channelmeans for determining whether the application can be executed securelymeans for allowing a system administrator to track use of the secure peripheral.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ESW Holdings, Inc. (ESW Capital, LLC)
Original Assignee
N&K Technology Incorporated
Inventors
Veil, Leonard Scott
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US09/192,152
Time in Patent Office

711 Days
Field of Search

713/200, 713/173, 713/175, 713/201, 713/156, 713/202, 713/171, 709/229, 380/4, 380/228, 380/25, 380/259, 380/159, 340/825.34
US Class Current

726/10
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/72   in cryptographic circuits

G06F 21/85   interconnection devices, e....

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

Method and system for authenticating and utilizing secure resources in a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

211 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for authenticating and utilizing secure resources in a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

211 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links