Platform and method for issuing and certifying a hardware-protected attestation key

US 6,996,710 B1
Filed: 03/31/2000
Issued: 02/07/2006
Est. Priority Date: 03/31/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

generating an attestation key pair in a platform that supports isolated execution mode, wherein the platform comprises a processor capable of operating in isolated execution mode and a system memory to include an isolated area that is accessible only when the processor is operating in isolated execution mode, and wherein the attestation key pair includes a private attestation key and a public attestation key; and

producing a certificate for the platform to attest that the platform uses isolated execution mode to protect the private key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method for certifying an attestation key comprises generating a remote attestation key pair within a platform and producing a certificate. The certificate includes a public attestation key to attest that a private attestation key, corresponding to the public attestation key, is stored in hardware-protected memory.

Citations

19 Claims

1. A method comprising:
- generating an attestation key pair in a platform that supports isolated execution mode, wherein the platform comprises a processor capable of operating in isolated execution mode and a system memory to include an isolated area that is accessible only when the processor is operating in isolated execution mode, and wherein the attestation key pair includes a private attestation key and a public attestation key; and
  
  producing a certificate for the platform to attest that the platform uses isolated execution mode to protect the private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the producing of the certificate occurs at an initial power-on of the platform.
  - 3. The method of claim 1, wherein the operation of generating an attestation key pair comprises:
    - loading, into the platform, boot code provided by an agent of an outside entity;
      
      booting the platform from the boot code provided by the agent; and
      
      after booting the platform from the boot code provided by the agent, executing an applet in isolated execution mode to generate the attestation key pair.
  - 4. The method of claim 3, wherein the producing of the certificate further comprises signing the certificate with a private key of the outside entity.
  - 5. The method of claim 1, wherein the producing of the certificate comprises:
    - signing the certificate with a private key held by a manufacturer of the platform.
  - 6. The method of claim 1 further comprising:
    - receiving a challenge message from a remotely located platform, the challenge message including a nonce.
  - 7. The method of claim 6 further comprising:
    - generating a response message for transmission to the remotely located platform, the response message including the certificate, the nonce and a hash value of an audit log.
  - 8. The method of claim 7, wherein the nonce and the hash value are signed with the private attestation key.

9. A platform comprising:
- a processor to operate selectively in distinct modes including a normal execution mode and an isolated execution mode;
  
  storage in communication with the processor, the storage comprising a system memory to include an isolated area that is accessible only when the processor is operating in isolated execution mode;
  
  key generation instructions encoded in the storage, the key generation instructions to generate an attestation key pair for the platform while executing in isolated execution mode, wherein the attestation key pair comprises a private attestation key and a public attestation key; and
  
  a certificate in the storage, wherein the certificate attests that the platform uses isolated execution mode to protect the private key.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The platform of claim 9, wherein the storage comprises a processor nub to execute in isolated execution mode and an operating system nub to execute in isolated execution mode.
  - 11. The platform of claim 9 further comprising at least one input/output device allowing communications with a remotely located platform.
  - 12. The platform of claim 9 further comprising:
    - a device in communication with the processor; and
      
      a token link coupled to the device, the token link providing a communication path for a token.
  - 13. The platform of claim 12 wherein the token stores the private attestation key of the attestation key pair.
  - 14. The platform of claim 12, wherein the device comprises a protected memory to hold an audit log of software modules loaded on the platform in isolated execution mode.
  - 15. The platform of claim 12, wherein the device is an input/output control hub.

16. A method comprising:
- generating an attestation key pair for a platform;
  
  storing a private attestation key of the attestation key pair into isolated memory of the platform, the isolated memory being accessible to a processor of the platform only when the processor operates in isolated execution mode, wherein the isolated memory comprises hardware-protected memory; and
  
  producing a certificate including the public attestation key, the certificate to attest that the platform stores the private attestation key in the isolated memory.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the hardware-protected memory includes single-write, multiple-read control registers.
  - 18. The method of claim 16, wherein the producing of the certificate occurs at an initial power-on of the platform.
  - 19. The method of claim 16, wherein the operation of generating an attestation key pair comprises:
    - booting the platform from code provided by an agent of an outside entity; and
      
      using the code provided by the agent to generate the attestation key pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Thakkar, Shreekant S., Neiger, Gilbert, Ellison, Carl M., Mittal, Millind, Reneris, Ken, Lin, Derrick C., McKeen, Francis X., Sutton, James A., Herbert, Howard C., Golliver, Roger A.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
STULBERGER, CAS P

Application Number

US09/538,951
Time in Patent Office

2,139 Days
Field of Search

713/156, 713/155, 713/168, 713/188, 713/189, 713/164, 713/165, 713/167, 705/55
US Class Current

713/156
CPC Class Codes

H04L 2209/12   Details relating to cryptog...

H04L 9/0861   Generation of secret inform...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Platform and method for issuing and certifying a hardware-protected attestation key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Platform and method for issuing and certifying a hardware-protected attestation key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links