Method and apparatus for secure remote system management

US 7,024,695 B1
Filed: 12/30/1999
Issued: 04/04/2006
Est. Priority Date: 12/30/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving a request for hardware component information at a service processor disposed in a hardware component as an open session request from a requesting client application;

transmitting from the service processor a challenge string to the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;

receiving at the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;

comparing the challenge response to an expected response to the challenge string, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;

transmitting the hardware component information to the requesting client application; and

receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To prevent unauthorized access to hardware management information in an out-of-band mode, i.e., when the operating system of the hardware is not executing, a method and apparatus employ an authentication protocol. Upon receiving a request for hardware component information in a service processor that is disposed in a hardware component, which request is received as an open session request and which request passes external to an operating system controlling the hardware component, the service processor transmits a challenge string to the requesting client application. In response to a challenge response received from the requesting client application, the service processor compares the challenge response to an expected response to the challenge. The expected challenge response is calculated by the service processor. Based on the result of the comparison, the service processor transmits an authentication response to the requesting client application indicating success or failure of the authentication process. On the client side, in response to a challenge string from the service processor, the requesting client application transmits to the service processor a challenge response, which includes an sequence number that increments with every new message from the requesting client application. The challenge response also includes a hash number calculated by the requesting client application, which hash number is a function of the challenge string, session identification number, sequence number and/or a password. Each new packet including data and/or commands from the client application includes a similarly calculated hash number.

105 Citations

16 Claims

1. A method, comprising:
- receiving a request for hardware component information at a service processor disposed in a hardware component as an open session request from a requesting client application;
  
  transmitting from the service processor a challenge string to the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
  
  receiving at the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
  
  comparing the challenge response to an expected response to the challenge string, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;
  
  transmitting the hardware component information to the requesting client application; and
  
  receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the challenge response includes the sequence number, wherein the sequence number increments with every new message.
  - 3. The method of claim 1, further comprising examining the DPC message received from the client application for one or more of the session identification, the sequence number, and the second hash number.
  - 4. The method of claim 3, wherein the second hash number comprises a function of at least one of a body of the DPC message, the session identification, the sequence number, and the password.

5. A method, comprising:
- transmitting a request for hardware component information to a service processor disposed in a hardware component as an open session request from a requesting client application;
  
  receiving from the service processor a challenge string at the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
  
  transmitting to the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
  
  receiving from the service processor an authentication response to the requesting client application based on a comparison of the challenge response from the requesting client application and an expected challenge response calculated in the service processor, wherein the comparison includes verifying the session identification in the challenge response transmitted to the service processor against the session identification received in the challenge string; and
  
  receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
- View Dependent Claims (6, 16)
- - 6. The method of claim 5, wherein the second hash number comprises a function of at least one of a body of the DPC message, the session identification, the sequence number, and the password.
  - 16. The method of claim 6, wherein the sequence number increments with every new message.

7. An apparatus, comprising:
- a remote access port; and
  
  a service processor coupled to the remote access port, wherein the service processor including a machine-readable medium, having stored thereon a set of instructions which, when executed, cause the service processor to;
  
  in response to a remote request for information about a component received as an open session request through the remote access port external to a host operating system of the apparatus, transmit a challenge string to a requesting client application, the challenge string including session identification assigned by the service processor, wherein the session identification is unique to each session;
  
  compare a challenge response received from the requesting client application with an expected response, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;
  
  transmit an authentication response to the requesting client application based on the comparison; and
  
  receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
- View Dependent Claims (8, 9)
- - 8. The apparatus of claim 7, wherein the service processor compares the sequence number included in the challenge response against previously received sequence numbers and ignores the challenge response if it does not include a sequence number in correct sequence.
  - 9. The apparatus of claim 7, wherein the service processor compares the first hash number received in the challenge response with an expected hash calculated by the service processor and transmits a success or failure message depending upon a result of the comparison.

10. A system, comprising:
- a processor;
  
  a memory; and
  
  a client application stored on a machine-readable medium, the client application including a set of instructions which, when executed, cause the client application to;
  
  transmit a request for hardware component information to a service processor disposed in a hardware component as an open session request;
  
  receive from the service processor a challenge string at the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
  
  transmit to the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
  
  receive from the service processor an authentication response to the requesting client application based on a comparison of the challenge response from the requesting client application and an expected challenge response calculated at the service processor, wherein the comparison includes verifying the session identification received in the challenge response against the session identification in the challenge string; and
  
  receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS) rebooting, resetting, and shutting down of the service processor.
- View Dependent Claims (12, 13)
- - 12. The system of claim 10, wherein the service processor compares the sequence number included in the challenge response against previously received sequence numbers and ignores the challenge response if it does not include a sequence number in correct sequence.
  - 13. The system of claim 10, wherein the service processor compares a first hash number received in the challenge response with an expected hash calculated by the service processor and transmits a success or failure message depending upon a result of the comparison.

11. A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, causes the machine to:
- receive a request for hardware component information to a service processor disposed in a hardware component as an open session request;
  
  transmit from the service processor a challenge string at the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
  
  receive at the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
  
  compare the challenge response to an expected response to the challenge string, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;
  
  transmit the hardware component information to the requesting client application; and
  
  receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
- View Dependent Claims (14, 15)
- - 14. The machine-readable medium of claim 11, wherein the sequence number included in the challenge response increments with every new message.
  - 15. The machine-readable medium of claim 11, wherein the set of instructions which, when executed by the machine, further causes the machine to examine each packet received from the client application for one or more of the session identification, the sequence number, and the first hash number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kumar, Mohan J., Kumar, Arvind
Primary Examiner(s)
Barrón, Gilberto
Assistant Examiner(s)
Lanier, Benjamin E.

Application Number

US09/476,737
Time in Patent Office

2,287 Days
Field of Search

713/201, 713/159
US Class Current

726/26
CPC Class Codes

G06F 11/0748   in a remote unit communicat...

G06F 11/0793   Remedial or corrective acti...

G06F 21/305   by remotely controlling dev...

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

H04L 41/00   Arrangements for maintenanc...

H04L 41/22   comprising specially adapte...

H04L 63/083   using passwords cryptograph...

Method and apparatus for secure remote system management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

105 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for secure remote system management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links