Method and apparatus for secure remote system management
First Claim
1. A method, comprising:
receiving a request for hardware component information at a service processor disposed in a hardware component as an open session request from a requesting client application;
transmitting from the service processor a challenge string to the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
receiving at the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
comparing the challenge response to an expected response to the challenge string, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;
transmitting the hardware component information to the requesting client application; and
receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
Abstract
To prevent unauthorized access to hardware management information in an out-of-band mode, i.e., when the operating system of the hardware is not executing, a method and apparatus employ an authentication protocol. Upon receiving a request for hardware component information in a service processor that is disposed in a hardware component, which request is received as an open session request and which request passes external to an operating system controlling the hardware component, the service processor transmits a challenge string to the requesting client application. In response to a challenge response received from the requesting client application, the service processor compares the challenge response to an expected response to the challenge. The expected challenge response is calculated by the service processor. Based on the result of the comparison, the service processor transmits an authentication response to the requesting client application indicating success or failure of the authentication process. On the client side, in response to a challenge string from the service processor, the requesting client application transmits to the service processor a challenge response, which includes a sequence number that increments with every new message from the requesting client application. The challenge response also includes a hash number calculated by the requesting client application, which hash number is a function of the challenge string, session identification number, sequence number and/or a password. Each new packet including data and/or commands from the client application includes a similarly calculated hash number.
105 Citations
16 Claims
1. A method, comprising: see "First Claim" above. Dependent claims: 2, 3, 4.

5. A method, comprising:
transmitting a request for hardware component information to a service processor disposed in a hardware component as an open session request from a requesting client application;
receiving from the service processor a challenge string at the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
transmitting to the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
receiving from the service processor an authentication response to the requesting client application based on a comparison of the challenge response from the requesting client application and an expected challenge response calculated in the service processor, wherein the comparison includes verifying the session identification in the challenge response transmitted to the service processor against the session identification received in the challenge string; and
receiving at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
Dependent claims: 6, 16.

7. An apparatus, comprising:
a remote access port; and
a service processor coupled to the remote access port, the service processor including a machine-readable medium having stored thereon a set of instructions which, when executed, cause the service processor to:
in response to a remote request for information about a component received as an open session request through the remote access port external to a host operating system of the apparatus, transmit a challenge string to a requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
compare a challenge response received from the requesting client application with an expected response, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;
transmit an authentication response to the requesting client application based on the comparison; and
receive at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
Dependent claims: 8, 9.

10. A system, comprising:
a processor;
a memory; and
a client application stored on a machine-readable medium, the client application including a set of instructions which, when executed, cause the client application to:
transmit a request for hardware component information to a service processor disposed in a hardware component as an open session request;
receive from the service processor a challenge string at the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
transmit to the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
receive from the service processor an authentication response to the requesting client application based on a comparison of the challenge response from the requesting client application and an expected challenge response calculated at the service processor, wherein the comparison includes verifying the session identification received in the challenge response against the session identification in the challenge string; and
receive at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
Dependent claims: 12, 13.

11. A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
receive a request for hardware component information at a service processor disposed in a hardware component as an open session request;
transmit from the service processor a challenge string to the requesting client application, the challenge string including a session identification assigned by the service processor, wherein the session identification is unique to each session;
receive at the service processor a challenge response from the requesting client application, the challenge response including the session identification and a first hash number that comprises a function of at least one of the challenge string, the session identification, a sequence number, and a password;
compare the challenge response to an expected response to the challenge string, wherein the comparing includes verifying the session identification received in the challenge response against the session identification transmitted in the challenge string;
transmit the hardware component information to the requesting client application; and
receive at the service processor a direct platform control (DPC) message from the client application, the DPC message including a second hash number to verify the integrity of the DPC message, wherein the DPC message is to perform one or more of connecting to Basic Input Output System (BIOS), rebooting, resetting, and shutting down of the service processor.
Dependent claims: 14, 15.
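The challenge-response and per-message integrity scheme described in the abstract and in claims 1, 5, 7, 10 and 11, as an added worked example that is not code from the patent: both sides of the exchange in Python. It assumes HMAC-SHA256 keyed by the password as the unspecified hash function, assumes the hash also covers the message body so that a DPC command cannot be altered in transit, and uses constructed names for the DPC operations.

```python
import hashlib
import hmac
import secrets
DPC_COMMANDS = {"connect_bios", "reboot", "reset", "shutdown"}  # constructed names for the claimed DPC operations

def message_hash(password, challenge, session_id, seq, body):
    # Assumed construction (the patent does not fix one): HMAC-SHA256 keyed by the
    # password over the challenge string, session id, sequence number and message body.
    data = f"{challenge}|{session_id}|{seq}|{body}".encode()
    return hmac.new(password.encode(), data, hashlib.sha256).hexdigest()

class ServiceProcessor:
    def __init__(self, password):
        self._password = password
        self._sessions = {}  # session_id -> {"challenge", "last_seq", "authenticated"}
    def open_session(self):
        sid, challenge = secrets.token_hex(8), secrets.token_hex(16)  # unique per session
        self._sessions[sid] = {"challenge": challenge, "last_seq": 0, "authenticated": False}
        return {"session_id": sid, "challenge": challenge}  # the challenge string sent to the client
    def _verify(self, msg):
        s = self._sessions.get(msg["session_id"])  # session id must be one this processor issued
        if s is None or msg["seq"] <= s["last_seq"]:  # stale or replayed sequence number
            return None
        expected = message_hash(self._password, s["challenge"], msg["session_id"], msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, msg["hash"]):  # expected response is computed here
            return None
        s["last_seq"] = msg["seq"]
        return s
    def authenticate(self, response):
        s = self._verify(response)
        if s is not None:
            s["authenticated"] = True
        return "success" if s is not None else "failure"  # the authentication response
    def direct_platform_control(self, msg):
        s = self._verify(msg)  # the second hash number is checked the same way
        if s is None or not s["authenticated"] or msg["body"] not in DPC_COMMANDS:
            return "rejected"
        return "executed " + msg["body"]

class ClientApplication:
    def __init__(self, password):
        self._password, self._seq, self._session = password, 0, None
    def send(self, body):
        self._seq += 1  # sequence number increments with every new message
        sid, challenge = self._session["session_id"], self._session["challenge"]
        return {"session_id": sid, "seq": self._seq, "body": body,
                "hash": message_hash(self._password, challenge, sid, self._seq, body)}
    def challenge_response(self, challenge_msg):
        self._session = challenge_msg
        return self.send("open")  # first hash number, echoing the assigned session id
```

Because the service processor only accepts a session id it issued and a sequence number higher than the last one seen, a captured challenge response or DPC message replayed later is rejected, and a DPC body altered in transit fails the hash check.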
Specification