Validation of inclusion of a platform within a data center

US 7,058,807 B2
Filed: 04/15/2002
Issued: 06/06/2006
Est. Priority Date: 04/15/2002
Status: Active Grant

First Claim

Patent Images

1. A platform comprising:

a private key to validate inclusion of the platform within a data center; and

at least one token to seal the private key to the platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method comprises generating a cryptographic key pair associated with a data center. The method also includes storing a private key of the cryptographic key pair within a platform. The private key is used to sign a value stored in the platform for validation of inclusion of the platform into the data center. In an embodiment, the private key is revoked upon determining that the platform has been compromised. In one embodiment, the private key may be revoked in each of the platforms of the data center.

244 Citations

53 Claims

1. A platform comprising:
- a private key to validate inclusion of the platform within a data center; and
  
  at least one token to seal the private key to the platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The platform of claim 1, further comprisingan interface to provide a response signed by the private key in response to a received challenge.
  - 3. The platform of claim 1, wherein the at least one token comprisesa register to store a metric of the platform;
    - anda processing unit to seal the private key to the metric.
  - 4. The platform of claim 3, wherein the metric stored in the register corresponds to a policy of the data center when the platform is within the data center.
  - 5. The platform of claim 3, wherein the processing unit is to generate the metric during an initiation of the platform.
  - 6. The platform of claim 3, wherein the processing unit is to generate the private key.
  - 7. The platform of claim 1, wherein the private key is to be stored within a number of platforms of the data center.
  - 8. The platform of claim 1, wherein the private key is different from private keys to be stored in other platforms of the data center.

9. A data center comprising:
- an administrative unit to generate a cryptographic key pair that includes a private key; and
  
  a platform coupled to the administrative unit, the platform comprising a token, wherein the token comprisesa private key to validate inclusion of the platform within the data center;
  
  a register to store a metric of the platform; and
  
  a processing unit to seal the private key based on the metric.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The data center of claim 9, wherein the private key is to be stored within a number of platforms of the data center.
  - 11. The data center of claim 9, wherein the private key is different from private keys to be stored in other platforms of the data center.
  - 12. The data center of claim 9, wherein the register is to store a metric of the platform that corresponds to a policy of the data center.
  - 13. The data center of claim 9, wherein the platform further comprises an interface to provide a response signed by the private key in response to a received challenge.

14. A data center comprising:
- a platform comprisinga token that includes a processing unit and a register, the register to store a value, wherein the value represents a policy of the platform, the processing unit to generate a cryptographic key pair that includes a private key;
  
  a memory to store the private key of the cryptographic key pair; and
  
  an administrative unit coupled to the platform, the administrative unit to generate a root key for the data center, to generate a signing key for the data center based on a certification of the root key, to sign the private key of the platform with the signing key of the data center.
- View Dependent Claims (15, 16, 17)
- - 15. The data center of claim 14, further comprising a certification authority to certify the root key.
  - 16. The data center of claim 15, wherein the certification authority is to validate inclusion of the platform within the data center.
  - 17. The data center of claim 14, wherein the memory is to store the private key that is different from private keys stored in other platforms of the data center.

18. A method comprising:
- generating a cryptographic key pair associated with a data center; and
  
  storing a private key of the cryptographic key pair within a platform, the private key used to sign a value stored in the platform for validation of inclusion of the platform into the data center.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18, further comprising validating a policy for the platform prior to storing the private key within the platform.
  - 20. The method of claim 19, wherein validating the policy comprises validating metrics of the platform.
  - 21. The method of claim 19, further comprising associating the private key with the policy for the platform.
  - 22. The method of claim 21, wherein associating the private key with the policy for the platform comprises,binding the private key based on the hardware of the platform;
    - andsealing the private key based on the policy for the platform.
  - 23. The method of claim 22, wherein sealing of the private key based on the policy for the platform comprises sealing the private key based on a value stored in a register within a physical token in the platform.
  - 24. The method of claim 18, further comprising storing the private key of the cryptographic key pair in a number of platforms within the data center.

25. A method comprising:
- receiving a quote request to validate inclusion of a platform within a data center;
  
  retrieving a value associated with a policy of the platform, the value stored in the platform;
  
  signing the value using a private key of a cryptographic key pair stored in the platform; and
  
  outputting the signed value in response to the quote request.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method of claim 25, wherein retrieving the value associated with the policy of the platform comprises retrieving the value from a physical token of the platform.
  - 27. The method of claim 25, wherein signing the value using the private key of the cryptographic key pair comprises signing the value using a private key that is different from private keys stored other platforms within the data center.
  - 28. The method of claim 25, wherein receiving the quote request comprises receiving a quote request that comprises a random value.
  - 29. The method of claim 25, further comprising,signing the random value using the private key;
    - andoutputting the random value in response to the quote request.

30. A machine-readable medium that provides instructions, which when executed by a machine, cause said machine to perform operations comprising:
- generating a quote request to validate inclusion of a platform within a data center;
  
  transmitting the quote request to the platform;
  
  receiving a response to the quote request, the response including a value stored in the platform that is signed by a private key stored in the platform, wherein the value is associated with a policy of the platform; and
  
  validating the inclusion of the platform within the data center based on decryption of the value using a public key that corresponds to the private key.
- View Dependent Claims (31, 32, 33, 34, 35)
- - 31. The machine-readable medium of claim 30, further comprising retrieving a policy of the data center.
  - 32. The machine-readable medium of claim 31, wherein validating the inclusion of the platform comprises validating that the policy of the platform corresponds to the policy of the data center.
  - 33. The machine-readable medium of claim 31, wherein validating the inclusion of the platform within the data center comprises validating that a number of metrics of the platform correspond to the policy of the data center.
  - 34. The machine-readable medium of claim 30, wherein validating the inclusion of the platform within the data center comprises validating the private key has been signed by a signing key associated with the data center using a certifying authority validation.
  - 35. The machine-readable medium of claim 30, wherein generating the quote request comprises generating a quote request that includes a random value, wherein validating the inclusion of the platform within the data center comprises validating that the decryption of the response includes the random value.

36. A machine-readable medium that provides instructions, which when executed by a machine, cause said machine to perform operations comprising:
- generating a root key associated with a data center;
  
  generating a signing key based on the root key using a certification of the root key;
  
  receiving a request from a platform for inclusion into the data center, the request to include a private key associated with the platform;
  
  certifying the private key based on a signature from the signing key associated with the data center; and
  
  storing the certification of the private key within the platform, the private key to sign a value stored in the platform for validation of inclusion of the platform within the data center.
- View Dependent Claims (37, 38, 39, 40, 41, 42)
- - 37. The machine-readable medium of claim 36, wherein receiving the request from the platform comprises receiving a request that includes a private key for the platform that is different from private keys of other platforms in the data center.
  - 38. The machine-readable medium of claim 36, further comprising validating that the platform includes a policy that corresponds to a policy for the data center prior to certifying the private key of the platform.
  - 39. The machine-readable medium of claim 38, wherein validating comprises validating that the platform comprises a number of metrics for the data center.
  - 40. The machine-readable medium of claim 39, further comprising associating the private key with the policy for the platform.
  - 41. The machine-readable medium of claim 40, wherein associating the private key with the policy for the platform comprises,binding the private key based on the hardware of the platform;
    - andsealing the private key based on the policy for the platform.
  - 42. The machine-readable medium of claim 41, wherein the sealing of the private key based on the policy for the platform comprises sealing the private key based on a value stored in a register within a physical token in the platform.

43. A machine-readable medium that provides instructions, which when executed by a machine, cause said machine to perform operations comprising:
- performing the following, upon determining that a platform of a number of platforms of a data center has been compromised,revoking a current cryptographic key pair stored in the number of platforms of the data center;
  
  generating a new cryptographic key pair associated with the data center; and
  
  storing a new private key of the new cryptographic key pair into the number of platforms that had been compromised.
- View Dependent Claims (44, 45, 46, 47, 48)
- - 44. The machine-readable medium of claim 43, further comprising validating a policy for the number of platforms prior to storing the new private key into the number of platforms.
  - 45. The machine-readable medium of claim 44, wherein validating the policy comprises validating metrics of the platform.
  - 46. The machine-readable medium of claim 44, wherein the performing of the following further comprises associating the new private key with the policy of the platform.
  - 47. The machine-readable medium of claim 43, further comprising determining that a current private key of the current cryptographic key pair is unusable in at least one platform of the number of platforms.
  - 48. The machine-readable medium of claim 47, further comprising redistributing the current private key to the at least one platform, upon determining that the at least one platform has not been compromised.

49. A machine-readable medium that provides instructions, which when executed by a machine, cause said machine to perform operations comprising:
- performing the following, upon determining that a platform of a number of platforms of a data center has been compromised and that a current private key stored in the platform is different from private keys stored in other platforms of the data center,revoking a current cryptographic key pair that includes the current private key;
  
  certifying a new private key based on a signature from a signing key associated with the data center; and
  
  storing the certification of the new private key within the platform, wherein the new private key is to sign a value stored in the platform for validation of the platform within the data center.
- View Dependent Claims (50, 51, 52, 53)
- - 50. The machine-readable medium of claim 49, further comprising validating that the platform includes a policy that corresponds to a policy for the data center prior to certifying the new private key.
  - 51. The machine-readable medium of claim 50, wherein the performing the following comprises associating the new private key with the policy of the platform.
  - 52. The machine-readable medium of claim 49, further comprising determining that the current private key is unusable in at least one of platform of the number of platforms.
  - 53. The machine-readable medium of claim 52, further comprising redistributing the current private key to the at least one platform, upon determining that the at least one platform has not been compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Sutton, James A. II, Grawrock, David W.
Primary Examiner(s)
Smithers, Matthew

Application Number

US10/122,785
Publication Number

US 20030196083A1
Time in Patent Office

1,513 Days
Field of Search

713/172
US Class Current

713/172
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/73   by creating or determining ...

G06F 2221/2103   Challenge-response

H04L 63/062   for key distribution, e.g. ...

H04L 63/104   Grouping of entities

Validation of inclusion of a platform within a data center

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

244 Citations

53 Claims

Specification

Use Cases

Quick Links

Others

Validation of inclusion of a platform within a data center

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

244 Citations

53 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others