System and method for providing endorsement certificate

US 7,263,608 B2
Filed: 12/12/2003
Issued: 08/28/2007
Est. Priority Date: 12/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising the acts of:

providing an endorsement key pair to a security module associated with a customer computing device, the endorsement key pair including a public key and a private key;

storing data representative of the public key in a storage external to the customer device;

at a subsequent time, receiving at a comparison agent operatively connected to the storage, certificate request data from the customer device, die certificate request data including a hash of the public key with a temporary secret;

determining whether at least a portion of the certificate request data transmitted to the comparison agent matches the data representative of the public key stored in the storage, and if so;

generating an endorsement certificate at least in part using the public key;

providing the endorsement certificate to the customer device; and

erasing the temporary secret from the security module after the certificate request data has been sent to the comparison agent so that the temporary secret cannot subsequently be discovered.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Trusted Computing Platform Alliance (TCPA) endorsement certificate is provided by comparing a trusted platform module (TPM) public key transmitted by an owner of the computing device to which the TPM belongs to a copy of the key as originally stored in a remote database prior to vending the device. If a match is found the certificate is created using the public key, and then sent to the owner of the computing device.

24 Citations

View as Search Results

17 Claims

1. A method comprising the acts of:
- providing an endorsement key pair to a security module associated with a customer computing device, the endorsement key pair including a public key and a private key;
  
  storing data representative of the public key in a storage external to the customer device;
  
  at a subsequent time, receiving at a comparison agent operatively connected to the storage, certificate request data from the customer device, die certificate request data including a hash of the public key with a temporary secret;
  
  determining whether at least a portion of the certificate request data transmitted to the comparison agent matches the data representative of the public key stored in the storage, and if so;
  
  generating an endorsement certificate at least in part using the public key;
  
  providing the endorsement certificate to the customer device; and
  
  erasing the temporary secret from the security module after the certificate request data has been sent to the comparison agent so that the temporary secret cannot subsequently be discovered.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the receiving act is associated with a request from the customer device for the endorsement certificate.
  - 3. The method of claim 1, further comprising transferring the customer device to a customer after the storing act.
  - 4. The method of claim 1, wherein the security module is a trusted platform module (TPM).
  - 5. The method of claim 1, wherein the storage and the comparison agent are not associated with a vendor of the customer device.
  - 6. The method of claim 1, further comprising signing the endorsement certificate with a signing key.

7. A customer computing device, comprising:
- at least one security module containing a private key and a public key related to the private key, the keys establishing an endorsement key pair;
  
  at least one processor operatively connected to the security module and executing logic comprising;
  
  requesting an endorsement certificate at least in part by sending data representative of the public key to a source of endorsement certificates, the data representative of the public key including a hash of the public key with a nonce; and
  
  if it is determined at the source that the data representative of the public key matches a version of the data representative of the public key already at the source, receiving from the source an endorsement certificate generated by the source, the endorsement certificate being generated at least in part using the public key;
  
  wherein the nonce is erased from the security module after the data representative of the public key has been sent to the source so that the nonce cannot subsequently be discovered.
- View Dependent Claims (8, 9, 10)
- - 8. The device of claim 7, wherein the endorsement certificate is signed with a signing key.
  - 9. The device of claim 7, wherein the security module is a trusted platform module (TPM).
  - 10. The device of claim 8, wherein the source of endorsement certificates is not the source of the customer device.

11. A service comprising:
- storing data representative of public keys associated with respective customer computing devices;
  
  receiving transmissions of data representative of public keys from customer computing devices;
  
  comparing the received data representative of a public key with at least the stored data representative of a public key to determine if a match is found; and
  
  , if a match is found;
  
  generating an endorsement certificate if a match is found; and
  
  providing the endorsement certificate to the customer computing device, wherein the data representative of a public key includes a hash of the public key and a secret, the secret being erased from the customer computing device after the data representative of the public key has been sent to the facility such that the secret cannot be rediscovered.
- View Dependent Claims (12, 13, 14)
- - 12. The service of claim 11, wherein the endorsement certificate is generated based at least in part on the associated public key.
  - 13. The service of claim 12, further comprising signing the endorsement certificate with a signing key before providing the endorsement certificate to the customer computing device.
  - 14. The service of claim 11, wherein the public keys are associated with respective trusted platform modules.

15. A computing facility comprising:
- means for storing data representative of public keys associated with respective customer computing devices, prior to providing the devices to customers;
  
  means for receiving transmissions of data representative of public keys from devices provided to customers;
  
  means for comparing data representative of a public key received from a device provided to a customer with at least data representative of a public key in the means for storing to determine if a match is found;
  
  means for generating an endorsement certificate based at least in part on the associated public key if a match is found; and
  
  means for transmitting the endorsement certificate to the customer device, wherein the data representative of a public key includes a hash of the public key and secret, and the secret is erased from a customer computing device after the data representative of the public key has been sent to the facility so that the secret cannot be rediscovered.
- View Dependent Claims (16, 17)
- - 16. The facility of claim 15, wherein the means for generating signs the endorsement certificate with a signing key before transmitting the endorsement certificate to the customer device.
  - 17. The facility of claim 15, wherein the public keys are associated with respective crusted platform modules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo PC International Limited (Lenovo Group Ltd.)
Original Assignee
Lenovo Singapore Pte Limited (Lenovo Group Ltd.)
Inventors
Springfield, Randall Scott, Challener, David Carroll, Ward, James Peter, Hoff, James Patrick
Primary Examiner(s)
Barrón, Jr.; Gilberto
Assistant Examiner(s)
Banks; Corbann

Application Number

US10/735,388
Publication Number

US 20050132182A1
Time in Patent Office

1,355 Days
Field of Search

713/155, 713/156
US Class Current

713/156
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 2221/2117 User registration

System and method for providing endorsement certificate

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing endorsement certificate

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links