Attestation using both fixed token and portable token

US 7,318,235 B2
Filed: 12/16/2002
Issued: 01/08/2008
Est. Priority Date: 12/16/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprisingrequesting a fixed token to create a sealed key blob comprising both a first key pair and first usage authorization data, wherein knowledge of the first usage authorization data is required in order to use a private key of the first key pair, andrequesting a portable token to create a protected key blob, where the protected key blob comprises the sealed key blob and second usage authorization data, wherein knowledge of the second usage authorization data is required in order to obtain the sealed key blob from the protected key blob.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and machine readable medium are described for creating and using protected key blobs that require a particular portable token be present before use of the key or keys of the protected key blob is granted. Such protected key blobs may be used to establish a level of trust between a local user and the computing device.

242 Citations

22 Claims

1. A method comprisingrequesting a fixed token to create a sealed key blob comprising both a first key pair and first usage authorization data, wherein knowledge of the first usage authorization data is required in order to use a private key of the first key pair, andrequesting a portable token to create a protected key blob, where the protected key blob comprises the sealed key blob and second usage authorization data, wherein knowledge of the second usage authorization data is required in order to obtain the sealed key blob from the protected key blob.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 comprisingencrypting the private key of the first key pair and the first usage authorization data with the fixed token and a public key of the fixed token, andcreating the sealed key blob with the encrypted private key and the encrypted first usage authorization data.
  - 3. The method of claim 2 comprisingencrypting the sealed key blob and the second usage authorization data with the portable token and a public key of the portable token, andcreating the protected key blob with the encrypted sealed key blob and the encrypted second usage authorization data.
  - 4. The method of claim 3 comprisingproviding the portable token with a request for the sealed key blob of the protected key blob, the request providing proof of possessing the second usage authorization data,decrypting the encrypted sealed key blob and the encrypted second usage authorization data of the protected key blob with the portable token using a private key of the portable token, andreceiving the sealed key blob from the portable token in response to the portable token determining that the proof of possessing the second usage authorization data was valid.
  - 5. The method of claim 4 further comprisingscrubbing the protected key blob and associated data from the portable token in response to determining that the proof of possessing the second usage authorization data was invalid.
  - 6. The method of claim 5 further comprisingdeactivating the portable token in response to determining that the proof of possessing the second usage authorization data was invalid.
  - 7. The method of claim 4 comprisingproviding the fixed token with a request to load the first key pair of the sealed key blob, the request providing proof of possessing the first usage authorization data,decrypting the encrypted private key and the encrypted first usage authorization data of the sealed key blob with the fixed token using a private key of the fixed token, andreceiving a key handle to the first key pair of the sealed key blob in response to the fixed token determining that the proof of possessing the first usage authorization data was valid.
  - 8. The method of claim 7 further comprisingscrubbing the sealed key blob and associated data from the fixed token in response to determining that the proof of possessing the first usage authorization data was invalid.
  - 9. The method of claim 8 further comprisingdeactivating the portable token in response to determining that the proof of possessing the first usage authorization data was invalid.
  - 10. The method of claim 1 comprisingrequesting the portable token to return the sealed key blob from the protected key blob,providing the portable token with proof of possessing the second usage authorization data, andobtaining the sealed key blob from the portable token only if the proof of possessing the second usage authorization data was valid.
  - 11. The method of claim 10 comprisingrequesting the fixed token to load the first key pair from the sealed key blob, andproviding the fixed token with proof of possessing the first usage authorization data, andobtaining a key handle to the first key pair stored in the fixed token only if the proof of possessing the first usage authorization data was valid.
  - 12. The method of claim 1 comprisingdirecting a request to the portable token to return the sealed key blob from the protected key blob, the request comprising proof of possessing the second usage authorization data, andobtaining the sealed key blob from the portable token only if the portable token was present and the proof of possessing the second usage authorization data was valid.
  - 13. The method of claim 12 comprisingdirecting a request to the fixed token to load the first key pair from the sealed key blob, the request comprising proof of possessing the first usage authorization data, andobtaining a key handle to the first key pair stored in the fixed token only if the proof of possessing the first usage authorization data was valid and an environment associated with the request satisfies criteria specified by the sealed key blob.

14. A computing device, comprisinga fixed token comprising a first processing unit and first protected storage, the first processing unit to load a first key pair of a sealed key blob into the first protected storage in response to determining that a first authentication code has a predetermined relationship to first usage authorization data of the sealed key blob,a portable token comprising a second processing unit and second protected storage, the second processing unit to return the sealed key blob from a protected key blob in response to determining that a second authentication code has a predetermined relationship to second usage authorization data of the protected key blob,a portable token interface that enables the portable token to be coupled to and removed from the computing device,a processor to provide the portable token with a request for the sealed key blob, wherein the request that comprises the protected key blob and the second authentication code, and to provide the fixed token with a request to load the first key pair, wherein the request comprises the sealed key blob and the first authentication code.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The computing device of claim 14 whereinthe fixed token is to provide a first key handle to the first key pair in response to successfully loading the first key pair, andthe processor is to determine that that a user associated with the portable token is present in response to receiving the first key handle.
  - 16. The computing device of claim 14 whereinthe fixed token is to provide a first key handle to the first key pair in response to successfully loading the first key pair, andthe processor is to determine that a user associated with the portable token is present in response to successfully decrypting a secret using the first key pair identified by the first key handle.
  - 17. The computing device of claim 14 whereinthe first protected storage of the fixed token comprises registers for storing metrics of an environment,the processor is to provide the fixed token with a plurality of metrics of the environment, andthe first processing is to load the first key pair into the first protected storage only if the metrics stored in the registers indicate that the environment satisfies criteria of the sealed key blob.
  - 18. The computing device of claim 17 whereinthe fixed token is to provide a first, key handle to the first key pair in response to successfully loading the first key pair, andthe processor is to determine that the environment satisfies the criteria specified by the sealed key blob in response to receiving the first key handle.
  - 19. The computing device of claim 17 whereinthe fixed token is to provide a first key handle to the first key pair in response to successfully loading the first key pair, andthe processor is to determine that the environment satisfies the criteria specified by the sealed key blob in response to successfully decrypting a secret using the first key pair identified by the first key handle.
  - 20. The computing device of claim 17 whereinthe first processing unit is to scrub the sealed key blob and any associated data from the fixed token in response to determining that the environment does not satisfy the criteria of the sealed key blob.
  - 21. The computing device of claim 14 whereinthe fixed token comprises a key pair used to create the sealed key blob,the first processing unit only loads the first key pair of the sealed key blob in response to a request received via a first session established for the key pair used to create the sealed key blob, andthe processor is to establish the first session prior to providing the fixed token with the request to load the first key pair.
  - 22. The computing device of claim 21 whereinthe portable token comprises a key pair used to create the protected key blob,the second processing unit is to only load the first key pair of the sealed key blob in response to a request received via a second session established for the key pair used to create the protected key blob, andthe processor is to establish the second session prior to providing the portable token with the request to for the sealed key blob.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grawrock, David W.
Primary Examiner(s)
Barron; Gilberto
Assistant Examiner(s)
Simitoski; Michael J.

Application Number

US10/321,751
Publication Number

US 20040117625A1
Time in Patent Office

1,849 Days
Field of Search

713/159, 713/172, 713/185, 713/193, 713/194, 726/9, 726/20, 726/26, 380283-285, 380/278, 705 54- 55, 705 65- 67
US Class Current

726/26
CPC Class Codes

G06F 21/34   involving the use of extern...

G06Q 20/367   involving electronic purses...

H04L 9/0827   involving distinctive inter...

H04L 9/0877   using additional device, e....

H04L 9/3234   involving additional secure...

Attestation using both fixed token and portable token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

242 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Attestation using both fixed token and portable token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

242 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links