System and method for combining user and platform authentication in negotiated channel security protocols
Abstract
A network security handshake exchange for combining user and platform authentication. The security handshake exchange performs operations on a pre-master secret to increase identity verification and security. The pre-master secret is augmented and authenticated with platform identity and user identity credentials of one endpoint. A second phase of exchanges may include exchange of a master secret that is the pre-master secret modified with platform identity and user identity of the other endpoint.
19 Claims
1. A network security handshake exchange method comprising:
obtaining a pre-master secret that contains a nonce generated by a server endpoint, the pre-master secret including a server stored measurement log (SML) that stores configuration state measured values for the server endpoint;
hashing server platform configuration register values (PCRs) representing a configuration state of the server endpoint;
generating at the server endpoint a modified pre-master secret by combining the pre-master secret with the hash of the server PCRs;
incorporating a handshake state into the server endpoint platform configuration values by storing the modified pre-master secret into a PCR of the server endpoint;
generating multi-faceted authentication of the server endpoint by digitally signing the modified pre-master secret with a server platform identity key, and digitally signing the modified pre-master secret with a server user identity key to create a server platform-identity-key signed value and a server user-identity-key signed value; and
sending a first message to a client endpoint, wherein the message includes the pre-master secret, the modified pre-master secret, the server platform-identity-key signed value, and the server user-identity-key signed value.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. An article comprising:
a non-transitory computer readable storage medium having a plurality of machine accessible instructions stored thereon, wherein when the instructions are executed by a processor, the instructions provide for performing operations including:
obtaining a pre-master secret that contains a nonce generated by a server endpoint, the pre-master secret including a server stored measurement log (SML) that stores configuration state measured values for the server endpoint;
hashing server platform configuration register values (PCRs) representing a configuration state of the server endpoint;
generating at the server endpoint a modified pre-master secret by combining the pre-master secret with the hash of the server PCRs;
incorporating a handshake state into the server endpoint platform configuration values by storing the modified pre-master secret into a PCR of the server endpoint;
generating multi-faceted authentication of the server endpoint by digitally signing the modified pre-master secret with a server platform identity key, and digitally signing the modified pre-master secret with a server user identity key to create a server platform-identity-key signed value and a server user-identity-key signed value; and
sending a first message to a client endpoint, wherein the message includes the pre-master secret, the modified pre-master secret, the server platform-identity-key signed value, and the server user-identity-key signed value.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A network security handshake exchange method comprising:
receiving at a client endpoint a first message from a server endpoint, the first message including a server modified pre-master secret, the modified pre-master secret generated by modifying a pre-master secret that contains a nonce generated by the server endpoint with a server platform configuration register value (PCR);
hashing client platform configuration register values (PCRs) representing a configuration state of the client endpoint;
generating at the client endpoint a master secret by combining the modified pre-master secret with the hash of the client PCRs;
incorporating a handshake state into the client endpoint platform configuration values by storing the master secret into a PCR of the client endpoint;
generating multi-faceted authentication of the client endpoint by digitally signing the master secret with a client platform identity key, and digitally signing the master secret with a client user identity key to create a client platform-identity-key signed value and a client user-identity-key signed value; and
sending a second message to the server endpoint, wherein the second message includes the modified pre-master secret, the master secret, the client platform-identity-key signed value, and the client user-identity-key signed value.
Dependent claims: 16, 17, 18, 19.
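The two-phase exchange of claims 1 and 15, as an added simulation that is not the patent's own code: the server binds nonce || SML to its PCR hash, extends a PCR with the result and signs it with two identity keys; the client verifies both signatures before deriving the master secret from its own PCRs, and the server then checks the echoed value and both client signatures. Assumptions: SHA-256 throughout, "combining" as concatenate-then-hash, a TPM-style PCR extend, and an HMAC stand-in for the asymmetric identity-key signatures (so the verifier here holds the same key, where a real deployment would verify with a public key); the endpoint names, SML contents, key derivation and message field names are constructed.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
def pcr_extend(pcr: bytes, value: bytes) -> bytes:
    # TPM-style extend, new PCR = H(old PCR || H(value)); 32-byte SHA-256 PCRs are an assumption
    return sha256(pcr, sha256(value))
def sign(key: bytes, data: bytes) -> bytes:
    # stand-in for the identity-key digital signature (HMAC keeps the example offline)
    return hmac.new(key, data, hashlib.sha256).digest()
def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

@dataclass
class Endpoint:
    pcrs: list           # platform configuration registers
    sml: bytes           # stored measurement log
    platform_key: bytes  # platform identity key
    user_key: bytes      # user identity key
    def bind_and_sign(self, secret: bytes, slot: int):
        # combine the secret with H(PCRs), record the handshake state by extending a PCR, sign twice
        bound = sha256(secret, sha256(*self.pcrs))
        self.pcrs[slot] = pcr_extend(self.pcrs[slot], bound)
        return bound, sign(self.platform_key, bound), sign(self.user_key, bound)

def make_endpoint(name: str) -> Endpoint:
    # constructed sample endpoint: two zeroed PCRs, a toy SML, identity keys derived from the name
    return Endpoint([bytes(32)] * 2, f"{name}-sml:bios=ok,kernel=ok".encode(),
                    sha256(name.encode(), b"platform"), sha256(name.encode(), b"user"))

def server_message_1(server: Endpoint) -> dict:
    # claim 1: pre-master secret = nonce || SML; bind to the server PCRs, extend, sign with both keys
    pre_master = os.urandom(32) + server.sml
    modified, sig_p, sig_u = server.bind_and_sign(pre_master, 0)
    return {"pre_master": pre_master, "modified": modified, "sig_p": sig_p, "sig_u": sig_u}

def client_message_2(client: Endpoint, msg1: dict, srv_platform_key: bytes, srv_user_key: bytes) -> dict:
    # claim 15: continue only if both server signatures over the modified pre-master secret verify
    if not (verify(srv_platform_key, msg1["modified"], msg1["sig_p"])
            and verify(srv_user_key, msg1["modified"], msg1["sig_u"])):
        raise ValueError("server platform or user authentication failed")
    master, sig_p, sig_u = client.bind_and_sign(msg1["modified"], 0)
    return {"modified": msg1["modified"], "master": master, "sig_p": sig_p, "sig_u": sig_u}

def server_accepts(msg1: dict, msg2: dict, cli_platform_key: bytes, cli_user_key: bytes) -> bool:
    # second phase, server side: the echoed modified secret and both client signatures must check out
    return (hmac.compare_digest(msg1["modified"], msg2["modified"])
            and verify(cli_platform_key, msg2["master"], msg2["sig_p"])
            and verify(cli_user_key, msg2["master"], msg2["sig_u"]))
```

Because each side extends a PCR with the value it signed, a later attestation quote of that PCR lets a verifier tie the platform's measured state to this specific handshake.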
Specification