System and method for combining user and platform authentication in negotiated channel security protocols

US 8,006,090 B2
Filed: 05/19/2009
Issued: 08/23/2011
Est. Priority Date: 03/24/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A network security handshake exchange method comprising:

obtaining a pre-master secret that contains a nonce generated by a server endpoint, the pre-master secret including a server stored measurement log (SML) that stores configuration state measured values for the server endpoint;

hashing server platform configuration register values (PCRs) representing a configuration state of the of the server endpoint;

generating at the server endpoint a modified pre-master secret by combining the pre-master secret with the hash of the server PCRs;

incorporating a handshake state into the server endpoint platform configuration values by storing the modified pre-master secret into a PCR of the server endpoint;

generating multi-faceted authentication of the server endpoint by digitally signing the modified pre-master secret with a server platform identity key, and digitally signing the modified pre-master secret with a server user identity key to create a server platform-identity-key signed value and a server user-identity-key signed value; and

sending a first message to a client endpoint, wherein the message includes the pre-master secret, the modified pre-master secret, the server platform-identity-key signed value, and the server user-identity-key signed value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security handshake exchange for combining user and platform authentication. The security handshake exchange performs operations on a pre-master secret to increase identity verification and security. The pre-master secret is augmented and authenticated with platform identity and user identity credentials of one endpoint. A second phase of exchanges may include exchange of a master secret that is the pre-master secret modified with platform identity and user identity of the other endpoint.

6 Citations

View as Search Results

19 Claims

1. A network security handshake exchange method comprising:
- obtaining a pre-master secret that contains a nonce generated by a server endpoint, the pre-master secret including a server stored measurement log (SML) that stores configuration state measured values for the server endpoint;
  
  hashing server platform configuration register values (PCRs) representing a configuration state of the of the server endpoint;
  
  generating at the server endpoint a modified pre-master secret by combining the pre-master secret with the hash of the server PCRs;
  
  incorporating a handshake state into the server endpoint platform configuration values by storing the modified pre-master secret into a PCR of the server endpoint;
  
  generating multi-faceted authentication of the server endpoint by digitally signing the modified pre-master secret with a server platform identity key, and digitally signing the modified pre-master secret with a server user identity key to create a server platform-identity-key signed value and a server user-identity-key signed value; and
  
  sending a first message to a client endpoint, wherein the message includes the pre-master secret, the modified pre-master secret, the server platform-identity-key signed value, and the server user-identity-key signed value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein combining the pre-master secret with the hash of the server PCRs further comprises:
    - performing an exclusive OR (XOR) operation on the pre-master secret with the hash of the server PCRs.
  - 3. The method of claim 2, wherein combining the pre-master secret with the hash of the server PCRs further comprises:
    - hashing the result of the XOR operation.
  - 4. The method of claim 1, wherein the first message further comprises the SML and the hash of the server PCRs.
  - 5. The method of claim 1, further comprising:
    - receiving an encrypted master secret from the client via a second message, wherein the encrypted master secret is generated by modifying the modified pre-master secret at the client;
      
      verifying the second message; and
      
      generating session keys when the second message is verified.
  - 6. The method of claim 5, wherein the second message includes a client SML and the modified pre-master secret, and wherein verifying the second message comprises:
    - obtaining a client PCR value from the client SML;
      
      calculating the modified pre-master secret from the master secret and the client PCR value; and
      
      comparing the calculated modified pre-master secret with the stored modified pre-master secret.
  - 7. The method of claim 6, wherein calculating the modified pre-master secret from the master secret and the client PCR value comprises:
    - performing an XOR operation of the master secret with the client PCR value; and
      
      hashing the result of the XOR operation.

8. An article comprising:
- a non-transitory computer readable storage medium having a plurality of machine accessible instructions stored thereon, wherein when the instructions are executed by a processor, the instructions provide for performing operations includingobtaining a pre-master secret that contains a nonce generated by a server endpoint, the pre-master secret including a server stored measurement log (SML) that stores configuration state measured values for the server endpoint;
  
  hashing server platform configuration register values (PCRs) representing a configuration state of the of the server endpoint;
  
  generating at the server endpoint a modified pre-master secret by combining the pre-master secret with the hash of the server PCRs;
  
  incorporating a handshake state into the server endpoint platform configuration values by storing the modified pre-master secret into a PCR of the server endpoint;
  
  generating multi-faceted authentication of the server endpoint by digitally signing the modified pre-master secret with a server platform identity key, and digitally signing the modified pre-master secret with a server user identity key to create a server platform-identity-key signed value and a server user-identity-key signed value; and
  
  sending a first message to a client endpoint, wherein the message includes the pre-master secret, the modified pre-master secret, the server platform-identity-key signed value, and the server user-identity-key signed value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8, wherein instructions for combining the pre-master secret with the hash of the server PCRs further comprise instructions forperforming an exclusive OR (XOR) operation on the pre-master secret with the hash of the server PCRs.
  - 10. The non-transitory computer readable storage medium of claim 9, wherein instructions for combining the pre-master secret with the hash of the PCRs further comprise instructions forhashing the result of the XOR operation.
  - 11. The non-transitory computer readable storage medium of claim 9, further comprising instructions forreceiving an encrypted master secret from the client via a second message, wherein the encrypted master secret is generated by modifying the modified pre-master secret at the client;
    - verifying the second message; and
      
      generating session keys when the second message is verified.
  - 12. The non-transitory computer readable storage medium of claim 11, wherein the second message includes a client SML and the modified pre-master secret, and wherein the instructions forverifying the second message comprise instructions for obtaining a client PCR value from the client SML;
    - calculating the modified pre-master secret from the master secret and the client PCR value; and
      
      comparing the calculated modified pre-master secret with the stored modified pre-master secret.
  - 13. The non-transitory computer readable storage medium of claim 12, wherein the instructions for calculating the modified pre-master secret from the master secret and the client PCR value comprise instructions forperforming an XOR operation of the master secret with the client PCR value;
    - andhashing the result of the XOR operation.
  - 14. The non-transitory computer readable storage medium of claim 8, wherein the first message further comprises the SML and the hash of the server PCRs.

15. A network security handshake exchange method comprising:
- receiving at a client endpoint a first message from a server endpoint, the first message including a server modified pre-master secret, the modified pre-master secret generated by modifying a pre-master secret that contains a nonce generated by the server endpoint with a server platform configuration register value (PCR);
  
  hashing client platform configuration register values (PCRs) representing a configuration state of the of the client endpoint;
  
  generating at the client endpoint a master secret by combining the modified pre-master secret with the hash of the client PCRs;
  
  incorporating a handshake state into the client endpoint platform configuration values by storing the master secret into a PCR of the client endpoint;
  
  generating multi-faceted authentication of the client endpoint by digitally signing the master secret with a client platform identity key, and digitally signing the master secret with a client user identity key to create a client platform-identity-key signed value and a client user-identity-key signed value; and
  
  sending a second message to the server endpoint, wherein the second message includes the modified pre-master secret, the master secret, the client platform-identity-key signed value, and the client user-identity-key signed value.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein combining the modified pre-master secret with the hash of the client PCRs further comprises:
    - performing an exclusive OR (XOR) operation on the modified pre-master secret with the hash of the client PCRs; and
      
      hashing the result of the XOR operation.
  - 17. The method of claim 15, wherein the second message further comprises the client SML and the hash of the client PCRs.
  - 18. The method of claim 15, further comprising:
    - verifying the second message; and
      
      generating session keys when the first message is verified.
  - 19. The method of claim 15, wherein the first message includes a server SML and the pre-master secret, and wherein verifying the first message comprises:
    - obtaining a server PCR value from the server SML;
      
      calculating the pre-master secret from the modified pre-master secret and the server PCR value; and
      
      comparing the calculated pre-master secret with the pre-master secret included in the first message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Smith, Ned M.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Traore; Fatoumata

Application Number

US12/468,532
Publication Number

US 20090307493A1
Time in Patent Office

826 Days
Field of Search

None
US Class Current

713/168
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/166 at the transport layer

System and method for combining user and platform authentication in negotiated channel security protocols

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for combining user and platform authentication in negotiated channel security protocols

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links