Secure creation and management of device ownership keys

US 8,041,960 B2
Filed: 04/24/2008
Issued: 10/18/2011
Est. Priority Date: 04/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method of generating an ownership key for a target device containing a Trusted Platform Module (TPM) by a Key Manager comprising:

combining manufacturer information with target device specific information to generate an owner key and a recovery token, the recovery token being based on information used to generate the owner key;

sending the owner key to the target device;

commanding the target device to use the owner key to take ownership of the TPM;

sending the key recovery token to the target device and storing the key recovery token in the target device; and

storing transaction information and the key recovery token in an ownership recovery database.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure creation and management of device ownership keys. TPM ownership keys are generated by cryptographically combining manufacturer information with device specific information. Ownership keys are established in the TPM containing device. The manufacturer retains necessary information to reconstruct the ownership key if needed.

8 Citations

View as Search Results

20 Claims

1. A method of generating an ownership key for a target device containing a Trusted Platform Module (TPM) by a Key Manager comprising:
- combining manufacturer information with target device specific information to generate an owner key and a recovery token, the recovery token being based on information used to generate the owner key;
  
  sending the owner key to the target device;
  
  commanding the target device to use the owner key to take ownership of the TPM;
  
  sending the key recovery token to the target device and storing the key recovery token in the target device; and
  
  storing transaction information and the key recovery token in an ownership recovery database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 where the generating of the owner key and the recovery token is a cryptographic process.
  - 3. The method of claim 1 where the generating of the;
    - owner key and the recovery token further comprises;
      
      hashing the target device specific information concatenated with manufacturer information to form an intermediate value;
      
      choosing a model key corresponding to the target device;
      
      hashing the intermediate value with the model key to form an output value;
      
      selecting the owner key from the output value; and
      
      generating a key recovery token from the model key.
  - 4. The method of claim 3 where the manufacturer information includes a nonce.
  - 5. The method of claim 3 where the target device specific information includes one or more of the device model, device MAC address, and/or the target device serial number.
  - 6. The method of claim 3 where the generating of the key recovery token comprises encrypting the concatenation of a Model Key ID being a unique identifier included in the Model key and a nonce being at least part of the manufacturer information using a public key of the Key Manager.
  - 7. The method of claim 6 further comprising padding the concatenation of the Model Key ID and the nonce to the same length as the public key.
  - 8. The method of claim 1 where the key recovery token is stored in the target device.
  - 9. The method of claim 1 where the key recovery token is stored in the target device TPM.
  - 10. The method of claim 9 further comprising purging the owner key from a target device memory after storing the key recovery token in the TPM.
  - 11. The method of claim 1 further comprising having the target device notify the Key Manager of a successful owner key change after the step of taking ownership of the TPM using the owner key.
  - 12. The method of claim 9 further comprising having the target device notify the Key Manager of a successful owner key change after the step of storing the key recovery token in the TPM.

13. A non-transitory machine readable medium having a set of instructions stored therein, which when executed on a system comprising a key manager connected to a target device containing a TPM causes a set of operations to be performed comprising:
- hashing target device specific information concatenated with manufacturer information to form an intermediate value,choosing a model key corresponding to the target device;
  
  hashing the intermediate value with the model key to form an output value;
  
  selecting the owner key from the output value;
  
  generating a key recovery token from the model key;
  
  sending the owner key to the target device;
  
  commanding the target device to use the owner key to take ownership of the TPM;
  
  sending the key recovery token to the target device and storing the key recovery token in the target device; and
  
  storing transaction information and the key recovery token in an ownership recovery database.

14. A method of generating an owner key for a target device containing a Trusted Platform Module (TPM) by a Key Manager, the method comprising:
- performing operations on manufacturer information and identification information for the target device to an intermediary result;
  
  performing operations on the intermediary result and keying material to generate an owner key, the owner key to be needed for future operations using the TPM;
  
  performing operations on a unique identifier located in the keying material to generate a key recovery token;
  
  transmitting the owner key and the key recovery token to the target device that results in the target device issuing a command to securely store and utilize the owner key;
  
  receiving information from the target device that the owner key has been successfully changed; and
  
  transmitting the identification information and the key recovery token in an external storage device upon receiving the information from the target device that the owner key has been successfully changed.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14 where the performing of the operations on the manufacturer information and the identification information includes performing a hash operation on the manufacturer information and the identification information to produce the intermediary result being a first hash value.
  - 16. The method of claim 15 where the manufacturer information is a nonce generated by the Key Manager.
  - 17. The method of claim 15 where the identification information is either a device Media Access Control (MAC) address or a serial number.
  - 18. The method of claim 15 where the performing of the operations on the intermediary result and the keying material to generate the owner key includes performing a hash operation on the intermediary result and the keying material to produce a second hash value, a predetermined number of bits of the second hash value being used as the owner key.
  - 19. The method of claim 18 where the keying material is a unique key associated with the target device and the predetermined number of bits being lesser in number than a number of bits forming the second hash value.
  - 20. The method of claim 16 where the performing of the operations on the unique identifier located in the keying material to generate the key recovery token includes concatenating the unique identifier being part of the unique key and the nonce and encrypting a combination of the unique identifier and the nonce with a public key of the Key Manager to produce the key recovery token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Kelly, Scott G., Kshirsagar, Shekhar
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US12/109,273
Publication Number

US 20090268915A1
Time in Patent Office

1,272 Days
Field of Search

380/282, 380/279, 713/164, 713/193, 713/194
US Class Current

713/193
CPC Class Codes

H04L 9/0877 using additional device, e....

H04L 9/0897 involving additional device...

Secure creation and management of device ownership keys

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure creation and management of device ownership keys

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links