Online trusted platform module

US 8,086,844 B2
Filed: 06/03/2003
Issued: 12/27/2011
Est. Priority Date: 06/03/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A system comprising:

a trusted platform module (TPM);

at least one application configured to send one or more requests to said TPM; and

a hardware based security module coupled to said TPM, said security module configured to perform cryptographic processing and to provide long-term storage of cryptographic keys and cryptographic state information on behalf of said TPM,wherein said TPM is configured to access said security module over a secure communication connection using one or more layers of a network protocol stack when a cryptographic operation requiring at least one of said cryptographic keys or said cryptographic state information is required by said one or more requests, andwherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve said cryptographic state information.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An online trusted platform module (TPM) in communication with a security module that can be located elsewhere in the network in a server machine. In an embodiment, the online TPM is connected directly to a network interface card (NIC) that is also resident at the client. This allows the online TPM to communicate directly to the network, and therefore to the security module (without having to deal with the TCP/IP stack at the client machine in some circumstances, e.g., the boot process). In an embodiment, the communications channel between the online TPM and the security module is implemented using the transport layer security (TLS) protocol. A secure boot process is performed in advance of security processing. Typical security processing includes receipt, by the online TPM, of one or more commands from an application. The online TPM then proxies out the commands to the security module. After the security module has completed its processing of the commands, results of the processing and any related status information is returned to the online TPM.

Citations

21 Claims

1. A system comprising:
- a trusted platform module (TPM);
  
  at least one application configured to send one or more requests to said TPM; and
  
  a hardware based security module coupled to said TPM, said security module configured to perform cryptographic processing and to provide long-term storage of cryptographic keys and cryptographic state information on behalf of said TPM,wherein said TPM is configured to access said security module over a secure communication connection using one or more layers of a network protocol stack when a cryptographic operation requiring at least one of said cryptographic keys or said cryptographic state information is required by said one or more requests, andwherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve said cryptographic state information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 15, 16, 17)
- - 2. The system of claim 1, wherein said secure communication connection employs a transport layer security (TLS) protocol.
  - 3. The system of claim 1, further comprising an untrusted software stack that contains logic for intermediate processing between said at least one application and said TPM.
  - 4. The system of claim 1, wherein said TPM and said security module are compliant with a version of the Trusted Computing Platform Architecture (TCPA) Main Specification.
  - 5. The system of claim 1, wherein said security module is further configured to store all cryptographic state information on behalf of said TPM.
  - 6. The system of claim 1, wherein said security module and said TPM are authenticated to each other.
  - 7. The system of claim 1, wherein said TPM is in direct communication with a network interface device, such that the cryptographic state information is retrieved by said TPM from said security module via said network interface device while circumventing said one or more layers of said network protocol stack.
  - 8. The system of claim 7, wherein said one or more layers of said network protocol stack is related to the transmission control protocol/internet protocol (TCP/IP).
  - 9. The system of claim 7, wherein said TPM and said network interface device are embodied in an ethernet controller.
  - 10. The system of claim 1, wherein said security module comprises logic implemented in software.
  - 11. The system of claim 10, wherein said software is upgradeable independent of said TPM.
  - 15. The system of claim 1, further comprising a network interface device located at a client machine, coupled to said TPM, and configured to transfer data between said TPM and said security module while circumventing said one or more layers of said network protocol stack.
  - 16. The system of claim 1, wherein said TPM is located at a client machine and said security module is located at a server machine.
  - 17. The system of claim 1, wherein said security module is configured to communicate with one or more additional TPMs.

12. A method for providing a trusted security proxy, comprising:
- (a) receiving, at a security module, a cryptographic key associated with a remote trusted platform module (TPM);
  
  (b) providing long term storage for said cryptographic key and long term storage for cryptographic state information at said security module on behalf of said remote TPM;
  
  (c) receiving, at said security module, one or more requests to perform a cryptographic operation, requiring said cryptographic key, from at least one application via said remote TPM over a secure communication connection using one or more layers of a network protocol stack;
  
  (d) performing said cryptographic operation on behalf of said remote TPM;
  
  (e) providing a result of said cryptographic operation to said remote TPM over said secure communication connection; and
  
  (f) prior to performing step (c), providing the cryptographic state information from said security module to said remote TPM during a boot sequence while circumventing said one or more layers of said network protocol stack.
- View Dependent Claims (13)
- - 13. The method of claim 12, wherein step (c) comprises establishing said secure communication connection, between said TPM and said security module, using a transport layer security (TLS) protocol.

14. The method of step 12, wherein step (f) comprises:
- (i) executing a block of basic input output system (BIOS) code at said remote TPM; and
  
  (ii) performing integrity measurements at said remote TPM.

18. A system for remote performance of network security functions, comprising:
- a trusted platform module (TPM);
  
  a network interface device configured to be in direct communication with said TPM;
  
  at least one application configured to send a request to said TPM; and
  
  a security module configured to be in communication with said TPM,wherein said TPM is configured to proxy said request to said security module via said network interface device using one or more layers of a network protocol stack,wherein said security module is configured to process said proxied request and to send cryptographic state information to said TPM via said network interface device, andwherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve said cryptographic state information.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein said TPM and network interface device are located at a client machine.
  - 20. The system of claim 18, wherein said security module is located at a server machine.

21. A method for remote performance of network security functions, comprising:
- (a) receiving a request from an application, wherein said request is proxied by a trusted platform module (TPM) to a security module via a network interface device using one or more layers of a network protocol stack, said network interface device having a direct connection to said TPM;
  
  (b) processing said proxied request at said security module; and
  
  (c) sending a result of said proxied request to said TPM via said network interface device using said network protocol,wherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve cryptographic state information prior to performing step (a).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark, Dubey, Pradeep
Primary Examiner(s)
SHAW, YIN CHEN

Application Number

US10/452,792
Publication Number

US 20040250126A1
Time in Patent Office

3,129 Days
Field of Search

726/27, 726/12, 726 2- 3, 726/26, 713/189, 713/193, 713/194, 713150-151, 713/153, 380/255, 709223-225, 370/235.1
US Class Current

713/151
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/629   to features or functions of...

G06F 2221/2107   File encryption

G06F 2221/2153   Using hardware token as a s...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

Online trusted platform module

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Online trusted platform module

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links