Online trusted platform module
First Claim
1. A system comprising:
a trusted platform module (TPM);
at least one application configured to send one or more requests to said TPM; and
a hardware based security module coupled to said TPM, said security module configured to perform cryptographic processing and to provide long-term storage of cryptographic keys and cryptographic state information on behalf of said TPM,
wherein said TPM is configured to access said security module over a secure communication connection using one or more layers of a network protocol stack when a cryptographic operation requiring at least one of said cryptographic keys or said cryptographic state information is required by said one or more requests, and
wherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve said cryptographic state information.
Abstract
An online trusted platform module (TPM) in communication with a security module that can be located elsewhere in the network, in a server machine. In an embodiment, the online TPM is connected directly to a network interface card (NIC) that is also resident at the client. This allows the online TPM to communicate directly with the network, and therefore with the security module, without having to go through the TCP/IP stack at the client machine in some circumstances, e.g., during the boot process. In an embodiment, the communications channel between the online TPM and the security module is implemented using the transport layer security (TLS) protocol. A secure boot process is performed in advance of security processing. Typical security processing includes receipt, by the online TPM, of one or more commands from an application. The online TPM then proxies the commands out to the security module. After the security module has completed its processing of the commands, the results of the processing and any related status information are returned to the online TPM.
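The proxy arrangement described in the abstract, as an added example that is not part of the patent or any product it describes: the security module holds the long-term key and the cryptographic state (modelled here as a PCR bank) and only answers framed commands; the online TPM holds no key, forwards application requests over the network channel, and at boot reads the state and records a BIOS measurement through a direct path because no TCP/IP stack is running yet. A socketpair stands in for the TLS-over-TCP/IP connection and a direct call stands in for the NIC link; the frame format, the command set, the key identifier "app-hmac" and all class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import socket
import struct
import threading


def _recv_exact(conn, n):
    """Read exactly n bytes; stream sockets may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def _send_frame(conn, obj):
    """Length-prefixed JSON frame (assumed wire format for the example)."""
    body = json.dumps(obj).encode()
    conn.sendall(struct.pack("!I", len(body)) + body)


def _recv_frame(conn):
    (n,) = struct.unpack("!I", _recv_exact(conn, 4))
    return json.loads(_recv_exact(conn, n))


class SecurityModule:
    """Server-side module: keys and cryptographic state never leave it."""

    def __init__(self, key):
        self._keys = {"app-hmac": key}   # long-term key store; "app-hmac" is an assumed key id
        self.pcrs = {0: b"\x00" * 32}    # cryptographic state held on behalf of the TPM

    def handle(self, req):
        op = req.get("op")
        if op == "sign":                 # keyed operation performed here, key is never returned
            key = self._keys.get(req.get("key_id"))
            if key is None:
                return {"status": "no_such_key"}
            mac = hmac.new(key, bytes.fromhex(req["data"]), hashlib.sha256).hexdigest()
            return {"status": "ok", "result": mac}
        if op == "extend":               # TPM-style PCR extend: new = H(old || digest)
            idx = req["pcr"]
            self.pcrs[idx] = hashlib.sha256(self.pcrs[idx] + bytes.fromhex(req["digest"])).digest()
            return {"status": "ok", "result": self.pcrs[idx].hex()}
        if op == "get_state":
            return {"status": "ok", "result": {str(i): v.hex() for i, v in self.pcrs.items()}}
        return {"status": "bad_command"}  # unknown commands are refused, not guessed at

    def serve_one(self, conn):
        """Answer one framed request on the network channel (a TLS socket in a real deployment)."""
        _send_frame(conn, self.handle(_recv_frame(conn)))
        conn.close()


class OnlineTPM:
    """Client-side proxy: holds no long-term key, forwards commands, fetches state at boot."""

    def __init__(self, module):
        self._module = module
        self.boot_state = None

    def secure_boot(self, bios_code):
        # Boot path: no TCP/IP stack yet, so the module is reached directly
        # (a direct call here stands in for the direct NIC link of the embodiment).
        self.boot_state = self._module.handle({"op": "get_state"})["result"]
        digest = hashlib.sha256(bios_code).hexdigest()   # integrity measurement of the BIOS block
        return self._module.handle({"op": "extend", "pcr": 0, "digest": digest})["result"]

    def proxy(self, req):
        # Network path: the socketpair stands in for the TLS-over-TCP/IP connection.
        client, server = socket.socketpair()
        worker = threading.Thread(target=self._module.serve_one, args=(server,))
        worker.start()
        _send_frame(client, req)
        resp = _recv_frame(client)
        worker.join()
        client.close()
        return resp


def demo():
    """Boot, then let an 'application' request an HMAC through the TPM proxy (constructed inputs)."""
    module = SecurityModule(key=b"constructed-demo-key")
    tpm = OnlineTPM(module)
    pcr0 = tpm.secure_boot(b"constructed BIOS block")
    signed = tpm.proxy({"op": "sign", "key_id": "app-hmac", "data": b"hello".hex()})
    return pcr0, signed


if __name__ == "__main__":
    print(demo())
```

The point to check in any real implementation of this split is the one the model makes explicit: the proxy object never holds key material, every keyed operation is answered by the module with a status, and the boot-time read of state happens before the first application request rather than after the network stack is up.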
Citations
21 Claims
1. A system comprising:
a trusted platform module (TPM);
at least one application configured to send one or more requests to said TPM; and
a hardware based security module coupled to said TPM, said security module configured to perform cryptographic processing and to provide long-term storage of cryptographic keys and cryptographic state information on behalf of said TPM,
wherein said TPM is configured to access said security module over a secure communication connection using one or more layers of a network protocol stack when a cryptographic operation requiring at least one of said cryptographic keys or said cryptographic state information is required by said one or more requests, and
wherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve said cryptographic state information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 15, 16, 17
12. A method for providing a trusted security proxy, comprising:
(a) receiving, at a security module, a cryptographic key associated with a remote trusted platform module (TPM);
(b) providing long term storage for said cryptographic key and long term storage for cryptographic state information at said security module on behalf of said remote TPM;
(c) receiving, at said security module, one or more requests to perform a cryptographic operation, requiring said cryptographic key, from at least one application via said remote TPM over a secure communication connection using one or more layers of a network protocol stack;
(d) performing said cryptographic operation on behalf of said remote TPM;
(e) providing a result of said cryptographic operation to said remote TPM over said secure communication connection; and
(f) prior to performing step (c), providing the cryptographic state information from said security module to said remote TPM during a boot sequence while circumventing said one or more layers of said network protocol stack.
Dependent claims: 13
14. The method of claim 12, wherein step (f) comprises:
(i) executing a block of basic input output system (BIOS) code at said remote TPM; and
(ii) performing integrity measurements at said remote TPM.
18. A system for remote performance of network security functions, comprising:
a trusted platform module (TPM);
a network interface device configured to be in direct communication with said TPM;
at least one application configured to send a request to said TPM; and
a security module configured to be in communication with said TPM,
wherein said TPM is configured to proxy said request to said security module via said network interface device using one or more layers of a network protocol stack,
wherein said security module is configured to process said proxied request and to send cryptographic state information to said TPM via said network interface device, and
wherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve said cryptographic state information.
Dependent claims: 19, 20
21. A method for remote performance of network security functions, comprising:
(a) receiving a request from an application, wherein said request is proxied by a trusted platform module (TPM) to a security module via a network interface device using one or more layers of a network protocol stack, said network interface device having a direct connection to said TPM;
(b) processing said proxied request at said security module; and
(c) sending a result of said proxied request to said TPM via said network interface device using said network protocol,
wherein said TPM is configured to circumvent said one or more layers of said network protocol stack to access said security module during a secure boot process to retrieve cryptographic state information prior to performing step (a).
Specification