Secure authentication token management

US 8,312,272 B1
Filed: 06/26/2009
Issued: 11/13/2012
Est. Priority Date: 06/26/2009
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for securely managing an authentication token, the method comprising the steps of:

using hardware based security extensions, by a computer, to dynamically instantiate a first dynamic secure virtual machine and a second dynamic secure virtual machine in system memory of the computer;

generating a public key and a corresponding private key, by the computer;

using hardware-based security extensions, by the first dynamic secure virtual machine in the system memory of the computer, to seal the private key to the second dynamic secure virtual machine at a hardware level, wherein a security coprocessor only allows access to an address associated with a sealing process by the second dynamic secure virtual machine by setting at least one platform configuration register to a hash value of the second dynamic secure virtual machine;

creating a request for an authentication token, by the computer, the created request comprising at least the public key;

using hardware based security extensions to sign the created request, by the first dynamic secure virtual machine in the system memory of the computer;

transmitting, by the computer, the signed request for an authentication token to a remote computer;

responsive to transmitting the signed request for an authentication token to the remote computer, receiving, by the computer, an authentication token encrypted with the public key, from the remote computer;

using hardware based security extensions to unseal the private key, by the second dynamic secure virtual machine in the system memory of the computer;

using the unsealed private key to decrypt the received encrypted authentication token, by the second dynamic secure virtual machine in the system memory of the computer; and

using hardware based security extensions to seal the authentication token to at least one additional dynamic secure virtual machine, by the second dynamic secure virtual machine in the system memory of the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication token management system securely manages an authentication token. Hardware based security extensions on a client are used to dynamically instantiate two dynamic secure virtual machines, a registration initiation module (RIM) and a registration completion module (RCM). A public key and a corresponding private key are generated, and the RIM seals the private key to the RCM. A request for an authentication token is signed by the hardware based security extensions and transmitted to the server. This request comprises at least the public key. In response, an authentication token encrypted with the public key is received. The RCM unseals the private key, and uses it to decrypt the received authentication token. The RCM then seals the authentication token to at least one additional dynamic secure virtual machine, which can use it to perform additional functionalities, such as data signing, encryption, generation and/or verification.

Citations

16 Claims

1. A computer implemented method for securely managing an authentication token, the method comprising the steps of:
- using hardware based security extensions, by a computer, to dynamically instantiate a first dynamic secure virtual machine and a second dynamic secure virtual machine in system memory of the computer;
  
  generating a public key and a corresponding private key, by the computer;
  
  using hardware-based security extensions, by the first dynamic secure virtual machine in the system memory of the computer, to seal the private key to the second dynamic secure virtual machine at a hardware level, wherein a security coprocessor only allows access to an address associated with a sealing process by the second dynamic secure virtual machine by setting at least one platform configuration register to a hash value of the second dynamic secure virtual machine;
  
  creating a request for an authentication token, by the computer, the created request comprising at least the public key;
  
  using hardware based security extensions to sign the created request, by the first dynamic secure virtual machine in the system memory of the computer;
  
  transmitting, by the computer, the signed request for an authentication token to a remote computer;
  
  responsive to transmitting the signed request for an authentication token to the remote computer, receiving, by the computer, an authentication token encrypted with the public key, from the remote computer;
  
  using hardware based security extensions to unseal the private key, by the second dynamic secure virtual machine in the system memory of the computer;
  
  using the unsealed private key to decrypt the received encrypted authentication token, by the second dynamic secure virtual machine in the system memory of the computer; and
  
  using hardware based security extensions to seal the authentication token to at least one additional dynamic secure virtual machine, by the second dynamic secure virtual machine in the system memory of the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein creating the request for an authentication token, by the computer, further comprises:
    - creating the request for an authentication token, by the computer, the created request comprising at least the public key and at least one value from a register of the security coprocessor on the computer.
  - 3. The method of claim 1 wherein creating the request for an authentication token, by the computer, further comprises:
    - requesting, by the computer, a nonce from the remote computer; and
      
      creating the request for the authentication token, by the computer, the created request comprising at least the public key and the nonce.
  - 4. The method of claim 1 wherein using hardware based security extensions to seal the authentication token to at least one additional dynamic secure virtual machine, by the second dynamic secure virtual machine in the system memory of the computer, further comprises:
    - using hardware based security extensions, by the second dynamic secure virtual machine in the system memory of the computer, to dynamically instantiate a third dynamic secure virtual machine in the system memory of the computer; and
      
      using hardware based security extensions to seal the authentication token to the third dynamic secure virtual machine in the system memory of the computer, by the second dynamic secure virtual machine in the system memory of the computer.
  - 5. The method of claim 4 further comprising:
    - using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to generate a signature with which to sign data to be transmitted to at least one remote computer.
  - 6. The method of claim 4 further comprising:
    - using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to encrypt data to be transmitted to at least one remote computer.
  - 7. The method of claim 4 further comprising:
    - using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to generate data to be transmitted to at least one remote computer.
  - 8. The method of claim 4 further comprising:
    - using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to verify data to be transmitted to at least one remote computer.

9. At least one non-transitory computer readable storage medium for securely managing an authentication token, the non-transitory computer readable storage medium comprising:
- program code for using hardware based security extensions to dynamically instantiate a first dynamic secure virtual machine and a second dynamic secure virtual machine in system memory of the computer;
  
  program code for generating a public key and a corresponding private key;
  
  program code for using hardware-based security extensions, by the first dynamic secure virtual machine in the system memory of the computer, to seal the private key to the second dynamic secure virtual machine at a hardware level, wherein a security coprocessor only allows access to an address associated with a sealing process by the second dynamic secure virtual machine by setting at least one platform configuration register to a hash value of the second dynamic secure virtual machine;
  
  program code for creating a request for an authentication token the created request comprising at least the public key;
  
  program code for using hardware based security extensions to sign the created request, by the first dynamic secure virtual machine in the system memory of the computer;
  
  program code for transmitting the signed request for an authentication token to a remote computer;
  
  program code for, responsive to transmitting the signed request for an authentication token to the remote computer, receiving an authentication token encrypted with the public key, from the remote computer;
  
  program code for using hardware based security extensions to unseal the private key, by the second dynamic secure virtual machine in the system memory of the computer;
  
  program code for using the unsealed private key to decrypt the received encrypted authentication token, by the second dynamic secure virtual machine in the system memory of the computer; and
  
  program code for using hardware based security extensions to seal the authentication token to at least one additional dynamic secure virtual machine, by the second dynamic secure virtual machine in the system memory of the computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer readable storage medium of claim 9 wherein the program code for creating the request for an authentication token further comprises:
    - program code for creating the request for an authentication token the created request comprising at least the public key and at least one value from a register of the security coprocessor on the computer.
  - 11. The non-transitory computer readable storage medium of claim 9 wherein the program code for creating the request for an authentication token further comprises program code for:
    - requesting, by the computer, a nonce from the remote computer; and
      
      creating the request for the authentication token, by the computer, the created request comprising at least the public key and the nonce.
  - 12. The non-transitory computer readable storage medium of claim 9 wherein the program code for using hardware based security extensions to seal the authentication token to at least one additional dynamic secure virtual machine, by the second dynamic secure virtual machine in the system memory of the computer, further comprises program code for:
    - using hardware based security extensions, by the second dynamic secure virtual machine in the system memory of the computer, to dynamically instantiate a third dynamic secure virtual machine in the system memory of the computer; and
      
      using hardware based security extensions to seal the authentication token to the third dynamic secure virtual machine in the system memory of the computer, by the second dynamic secure virtual machine in the system memory of the computer.
  - 13. The non-transitory computer readable storage medium of claim 12 further comprising:
    - program code for using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      program code for using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to generate a signature with which to sign data to be transmitted to at least one remote computer.
  - 14. The non-transitory computer readable storage medium of claim 12 further comprising:
    - program code for using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      program code for using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to encrypt data to be transmitted to at least one remote computer.
  - 15. The non-transitory computer readable storage medium of claim 12 further comprising:
    - program code for using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      program code for using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to generate data to be transmitted to at least one remote computer.
  - 16. The non-transitory computer readable storage medium of claim 12 further comprising:
    - program code for using hardware based security extensions to unseal the authentication token, by the third dynamic secure virtual machine in the system memory of the computer; and
      
      program code for using the unsealed authentication token, by the third dynamic secure virtual machine in the system memory of the computer, to verify data to be transmitted to at least one remote computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Serenyi, Denis, Ramzan, Zulfikar
Primary Examiner(s)
Schwartz, Darren B

Application Number

US12/492,962
Time in Patent Office

1,236 Days
Field of Search

713164-167, 713/188, 713/189, 713192-194, 726 1- 2, 726 16- 21, 726 26- 30, 380277-286, 719/1
US Class Current

713/168
CPC Class Codes

G06F 2009/45562 Creating, deleting, cloning...

G06F 21/33 using certificates

Secure authentication token management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication token management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links