Method and system for enterprise network single-sign-on by a manageability engine

US 8,856,512 B2
Filed: 12/30/2008
Issued: 10/07/2014
Est. Priority Date: 12/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method for using an out-of-band (OOB) manageability engine (ME) having an OOB processor separate from a main processor of a computer platform to securely access an Enterprise server comprising:

receiving, with the OOB processor of the ME, user authentication credentials from a pre-boot authentication module (PBAM) executed by a BIOS of the computer platform;

requesting, with the OOB processor of the ME, via a dedicated OOB interface, independent of the main processor, between the ME and a network controller of the computer platform, a key encryption key (KEK) from a key distribution center (KDC);

receiving, with the OOB processor of the ME and independent of the main processor, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;

securely storing the KEK using the OOB processor of the ME;

enabling, with the OOB processor of the ME, the BIOS to proceed with booting of an operating system (OS);

wrapping an OS credential manager with a shim, wherein the OS credential manager is configured to authenticate a user to the OS;

intercepting an OS login process by the shim wrapping the OS credential manager;

receiving, with the OOB processor of the ME, a request for the KEK from the shim used to intercept the OS login process;

retrieving, with the OOB processor of the ME, the KEK from secure storage; and

sending, with the OOB processor of the ME, the KEK to the OS, wherein the shim, upon receipt of the KEK suppresses an OS login prompt and completes booting of the OS;

wherein when the OS requires access to the Enterprise server, the ME uses the KEK to obtain a ticket specific to the Enterprise server, and the OS retrieves the ticket specific to the Enterprise server from the ME.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.

16 Citations

View as Search Results

28 Claims

1. A method for using an out-of-band (OOB) manageability engine (ME) having an OOB processor separate from a main processor of a computer platform to securely access an Enterprise server comprising:
- receiving, with the OOB processor of the ME, user authentication credentials from a pre-boot authentication module (PBAM) executed by a BIOS of the computer platform;
  
  requesting, with the OOB processor of the ME, via a dedicated OOB interface, independent of the main processor, between the ME and a network controller of the computer platform, a key encryption key (KEK) from a key distribution center (KDC);
  
  receiving, with the OOB processor of the ME and independent of the main processor, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;
  
  securely storing the KEK using the OOB processor of the ME;
  
  enabling, with the OOB processor of the ME, the BIOS to proceed with booting of an operating system (OS);
  
  wrapping an OS credential manager with a shim, wherein the OS credential manager is configured to authenticate a user to the OS;
  
  intercepting an OS login process by the shim wrapping the OS credential manager;
  
  receiving, with the OOB processor of the ME, a request for the KEK from the shim used to intercept the OS login process;
  
  retrieving, with the OOB processor of the ME, the KEK from secure storage; and
  
  sending, with the OOB processor of the ME, the KEK to the OS, wherein the shim, upon receipt of the KEK suppresses an OS login prompt and completes booting of the OS;
  
  wherein when the OS requires access to the Enterprise server, the ME uses the KEK to obtain a ticket specific to the Enterprise server, and the OS retrieves the ticket specific to the Enterprise server from the ME.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein a user authenticates to the PBAM through a BIOS.
  - 3. The method of claim 1, wherein the PBAM provides an authentication challenge to a user to authenticate the user, the authentication challenge requiring the user to enter the user authentication credentials.
  - 4. The method of claim 1, wherein the user authentication credentials comprise a user identification and a user password.
  - 5. The method of claim 1, wherein requesting the key encryption key (KEK) from the KDC comprises opening a connection to an Enterprise network and requesting the KEK from the KDC.
  - 6. The method of claim 5, wherein the KDC verifies that a user is a known entity with the Enterprise network by querying a directory using the user authentication credentials to verify the authenticity of the user.
  - 7. The method of claim 1, wherein when the KEK is securely stored, the KEK is under the control of the OOB ME and has the authority granted to obtain a service specific ticket to Enterprise servers.
  - 8. The method of claim 1, wherein when the KEK is securely stored, the user is logged on to the OOB ME using Enterprise single-sign-on credentials.
  - 9. The method of claim 1, wherein loading the OS invokes a user authentication module to authenticate a user to the OS.
  - 10. The method of claim 1, wherein suppressing the OS login prompt enables the user authentication to only request a single-sign-on.

11. An article comprising:
- a non-transitory storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by a an out-of-band (OOB) co-processor separate from a main processor of a computer platform, the instructions provide for;
  
  receiving, with the OOB co-processor, user authentication credentials from a pre-boot authentication module (PBAM) executed by a BIOS of the computer platform;
  
  requesting, with the OOB co-processor, via a dedicated OOB interface, independent of the main processor, between the OOB co-processor and a network controller of the computer platform, a key encryption key (KEK) from a key distribution center (KDC) ;
  
  receiving, with the OOB co-processor and independent of the main processor, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;
  
  securely storing the KEK using the OOB co-processor;
  
  enabling, with the OOB co-processor, the BIOS to proceed with booting of an operating system (OS);
  
  wrapping an OS credential manager with a shim, wherein the OS credential manager is configured to authenticate a user to the OS;
  
  intercepting an OS login process by the shim wrapping the OS credential manager;
  
  receiving, with the OOB co-processor, a request for the KEK from the shim used to intercept the OS login process;
  
  retrieving, with the OOB co-processor, the KEK from secure storage; and
  
  sending, with the OOB co-processor, the KEK to the OS, wherein the shim, upon receipt of the KEK suppresses an OS login prompt and completes booting of the OS;
  
  wherein when the OS requires access to the Enterprise server, the ME uses the KEK to obtain a ticket specific to the Enterprise server, and the OS retrieves the ticket specific to the Enterprise server from the ME.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of claim 11, wherein a user authenticates to the PBAM through a BIOS.
  - 13. The article of claim 11, wherein the PBAM provides an authentication challenge to a user to authenticate the user, the authentication challenge requiring the user to enter the user authentication credentials.
  - 14. The article of claim 11, wherein the user authentication credentials comprise a user identification and a user password.
  - 15. The article of claim 11, wherein instructions for requesting the key encryption key (KEK) from the KDC comprises instructions for opening a connection to an Enterprise network and requesting the KEK from the KDC.
  - 16. The article of claim 15, wherein the KDC verifies that a user is a known entity with the Enterprise network by querying a directory using the user authentication credentials to verify the authenticity of the user.
  - 17. The article of claim 11, wherein when the KEK is securely stored, the KEK is under the control of the OOB co-processor and has the authority granted to obtain a service specific ticket to Enterprise servers.
  - 18. The article of claim 11, wherein when the KEK is securely stored, the user is logged on to the OOB co-processor using Enterprise single-sign-on credentials.
  - 19. The article of claim 11, wherein loading the OS invokes a user authentication module to authenticate a user to the OS.
  - 20. The article of claim 11, wherein suppressing the OS login prompt enables the user authentication to only request a single-sign-on.

21. A computer platform to securely access an Enterprise server, the computer platform comprising:
- a main processor to execute a BIOS including a pre-boot authentication module (PBAM);
  
  an out-of-band (OOB) manageability engine (ME) having an OOB processor separate from the main processor; and
  
  a network controller having a dedicated OOB interface to the OOB processor, independent of the main processor;
  
  wherein the OOB processor of the ME is to;
  
  receive user authentication credentials from the PBAM, wherein a user authenticates to the PBAM through the BIOS;
  
  request, via the dedicated OOB interface, a key encryption key (KEK) from a key distribution center (KDC);
  
  receive, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;
  
  securely store the KEK;
  
  enable the BIOS to proceed with booting of an operating system (OS);
  
  receive a request for the KEK from a shim that wraps an OS credential manager and is used to intercept an OS login process, wherein the OS credential manager is configured to authenticate a user to the OS;
  
  retrieve the KEK from secure storage; and
  
  send the KEK to the OS;
  
  wherein the main processor to wrap the OS credential manager with the shim and intercept the OS login process by the shim that wraps the OS credential manager, and wherein the shim, upon receipt of the KEK, to suppress an OS login prompt and complete booting of the OS; and
  
  wherein when the OS requires access to the Enterprise server, the ME to use the KEK to obtain a ticket specific to the Enterprise server, and the OS to retrieve the ticket specific to the Enterprise server from the ME.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The computer platform of claim 21, wherein the PBAM is further to provide an authentication challenge to a user to authenticate the user, the authentication challenge to require the user to enter the user authentication credentials.
  - 23. The computer platform of claim 21, wherein the user authentication credentials comprise a user identification and a user password.
  - 24. The computer platform of claim 21, wherein to request the key encryption key (KEK) from the KDC comprises to open a connection to an Enterprise network and request the KEK from the KDC.
  - 25. The computer platform of claim 24, wherein the KDC is to verify that a user is a known entity with the Enterprise network by querying a directory using the user authentication credentials to verify the authenticity of the user.
  - 26. The computer platform of claim 21, wherein when the KEK is securely stored, the KEK is under the control of the OOB co-processor and has the authority granted to obtain a service specific ticket to Enterprise servers.
  - 27. The computer platform of claim 21, wherein when the KEK is securely stored, the user is logged on to the OOB co-processor using Enterprise single-sign-on credentials.
  - 28. The computer platform of claim 21, wherein to suppress the OS login prompt comprises to enable the user authentication to only request a single-sign-on.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned, Goel, Purushottam
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
LEUNG, ROBERT B

Application Number

US12/319,065
Publication Number

US 20100169640A1
Time in Patent Office

2,107 Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 21/575   Secure boot

G06F 21/72   in cryptographic circuits

G06F 21/80   in storage media based on m...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2103   Challenge-response

G09G 2358/00   Arrangements for display da...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

Method and system for enterprise network single-sign-on by a manageability engine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for enterprise network single-sign-on by a manageability engine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links