Methods and apparatus for securing communications between a node and a server based on hardware metadata gathered by an in-memory process

US 8,990,550 B1
Filed: 12/27/2012
Issued: 03/24/2015
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method for securing communications between a boot node and a server, comprising:

receiving a microkernel at said boot node from said server;

executing said microkernel in a memory of said boot node to dynamically gather hardware-related metadata for said boot node, wherein said hardware-related metadata comprises information about physical characteristics of said boot node;

generating a unique identifier for said boot node using said hardware-related metadata;

generating a public/private key pair for said boot node using said unique identifier;

storing said generated public/private key pair with said associated unique identifier in a key management system; and

securing communications between said boot node and said server using said public/private key pair retrieved from said key management system using said associated unique identifier for said boot node.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for securing communications between a node and a server, for example, during a boot process. In accordance with an aspect of the invention, a method is provided for securing communications between a node and a server, comprising: dynamically gathering hardware-related metadata for the node using a process running in memory; generating a unique identifier for the node using the hardware-related metadata; generating a public/private key pair for the node using the unique identifier; and securing communications between the node and the server using the public/private key pair. The process comprises, for example, an in-memory microkernel executing on a boot node. The hardware-related metadata comprises, for example, information about physical characteristics of the node. The unique identifier for the node can optionally be further based on information obtained from a Trusted Processing Module. The node can be authenticated using the public/private key pair.

Citations

18 Claims

1. A method for securing communications between a boot node and a server, comprising:
- receiving a microkernel at said boot node from said server;
  
  executing said microkernel in a memory of said boot node to dynamically gather hardware-related metadata for said boot node, wherein said hardware-related metadata comprises information about physical characteristics of said boot node;
  
  generating a unique identifier for said boot node using said hardware-related metadata;
  
  generating a public/private key pair for said boot node using said unique identifier;
  
  storing said generated public/private key pair with said associated unique identifier in a key management system; and
  
  securing communications between said boot node and said server using said public/private key pair retrieved from said key management system using said associated unique identifier for said boot node.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said unique identifier for said boot node is further based on information obtained from a Trusted Processing Module on said boot node.
  - 3. The method of claim 1, further comprising the step of storing said public/private key pair in an external key management system.
  - 4. The method of claim 1, wherein said communications comprise one or more of a configuration change, an operating system installation, a BIOS update and a firmware update.
  - 5. The method of claim 1, further comprising the step of authenticating said boot node using said public/private key pair.
  - 6. The method of claim 1, further comprising the step of securing communications between said boot node and at least one additional node using said public/private key pair.

7. An apparatus for securing communications between a boot node and a server, the apparatus comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to implement the following steps;
  
  receive a microkernel at said boot node from said server;
  
  execute said microkernel in a memory of said boot node to dynamically gather hardware-related metadata for said boot node, wherein said hardware-related metadata comprises information about physical characteristics of said boot node;
  
  generate a unique identifier for said boot node using said hardware-related metadata;
  
  generate a public/private key pair for said boot node using said unique identifier;
  
  store said generated public/private key pair with said associated unique identifier in a key management system; and
  
  secure communications between said boot node and said server using said public/private key pair retrieved from said key management system using said associated unique identifier for said boot node.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein said unique identifier for said boot node is further based on information obtained from a Trusted Processing Module on said boot node.
  - 9. The apparatus of claim 7, wherein said at least one hardware device is further configured to store said public/private key pair in an external key management system.
  - 10. The apparatus of claim 7, wherein said communications comprise one or more of a configuration change, an operating system installation, a BIOS update and a firmware update.
  - 11. The apparatus of claim 7, wherein said at least one hardware device is further configured to authenticate said boot node using said public/private key pair.
  - 12. The apparatus of claim 7, wherein said at least one hardware device is further configured to secure communicate between said boot node and at least one additional node using said public/private key pair.

13. A non-transitory machine-readable recordable storage medium for securing communications between a boot node and a server, wherein one or more software programs when executed by one or more processing devices implement the following steps:
- receiving a microkernel at said boot node from said server;
  
  executing said microkernel in a memory of said boot node to dynamically gather hardware-related metadata for said boot node, wherein said hardware-related metadata comprises information about physical characteristics of said boot node;
  
  generating a unique identifier for said boot node using said hardware-related metadata;
  
  generating a public/private key pair for said boot node using said unique identifier;
  
  storing said generated public/private key pair with said associated unique identifier in a key management system; and
  
  securing communications between said boot node and said server using said public/private key pair retrieved from said key management system using said associated unique identifier for said boot node.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory machine-readable recordable storage medium of claim 13, wherein said unique identifier for said boot node is further based on information obtained from a Trusted Processing Module on said boot node.
  - 15. The non-transitory machine-readable recordable storage medium of claim 13, further comprising the step of storing said public/private key pair in an external key management system.
  - 16. The non-transitory machine-readable recordable storage medium of claim 13, wherein said communications comprise one or more of a configuration change, an operating system installation, a BIOS update and a firmware update.
  - 17. The non-transitory machine-readable recordable storage medium of claim 13, further comprising the step of authenticating said boot node using said public/private key pair.
  - 18. The non-transitory machine-readable recordable storage medium of claim 13, further comprising the step of securing communications between said boot node and at least one additional node using said public/private key pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Hushon, John Daniel, Weaver, Nicholas, McSweeney, Tom
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/728,382
Time in Patent Office

817 Days
Field of Search

713/2
US Class Current

713/2
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/572   Secure firmware programming...

G06F 9/4401   Bootstrapping security arra...

G06F 9/4416   Network booting; Remote ini...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

Methods and apparatus for securing communications between a node and a server based on hardware metadata gathered by an in-memory process

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for securing communications between a node and a server based on hardware metadata gathered by an in-memory process

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links