Hardware-based device authentication

US 9,294,478 B2
Filed: 09/29/2014
Issued: 03/22/2016
Est. Priority Date: 12/23/2012
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

detect that a computing device has entered a particular domain;

receive a domain identifier of the particular domain over a network associated with the particular domain, the domain identifier included in a domain certificate;

identify, using a secured microcontroller of the computing device, a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device, wherein the secured microcontroller is independent of an operating system of the computing device and values of secure identifiers derived by the secured microcontroller are hidden from the operating system, the hardware identifier derived from a fuse key stored in a non-volatile memory of the computing device during fabrication; and

derive, using the secured microcontroller, a secure identifier for a pairing of the computing device and the particular domain based on the hardware identifier and the domain identifier of the particular domain.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An opportunity for a computing device to participate in a secure session with a particular domain is identified. A domain identifier of the particular domain is received and a secured microcontroller of the computing device is used to identify a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device. A secure identifier is derived for a pairing of the computing device and the particular domain based on the hardware identifier and domain identifier of the particular domain and the secure identifier is transmitted over a secured channel to the particular domain. The particular domain can verify identity of the computing device from the secure identifier and apply security policies to transactions involving the computing device and the particular domain based at least in part on the secure identifier.

Citations

20 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- detect that a computing device has entered a particular domain;
  
  receive a domain identifier of the particular domain over a network associated with the particular domain, the domain identifier included in a domain certificate;
  
  identify, using a secured microcontroller of the computing device, a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device, wherein the secured microcontroller is independent of an operating system of the computing device and values of secure identifiers derived by the secured microcontroller are hidden from the operating system, the hardware identifier derived from a fuse key stored in a non-volatile memory of the computing device during fabrication; and
  
  derive, using the secured microcontroller, a secure identifier for a pairing of the computing device and the particular domain based on the hardware identifier and the domain identifier of the particular domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The storage medium of claim 1, wherein at least some of the secure identifiers are to map to a user profile.
  - 3. The storage medium of claim 1, wherein the value of the secure identifier is derived by the secured microcontroller via a hash operation.
  - 4. The storage medium of claim 1, wherein the secure identifier is a unique identifier within a system to correspond to the pairing of the computing device and the particular domain.
  - 5. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to:
    - receive a request to reset the hardware identifier;
      
      reset the hardware identifier; and
      
      derive a replacement hardware identifier, wherein the replacement hardware identifier comprises a secured, persistent identifier.
  - 6. The storage medium of claim 5, wherein the secure identifier is a first secure identifier, and the instructions, when executed, further cause the machine to:
    - identify an opportunity for the computing device to participate in a secure session with the particular domain following the reset;
      
      derive a second secure identifier for the pairing of the computing device and the particular domain based on the replacement hardware identifier and the domain identifier of the particular domain, wherein the second secure identifier is different from the first secure identifier; and
      
      communicate the second secure identifier to a computing system associated with the particular domain.
  - 7. The storage medium of claim 1, wherein the secure identifier is a first secure identifier, and the instructions, when executed, further cause the machine to:
    - identify an opportunity for the computing device to participate in a secure session with a second domain;
      
      receive a domain identifier of the second domain;
      
      derive a second secure identifier for a pairing of the computing device and the second domain based on the hardware identifier and the domain identifier of the second domain, wherein the second secure identifier is different from the first secure identifier; and
      
      transmit the second secure identifier over a secured channel to the second domain.
  - 8. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to send security posture data over the secured channel, the security posture data describing attributes of the computing device.

9. A mobile computing device comprising:
- a secured microcontroller;
  
  secured memory;
  
  secure identifier generation logic, executable by the secured microcontroller to;
  
  identify a domain identifier of a particular one of a plurality of domains, the domain identifier included in a domain certificate received from the particular domain;
  
  identify a secured, persistent hardware identifier stored in the secured memory of the computing device, the hardware identifier derived from a fuse key stored in a non-volatile memory of the secured microcontroller during fabrication; and
  
  derive a secure identifier for a pairing of the mobile computing device and the particular domain based on the hardware identifier and the domain identifier; and
  
  a transmitter to transmit the secure identifier over a secured channel to a computing device associated with the particular domain, wherein the secured microcontroller is independent of an operating system of the mobile computing device and values of secure identifiers derived by the secured microcontroller are hidden from the operating system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The mobile computing device of claim 9, wherein the secured memory comprises flash memory of the secured microcontroller.
  - 11. The mobile computing device of claim 9, wherein the mobile computing device comprises a computer-assisted household appliance.
  - 12. The mobile computing device of claim 9, wherein the mobile computing device comprises a media player.
  - 13. The mobile computing device of claim 9, wherein the mobile computing device comprises a computing system of an automobile.
  - 14. The mobile computing device of claim 9, wherein the mobile computing device comprises one of a tablet computer and a smart phone.
  - 15. The mobile computing device of claim 9, further comprising a communication manager to provide the secure identifier to the transmitter while the operating system is inactive, the communication manager comprising an out-of-band communication channel.

16. A method comprising:
- detecting that a computing device has entered a particular domain;
  
  receiving a domain identifier of the particular domain over a network associated with the particular domain, the domain identifier included in a domain certificate;
  
  identifying, using a secured microcontroller of the computing device, a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device, wherein the secured microcontroller is independent of an operating system of the computing device and values of secure identifiers derived by the secured microcontroller are hidden from the operating system, the hardware identifier derived from a fuse key stored in a non-volatile memory of the computing device during fabrication; and
  
  deriving, using the secured microcontroller, a secure identifier for a pairing of the computing device and the particular domain based on the hardware identifier and the domain identifier of the particular domain.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising communicating the secure identifier, over a secure channel, to a computing system associated with the particular domain.
  - 18. The method of claim 17, wherein the domain identifier is to be received during negotiation of a key exchange protocol used in establishing the secure channel.
  - 19. The method of claim 16, further comprising authenticating the particular domain, wherein authentication of the particular domain permits derivation of the secure identifier.
  - 20. The method of claim 16, wherein deriving the secure identifier comprises generating a hash from the hardware identifier and the domain identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Von Bokern, Vincent Edward, Goel, Purushottam, Schrecker, Sven, Smith, Ned McArthur
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US14/500,130
Publication Number

US 20150200937A1
Time in Patent Office

540 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2255   Hash tables

G06F 21/305   by remotely controlling dev...

G06F 21/44   Program or device authentic...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 9/0877   using additional device, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04W 12/71   Hardware identity

Hardware-based device authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware-based device authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links