Trusted container

US 9,419,953 B2
Filed: 12/23/2012
Issued: 08/16/2016
Est. Priority Date: 12/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

deriving, using a secured microcontroller of a client computing device, a secure identifier comprising a one-time password unique to a pairing of the client computing device and a particular domain comprising at least one second computing device, the secure identifier derived based at least in part on seed data received from the particular domain, the seed data separate from a domain identifier of the particular domain and unique to the pairing of the client computing device and the particular domain, the seed data stored in a secured memory of the client computing device inaccessible to an operating system of the client computing device;

identifying, in the secured memory of the client computing device, security posture data corresponding to attributes of the client computing device; and

sending the secure identifier and the security posture data together in a secured container to a management device of the particular domain.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure identifier is derived, using a secured microcontroller of a computing device, that is unique to a pairing of the computing device and a particular domain. Secure posture data corresponding to attributes of the computing device is identified in secured memory of the computing device. The secure identifier and security posture is sent in a secured container to a management device of the particular domain. The particular domain can utilize the information in the secured container to authenticate the computing device and determine a security task to be performed relating to interactions of the computing device with the particular domain.

Citations

20 Claims

1. A method comprising:
- deriving, using a secured microcontroller of a client computing device, a secure identifier comprising a one-time password unique to a pairing of the client computing device and a particular domain comprising at least one second computing device, the secure identifier derived based at least in part on seed data received from the particular domain, the seed data separate from a domain identifier of the particular domain and unique to the pairing of the client computing device and the particular domain, the seed data stored in a secured memory of the client computing device inaccessible to an operating system of the client computing device;
  
  identifying, in the secured memory of the client computing device, security posture data corresponding to attributes of the client computing device; and
  
  sending the secure identifier and the security posture data together in a secured container to a management device of the particular domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the secured container is sent to the particular domain over a secure communication channel, the secure communication channel comprising an out-of-band communication channel between the secured microcontroller and the particular domain independent from an in-band communication channel between a central processing unit of the client computing device and the particular domain.
  - 3. The method of claim 2, further comprising:
    - negotiating with the particular domain to establish the secure communication channel.
  - 4. The method of claim 3, wherein negotiating the secure communication channel includes a key exchange protocol.
  - 5. The method of claim 4, wherein the key exchange protocol is a SIGMA key exchange protocol.
  - 6. The method of claim 1, further comprising:
    - authenticating the particular domain at the client computing device; and
      
      providing a secure application programming interface (API) to a management controller executed by the secured microcontroller based on the authenticating of the particular domain.
  - 7. The method of claim 6, further comprising receiving a certificate from the particular domain, wherein the particular domain is authenticated based at least in part on the received certificate.
  - 8. The method of claim 1, further comprising:
    - deriving, using the secured microcontroller, a second secure identifier unique to a pairing of the client computing device and a second domain;
      
      identifying, in the secured memory of the client computing device, security posture data corresponding to attributes of the client computing device; and
      
      sending the second secure identifier and at least a portion of the security posture data to the second domain.
  - 9. The method of claim 1, wherein the secured microcontroller is independent of the operating system of the client computing device and values of secure identifiers derived by the secured microcontroller are hidden from the operating system.
  - 10. The method of claim 1, further comprising collecting at least a portion of the security posture data using the secured microcontroller.

11. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- derive, using a secured microcontroller of a client computing device, a secure identifier comprising a one-time password unique to a pairing of the client computing device and a particular domain comprising at least one second computing device, the secure identifier derived based at least in part on seed data received from the particular domain, the seed data separate from a domain identifier of the particular domain and unique to the pairing of the client computing device and the particular domain, the seed data stored in a secured memory of the client computing device inaccessible to an operating system of the client computing device;
  
  identify, in the secured memory of the client computing device, security posture data corresponding to attributes of the client computing device; and
  
  send the secure identifier and the security posture data together in a secured container to a management device of the particular domain.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The non-transitory storage medium of claim 11, wherein the seed data is to be provisioned on the secured memory by the particular domain over a secure communication channel, wherein the seed data is to be unique to the client computing device within the particular domain, the secure communication channel comprising an out-of-band communication channel between the secured microcontroller and the particular domain independent from an in-band communication channel between a central processing unit of the client computing device and the particular domain.
  - 13. The non-transitory storage medium of claim 12, wherein deriving the secure identifier includes:
    - identifying the seed data in the secured memory as corresponding to the particular domain; and
      
      generating the one-time-password from the seed data, wherein the particular domain derives the seed data from the one-time-password to authenticate to the client computing device.
  - 14. The non-transitory storage medium of claim 11, wherein the security posture data is to include boot policies of the client computing device.
  - 15. The non-transitory storage medium of claim 11, wherein the attributes are to include a hardware configuration of the client computing device.
  - 16. The non-transitory storage medium of claim 11, wherein the attributes are to include a state of use of the client computing device.
  - 17. The non-transitory storage medium of claim 11, wherein the attributes are to include software installed on the client computing device.
  - 18. The non-transitory storage medium of claim 17, wherein the attributes are to include an operating system installed on the client computing device.

19. A system comprising:
- a system processor device;
  
  system memory accessible to the system processor device;
  
  secure management controller memory isolated from the system processor device and the system memory and adapted to store;
  
  persistent authentication data; and
  
  security posture data corresponding to attributes of a client computing device;
  
  a secure management microcontroller; and
  
  a management engine adapted, when executed by the secure management microcontroller, to;
  
  derive, using the secure management microcontroller, a secure identifier comprising a one-time password unique to a pairing of the client computing device and a particular domain comprising at least one second computing device, the secure identifier derived based at least in part on seed data received from the particular domain, the seed data separate from a domain identifier of the particular domain and unique to the pairing of the client computing device and the particular domain, the seed data stored in the secure management microcontroller memory; and
  
  send the secure identifier and the security posture data together in a secured container to a management device of the particular domain.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the secure management microcontroller is to send the secured container to the particular domain over a secure communication channel, the secure communication channel comprising an out-of-band communication channel between the secure management microcontroller and the particular domain independent from an in-band communication channel between a central processing unit of the client computing device and the particular domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Von Bokern, Vincent Edward, Goel, Purushottam, Schrecker, Sven, Smith, Ned McArthur
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US13/726,167
Publication Number

US 20140181894A1
Time in Patent Office

1,332 Days
Field of Search

726/1, 726/3, 726/7
US Class Current

1/1
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/28   Restricting access to netwo...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

Trusted container

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted container

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links