Secure import and export of keying material

US 9,602,500 B2
Filed: 12/20/2013
Issued: 03/21/2017
Est. Priority Date: 12/20/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one memory coupled to a processor;

at least one secure processor that is included in a first computing node, coupled to the memory, and out-of-band from the processor;

the at least one secure processor to perform operations comprising;

generating a key pair including a first public key and a corresponding first private key;

receiving an instance of a certificate, including a second public key, from a second computing node located remotely from the first computing node;

associating the instance of the certificate with the key pair;

receiving an additional instance of the certificate;

verifying the additional instance of the certificate is associated with the key pair; and

encrypting and then exporting an instance of the first private key in response to verifying the additional instance of the certificate is associated with the key pair.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment includes a method executed by at least one processor of a first computing node comprising: generating a key pair including a first public key and a corresponding first private key; receiving an instance of a certificate, including a second public key, from a second computing node located remotely from the first computing node; associating the instance of the certificate with the key pair; receiving an additional instance of the certificate; verifying the additional instance of the certificate is associated with the key pair; and encrypting and exporting the first private key in response to verifying the additional instance of the certificate is associated with the key pair. Other embodiments are described herein.

Citations

23 Claims

1. An apparatus comprising:
- at least one memory coupled to a processor;
  
  at least one secure processor that is included in a first computing node, coupled to the memory, and out-of-band from the processor;
  
  the at least one secure processor to perform operations comprising;
  
  generating a key pair including a first public key and a corresponding first private key;
  
  receiving an instance of a certificate, including a second public key, from a second computing node located remotely from the first computing node;
  
  associating the instance of the certificate with the key pair;
  
  receiving an additional instance of the certificate;
  
  verifying the additional instance of the certificate is associated with the key pair; and
  
  encrypting and then exporting an instance of the first private key in response to verifying the additional instance of the certificate is associated with the key pair.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the operations comprise:
    - after associating the instance of the certificate with the key pair, receiving another certificate that is not an another instance of the certificate;
      
      attempting but failing to verify the another certificate is associated with the key pair; and
      
      rejecting exporting an additional instance of the first private key in response to attempting but failing to verify the another certificate is associated with the key pair.
  - 3. The apparatus of claim 1, wherein the operations comprise:
    - receiving a request to export an additional instance of the first private key; and
      
      rejecting exporting the additional instance of the first private key in response to receiving the request to export the additional instance of the first private key.
  - 4. The apparatus of claim 1, wherein the operations comprise:
    - receiving another certificate that is not an another instance of the certificate;
      
      verifying the another certificate is associated with the key pair; and
      
      encrypting and then exporting an additional instance of the first private key in response to verifying the another certificate is associated with the key pair.
  - 5. The apparatus of claim 1, wherein the operations comprise:
    - verifying the first computing node allows exportation of the instance of the first private key; and
      
      exporting the instance of the first private key in response to verifying the first computing node allows exportation of the instance of the first private key;
      
      wherein the at least one secure processor is included in a trusted execution environment (TEE).
  - 6. The apparatus of claim 1, wherein the operations comprise:
    - after associating the instance of the certificate with the key pair, receiving multiple additional certificates of which none are another instance of the certificate; and
      
      rejecting exporting an additional instance of the first private key in response to associating the instance of the certificate with the key pair and receiving the multiple additional certificates.
  - 7. The apparatus of claim 1, wherein the operations comprise:
    - generating a certificate request that is coupled to the first public key;
      
      wherein (a) the instance of the certificate is coupled to a certificate chain that includes a certificate including the first public key, and (b) the second computing node corresponds to at least one of a certificate authority (CA) and a migration authority (MA);
      
      verifying the certificate chain; and
      
      associating the instance of the certificate with the key pair in response to verifying the certificate chain.

8. At least one non-transitory storage medium having instructions stored thereon for causing a system, including at least one secure out-of-band processor of a first computing node, to perform operations comprising:
- generating a key pair including a first public key and a corresponding first private key;
  
  receiving an instance of a certificate, including a second public key, from a second computing node located remotely from the first computing node;
  
  associating the instance of the certificate with the key pair;
  
  receiving an additional instance of the certificate;
  
  verifying the additional instance of the certificate is associated with the key pair; and
  
  encrypting and then exporting an instance of the first private key in response to verifying the additional instance of the certificate is associated with the key pair.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 9. The at least one non-transitory storage medium of claim 8, the operations comprising:
    - after associating the instance of the certificate with the key pair, receiving another certificate that is not another instance of the certificate; and
      
      attempting but failing to verify the another certificate is associated with the key pair.
  - 10. The at least one non-transitory storage medium of claim 9, the operations comprising rejecting exporting an additional instance of the first private key in response to attempting but failing to verify the another certificate is associated with the key pair.
  - 11. The at least one non-transitory storage medium of claim 10, the operations comprising:
    - receiving a request to export the additional instance of the first private key; and
      
      rejecting exporting the additional instance of first private key in response to receiving the request to export the additional instance of first private key.
  - 12. The at least one non-transitory storage medium of claim 8, the operations comprising:
    - receiving another certificate that is not another instance of the certificate;
      
      verifying the another certificate is associated with the key pair; and
      
      encrypting and then exporting an additional instance of the first private key in response to verifying the another certificate is associated with the key pair.
  - 13. The at least one non-transitory storage medium of claim 12, the operations comprising:
    - storing a first identifier, which corresponds to the instance of the certificate, in at least one memory coupled to the at east one secure out-of-band processor; and
      
      storing a second identifier, which corresponds to the another certificate, in the at least one memory.
  - 14. The at least one non-transitory storage medium of claim 8, the operations comprising;
    - generating an additional key pair including an additional first public key and a corresponding additional first private key;
      
      receiving an instance of an additional certificate including an additional second public key;
      
      associating the instance of the additional certificate with the additional key pair;
      
      receiving an additional instance of the additional certificate;
      
      verifying the additional instance of the additional certificate is associated with the additional key pair; and
      
      encrypting and then exporting an instance of the additional first private key in response to verifying the additional instance of the additional certificate is associated with the additional key pair.
  - 15. The at least one non-transitory storage medium of claim 8, the operations comprising:
    - verifying the first computing node allows exportation of the instance of the first private key; and
      
      exporting the instance of the first private key in response to verifying the first computing node allows exportation of the instance of the first private key.
  - 16. The at least one non-transitory storage medium of claim 15 wherein verifying the first computing node allows exportation of the instance of the first private key includes reading a flag status.
  - 17. The at least one non-transitory storage medium of claim 8, the operations comprising;
    - after associating the instance of the certificate with the key pair, receiving multiple additional certificates of which none are another instance of the certificate; and
      
      rejecting exporting an additional instance of the first private key in response to associating the instance of the certificate with the key pair and receiving the multiple additional certificates.
  - 18. The at least one non-transitory storage medium of claim 8, the operations comprising;
    - receiving a request to export an additional instance of the first private key; and
      
      rejecting exporting the additional instance of the first private key in response to receiving the request to export the additional instance of the first private key.
  - 19. The at least one non-transitory storage medium of claim 8, the operations comprising:
    - generating a wrapping key in response to verifying the additional instance of the certificate is associated with the key pair; and
      
      encrypting the instance of the first private key with the wrapping key.
  - 20. The at least one non-transitory storage medium of claim 8, the operations comprising:
    - associating a wrapping key with the key pair; and
      
      encrypting the instance of the first private key with the wrapping key in response to associating the wrapping key with the key pair.
  - 21. The at least one non-transitory storage medium of claim 8, the operations comprising;
    - receiving a personal identification number (PIN);
      
      determining a wrapping key in response to receiving the PIN; and
      
      encrypting the instance of the first private key with the wrapping key.
  - 22. The at least one non-transitory storage medium of claim 21, the operations comprising:
    - receiving an additional instance of the PIN;
      
      determining an additional instance of the wrapping key in response to receiving the additional instance of the PIN; and
      
      decrypting an additional instance of the first private key with the additional instance of the wrapping key.
  - 23. The at least one non-transitory storage medium of claim 8, the operations comprising:
    - generating a certificate request that is coupled to the first public key;
      
      wherein (a) the instance of the certificate is coupled to a certificate chain that includes a certificate including the first public key, and (b) the second computing node corresponds to at least one of a certificate authority (CA) and a migration authority (MA);
      
      verifying the certificate chain; and
      
      associating the instance of the certificate with the key pair in response to verifying the certificate chain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Nayshtut, Alex, Khosravi, Hormuzd M., Ben-Shalom, Omer, Pivitt, Barry R., Smith, Ned M.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US14/367,434
Publication Number

US 20160323264A1
Time in Patent Office

1,187 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 9/3268   using certificate validatio...

Secure import and export of keying material

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secure import and export of keying material

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links