Technologies for secure server access using a trusted license agent

US 9,749,323 B2
Filed: 03/27/2015
Issued: 08/29/2017
Est. Priority Date: 03/27/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device for secure server access, the computing device comprising:

a processor that includes secure enclave support;

a license agent loader module to load a license agent into a secure enclave;

a server access module to bind, by the license agent, a machine identifier and a user identifier to an application license, wherein to bind the machine identifier and the user identifier to the application license comprises to transmit the machine identifier and the user identifier to a remote server;

an application request module to receive, by the license agent, a request to access the remote server from an application of the computing device in response to binding of the machine identifier and the user identifier to application license;

an attestation module to perform, by the license agent, remote attestation of the secure enclave with the remote server via a secure connection between the license agent and the remote server; and

a user authentication module to authenticate, by the license agent, a user of the computing device;

wherein the server access module is further to (i) transmit, by the license agent, the machine identifier and the user identifier to the remote server via the secure connection in response to authentication of the user, wherein the machine identifier identifies the computing device and the user identifier identifies the user of the computing device; and

(ii) allow, by the license agent, the application to access the secure connection with the remote server in response to authentication of the machine identifier and the user identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for secure server access include a client computing device that loads a license agent into a secure enclave established by a processor of the client computing device. The license agent receives a request from an application to access a remote server device. The license agent opens a secure connection with the server device and performs remote attestation of the secure enclave. The license agent authenticates the user and transmits a machine identifier and a user identifier to the server device. The machine identifier may be based on an enclave sealing key of the client computing device. The server device verifies that the machine identifier and the user identifier are bound to a valid application license. If the machine identifier and the user identifier are successfully verified, the application communicates with the server device using the secure connection. Other embodiments are described and claimed.

10 Citations

View as Search Results

22 Claims

1. A computing device for secure server access, the computing device comprising:
- a processor that includes secure enclave support;
  
  a license agent loader module to load a license agent into a secure enclave;
  
  a server access module to bind, by the license agent, a machine identifier and a user identifier to an application license, wherein to bind the machine identifier and the user identifier to the application license comprises to transmit the machine identifier and the user identifier to a remote server;
  
  an application request module to receive, by the license agent, a request to access the remote server from an application of the computing device in response to binding of the machine identifier and the user identifier to application license;
  
  an attestation module to perform, by the license agent, remote attestation of the secure enclave with the remote server via a secure connection between the license agent and the remote server; and
  
  a user authentication module to authenticate, by the license agent, a user of the computing device;
  
  wherein the server access module is further to (i) transmit, by the license agent, the machine identifier and the user identifier to the remote server via the secure connection in response to authentication of the user, wherein the machine identifier identifies the computing device and the user identifier identifies the user of the computing device; and
  
  (ii) allow, by the license agent, the application to access the secure connection with the remote server in response to authentication of the machine identifier and the user identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing device of claim 1, wherein the server access module is further to generate, by the license agent, the machine identifier as a function of a unique key, wherein the unique key is unique to a combination of the secure enclave and the computing device.
  - 3. The computing device of claim 2, wherein the unique key comprises an enclave sealing key.
  - 4. The computing device of claim 2, wherein to generate the machine identifier further comprises to generate the machine identifier as a function of a server challenge data item received from the remote server.
  - 5. The computing device of claim 1, wherein to perform remote attestation of the secure enclave comprises to:
    - generate, by the license agent, a measurement of the secure enclave; and
      
      transmit, by the license agent, the measurement of the secure enclave to the remote server.
  - 6. The computing device of claim 5, wherein to generate the measurement of the secure enclave comprises to generate a measurement indicative of a security log associated with the secure enclave, wherein the security log is indicative of contents of the secure enclave and an order of creation of the secure enclave.
  - 7. The computing device of claim 1, wherein to authenticate the user of the computing device comprises to receive user credentials from the user using a trusted I/O path of the computing device.

8. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
- load a license agent into a secure enclave established by a processor of the computing device;
  
  bind, by the license agent, a machine identifier and a user identifier to an application license, wherein to bind the machine identifier and the user identifier to the application license comprises to transmit the machine identifier and the user identifier to a remote server;
  
  receive, by the license agent, a request to access the remote server from an application of the computing device in response to binding the machine identifier and the user identifier to application license;
  
  perform, by the license agent, remote attestation of the secure enclave with the remote server via secure connection between the license agent and the remote server;
  
  authenticate, by the license agent, a user of the computing device;
  
  transmit, by the license agent, the machine identifier and the user identifier to the remote server via the secure connection in response to authenticating the user, wherein the machine identifier identifies the computing device and the user identifier identifies the user of the computing device; and
  
  allow, by the license agent, the application to access the secure connection with the remote server in response to authenticating the machine identifier and the user identifier.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The one or more non-transitory, computer-readable storage media of claim 8, further comprising a plurality of instructions that in response to being executed cause the computing device to generate, by the license agent, the machine identifier as a function of a unique key, wherein the unique key is unique to a combination of the secure enclave and the computing device.
  - 10. The one or more non-transitory, computer-readable storage media of claim 8, wherein to perform remote attestation of the secure enclave comprises to:
    - generate, by the license agent, a measurement of the secure enclave; and
      
      transmit, by the license agent, the measurement of the secure enclave to the remote server.
  - 11. The one or more non-transitory, computer-readable storage media of claim 10, wherein to generate the measurement of the secure enclave comprises to generate a measurement indicative of a security log associated with the secure enclave, wherein the security log is indicative of contents of the secure enclave and an order of creation of the secure enclave.
  - 12. The one or more non-transitory, computer-readable storage media of claim 8, wherein to authenticate the user of the computing device comprises to receive user credentials from the user using a trusted I/O path of the computing device.

13. A computing device for secure server access, the computing device comprising:
- an application license module to bind a first machine identifier and a first user identifier to an application license, wherein the first machine identifier identifies a particular combination of a client computing device and a secure enclave established by a processor of the client computing device and the first user identifier identifies a particular user of the client computing device;
  
  a client computing device module to open a secure connection with the client computing device;
  
  an attestation module to perform remote attestation of the secure enclave of the client computing device via the secure connection; and
  
  an access verification module to (i) receive a second machine identifier and a second user identifier from the client computing device via the secure connection and (ii) determine whether the second machine identifier matches the first machine identifier and whether the second user identifier matches the first user identifier;
  
  wherein the client computing device module is further to allow the client computing device to access data of the computing device via the secure connection in response to (i) performance of the remote attestation of the secure enclave and (ii) a determination that the second machine identifier matches the first machine identifier and that the second user identifier matches the first user identifier.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computing device of claim 13, wherein the first machine identifier is generated as a function of a unique key, wherein the unique key is unique to the combination of the client computing device and the secure enclave of the client computing device.
  - 15. The computing device of claim 14, wherein the unique key comprises an enclave sealing key.
  - 16. The computing device of claim 13, wherein to bind the first machine identifier and the first user identifier to the application license comprises to transmit a server challenge data item to the client computing device, wherein the machine identifier is further indicative of the server challenge data item.
  - 17. The computing device of claim 13, wherein to perform remote attestation of the secure enclave of the client computing device comprises to:
    - receive, via the secure connection, a measurement of the secure enclave; and
      
      verify that the secure enclave is intact based on the measurement of the secure enclave.
  - 18. The computing device of claim 17, wherein the measurement of the secure enclave is indicative of a security log associated with the secure enclave, wherein the security log is indicative of contents of the secure enclave and an order of creation of the secure enclave.

19. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
- bind a first machine identifier and a first user identifier to an application license, wherein the first machine identifier identifies a particular combination of a client computing device and a secure enclave established by a processor of the client computing device and wherein the first user identifier identifies a particular user of the client computing device;
  
  open a secure connection with the client computing device;
  
  perform remote attestation of the secure enclave of the client computing device via the secure connection;
  
  receive a second machine identifier and a second user identifier from the client computing device via the secure connection;
  
  determine whether the second machine identifier matches the first machine identifier and whether the second user identifier matches the first user identifier; and
  
  allow the client computing device to access data of the computing device via the secure connection in response to (i) performing the remote attestation of the secure enclave and (ii) determining that the second machine identifier matches the first machine identifier and that the second user identifier matches the first user identifier.
- View Dependent Claims (20, 21, 22)
- - 20. The one or more non-transitory, computer-readable storage media of claim 19, wherein the first machine identifier is generated as a function of a unique key, wherein the unique key is unique to the combination of the client computing device and the secure enclave of the client computing device.
  - 21. The one or more non-transitory, computer-readable storage media of claim 19, wherein to perform remote attestation of the secure enclave of the client computing device comprises to:
    - receive, via the secure connection, a measurement of the secure enclave; and
      
      verify that the secure enclave is intact based on the measurement of the secure enclave.
  - 22. The one or more non-transitory, computer-readable storage media of claim 21, wherein the measurement of the secure enclave is indicative of a security log associated with the secure enclave, wherein the security log is indicative of contents of the secure enclave and an order of creation of the secure enclave.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Lenz, Oron, Milshten, Noam, Berdichevsky, Ilya
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
TENG, LOUIS C

Application Number

US14/670,959
Publication Number

US 20160285875A1
Time in Patent Office

886 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/577   Assessing vulnerabilities a...

H04L 2463/103   applying security measure f...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

Technologies for secure server access using a trusted license agent

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Technologies for secure server access using a trusted license agent

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links