Security associations for devices

US 7,778,422 B2
Filed: 02/27/2004
Issued: 08/17/2010
Est. Priority Date: 02/27/2004
Status: Active Grant

First Claim

Patent Images

1. An out-of-band method implemented on a computing device having instructions executable by a processor for asynchronously establishing a secure association with a server node, the method comprising:

generating a local public value and a local private value on a client node;

in response to an attempt to remotely load an operating system by the client node, wherein a profile of the operating system is stored on the server node;

orsimultaneously with a generation of the local public value and the local private value on the server node;

allowing a client node to exchange information for remotely loading an operating system from one node to another node;

loading the operating system on the client node;

storing the public value for configuration of the secure association on an out-of band computer-readable storage medium, wherein the stored public value is not used for authentication;

transporting the out-of-band computer-readable storage medium to the server node to establish a trust relationship allowing for remotely loading the operating system on the client node from the server node, wherein a low level of trust is required as the trust relationship required between the client node and the server node is established by using a third party out-of-band entity;

receiving from the server node a public value generated by the server node via the out-of-band computer-readable storage medium, wherein the public value generated by the server node is generated with a private value generated by the server node in response to receiving the public value from the client node;

generating a secret value using the local private value in combination with the public value received from the server node;

wherein the receiving is asynchronous to the generating the secret value; and

producing the secret value as a function of a local private value; and

sharing the secret value by encrypting the secret value using an imported public key value, the public key value imported via the out-of-band mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generating symmetric keys among distributed appliances, includes generating public and private values on at least one appliance, importing a public value from another appliance via an out-of-band entity, and generating a secret value as a function of the private value corresponding to the local appliance and the public value received from the other appliance.

486 Citations

32 Claims

1. An out-of-band method implemented on a computing device having instructions executable by a processor for asynchronously establishing a secure association with a server node, the method comprising:
- generating a local public value and a local private value on a client node;
  
  in response to an attempt to remotely load an operating system by the client node, wherein a profile of the operating system is stored on the server node;
  
  orsimultaneously with a generation of the local public value and the local private value on the server node;
  
  allowing a client node to exchange information for remotely loading an operating system from one node to another node;
  
  loading the operating system on the client node;
  
  storing the public value for configuration of the secure association on an out-of band computer-readable storage medium, wherein the stored public value is not used for authentication;
  
  transporting the out-of-band computer-readable storage medium to the server node to establish a trust relationship allowing for remotely loading the operating system on the client node from the server node, wherein a low level of trust is required as the trust relationship required between the client node and the server node is established by using a third party out-of-band entity;
  
  receiving from the server node a public value generated by the server node via the out-of-band computer-readable storage medium, wherein the public value generated by the server node is generated with a private value generated by the server node in response to receiving the public value from the client node;
  
  generating a secret value using the local private value in combination with the public value received from the server node;
  
  wherein the receiving is asynchronous to the generating the secret value; and
  
  producing the secret value as a function of a local private value; and
  
  sharing the secret value by encrypting the secret value using an imported public key value, the public key value imported via the out-of-band mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, wherein the method is performed on both of a pair of nodes, and wherein further the secret values generated at both of the nodes are symmetric.
  - 3. A method according to claim 2, wherein the generating a secret value includes performing a Diffie-Hellman computation.
  - 4. A method according to claim 1, further comprising:
    - retaining the secret value locally;
      
      protecting the secret value using the public value received from the other node; and
      
      transmitting the protected secret value to the other node via the out-of-band mechanism.
  - 5. A method according to claim 4, wherein the generating a secret value includes performing a Rivest-Shamir-Adleman (RSA) computation.
  - 6. A method according to claim 1, wherein the receiving of the public value from the other node via an out-of-band mechanism includes downloading the public value from an external device.
  - 7. A method according to claim 6, wherein the external device is any one of a personal digital assistant (PDA), flash memory, memory stick, barcode, smart card, USB-compatible device, Bluetooth-compatible device, and infrared-compatible device.

8. A computer-readable storage medium having one or more instructions causing one or more processors to:
- generate a local two-part code having a public code component and a private code component;
  
  in response to an attempt to allow a processor to remotely load an operating system by a client node from another processor, wherein a profile of the operating system is stored on the another processor;
  
  orsimultaneously with a generation of the two-part code by a server node;
  
  load the operating system on the processor;
  
  store the public component on a peripheral out-of-band device which is then transported over an out-of-band mechanism to the another processor for configuration of a secure association and not authentication, wherein a low level of trust is required for transport as a trust relationship required between the processor and the another processor is established by using a third party out-of-band entity;
  
  receive the public code component asynchronously from another processor via the peripheral device;
  
  generate a secret value using the local private code component and the public code component received from the other processor;
  
  produce the secret value as a function of a local private value; and
  
  share the secret value by encrypting the secret value using an imported public key value, the public key value imported via the out-of-band mechanism.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A computer-readable storage medium according to claim 8, wherein the one or more instructions are executed on the other processor, and wherein further the secret value is symmetrical to the secret value generated on the other processor.
  - 10. A computer-readable storage medium according to claim 8, wherein the one or more instructions to generate a secret value includes one or more instructions to perform a Diffie-Hellman computation.
  - 11. A computer-readable storage medium according to claim 8, further comprising one or more instructions causing one or more processors to:
    - encode the secret value using the public code component received from the other processor; and
      
      transmit the encoded secret value to the other processor via the peripheral device.
  - 12. A computer-readable storage medium according to claim 11, wherein the one or more instructions to generate a secret value includes one or more instructions to perform an RSA computation.
  - 13. A computer-readable storage medium according to claim 8, wherein the one or more instructions to receive the public code component from the other processor via the peripheral device includes downloading the public code component from one of a personal digital assistant (PDA), flash memory, memory stick, barcode, smart card, USB-compatible device, Bluetooth-compatible device, and infrared-compatible device.

14. An apparatus, comprising:
- a computer-readable storage medium;
  
  a key generator on a first node to generate a local public/private key pair based on;
  
  in response to an attempt to remotely load an operating system by the first node, wherein a profile of the operating system is stored on a second node;
  
  orsimultaneously with a generation of the local public/private key pair on the second node;
  
  a computer processor executing code to write the local public/private key pair to an out-of-band computer-readable storage medium to facilitate setup of a secure association and not for authentication, wherein the secure association allows the first node to remotely load an operating system having a profile stored on a second node;
  
  a shared secret generator on the second node to receive the public key from the first node via the out-of-band computer-readable storage medium connection without requiring a high degree of trust between the first node and the second node as a trust relationship required between the first node and the second node is established by using a third party out-of-band entity; and
  
  the shared secret generator to generate a shared secret using the local private key and the public key received from the first node, wherein the shared secret is generated in response to receiving the public key from the first node.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. An apparatus according to claim 14, wherein the shared secret is symmetrical to a shared secret generated on the other node using the local public key and a private key corresponding to the other node.
  - 16. An apparatus according to claim 14, wherein the other node is a server.
  - 17. An apparatus according to claim 14, wherein the shared secret generator is to generate a shared secret by performing a Diffie-Hellman computation.
  - 18. An apparatus according to claim 14, further comprising an encoder to encode the secret value using the public key received from the other node and to transmit the encoded secret value to the other node via the out-of-band connection.
  - 19. An apparatus according to claim 18, wherein the shared secret generator is to generate a shared secret by performing an RSA computation.
  - 20. An apparatus according to claim 14, wherein the out-of-band connection includes any one of a personal digital assistant (PDA), flash memory, memory stick, barcode, smart card, USB-compatible device, Bluetooth-compatible device, and infrared-compatible device.

21. A method implemented on a computing device having instructions executable by a processor for running a protocol for establishing a trust relationship between two or more processing nodes, the method comprising:
- generating a public key and a private key based at least in part;
  
  on each of at least two nodes in response to an attempt of allowing a first node of at least two nodes to remotely load an operating system, wherein a profile of the operating system is stored on a second node of at least two nodes;
  
  orsimultaneously with a generation of the public key and the private key on the second node;
  
  exchanging the public keys asynchronously between the at least two nodes using an out-of-band mechanism comprising a computer-readable storage medium wherein the public keys are not used for authentication and without requiring a high degree of trust for an exchange of the public keys between the two nodes as a trust relationship required between the first node and the second node is established by using a third party out-of-band entity; and
  
  calculating a secret to be shared on at least one of the two nodes.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. A method for running a protocol according to claim 21, wherein the calculating of the secret to be shared includes performing a function using the public key from the other of the two nodes and the private key.
  - 23. A method for running a protocol according to claim 22, wherein the calculating the secret to be shared includes performing a Diffie-Hellman calculation.
  - 24. A method for running a protocol according to claim 22, wherein the secret to be shared is symmetrical on the at least two nodes.
  - 25. A method for running a protocol according to claim 21, further comprising:
    - encoding the secret to be shared using the public key from the other of the two nodes; and
      
      transmitting the encoded secret to be shared to the other of the two nodes via the out-of-band mechanism.
  - 26. A method for running a protocol according to claim 25, wherein the calculating the secret to be shared includes performing an RSA calculation.
  - 27. A method for running a protocol according to claim 21, wherein the out-of-band mechanism includes any one of a personal digital assistant (PDA), flash memory, memory stick, barcode, smart card, USB-compatible device, Bluetooth-compatible device, and infrared-compatible device.

28. An apparatus, comprising:
- means for generating a local public/private key pair based at least in part on;
  
  in response to an attempt to allow a node to remotely load an operating system through a secure association with another node, wherein a profile of the operating system is stored on the another node;
  
  orsimultaneously with a generation of the local public/private key pair on the another node;
  
  means for storing a public key on an out-of-band computer-readable storage medium;
  
  means for transporting asynchronously the public key to the another node;
  
  means for receiving at the another node the public key from the out-of-band computer-readable storage medium wherein the public key is used for configuration of the secure association and not used for authentication; and
  
  means for generating a shared secret using the local private key and another public key received from the another node asynchronously via the out-of-band computer-readable storage medium, wherein the another public key is generated by the another node with a private value generated by the another node in response to receiving the public key from the node.
- View Dependent Claims (29, 30, 31, 32)
- - 29. An apparatus according to claim 28, wherein the means for generating a shared secret performs a Diffie-Hellman computation.
  - 30. An apparatus according to claim 28, further comprising means for encoding the shared secret using the public key received from the other node.
  - 31. An apparatus according to claim 30, wherein the means for generating a shared secret performs an RSA computation.
  - 32. An apparatus according to claim 28, wherein the out-of-band computer-readable storage medium includes any one of a personal digital assistant (PDA), flash memory, memory stick, barcode, smart card, USB-compatible device, Bluetooth-compatible device, and infrared-compatible device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Moore, Tim, Aboba, Bernard, Freeman, Trevor W.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Kaplan; Benjamin A

Application Number

US10/789,809
Publication Number

US 20050193203A1
Time in Patent Office

2,363 Days
Field of Search

380/30, 380/258, 380/259, 380/278, 726/17
US Class Current

380/278
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/18   using different networks or...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/321   involving a third party or ...

H04L 9/3215   using a plurality of channe...

Security associations for devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

486 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Security associations for devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

486 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links