US2005246529A1PendingUtilityA1
Isolated persistent identity storage for authentication of computing devies
Est. expiryApr 30, 2024(expired)· nominal 20-yr term from priority
H04L 61/5014H04L 2209/56H04L 2209/60H04L 63/0823H04L 9/3273H04L 9/3263
47
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A technique is provided for authenticating a computing device to access a secured resource based on a persistent identity that is associated with the computing device. The persistent identity is maintained in an isolated region of the computing device. In one aspect, a secure identity processing area (SIPA) is provided within the computing device to contain the persistent identity.
Claims
exact text as granted — not AI-modified1 . A method, comprising:
authenticating a computing device to access a secured resource based on a persistent identity that is associated with the computing device; and maintaining the persistent identity in an isolated region of the computing device.
2 . The method of claim 1 , in which the persistent identity includes a private key of a public key/private key pair.
3 . The method of claim 1 , in which the persistent identity further includes key information stored in an isolated storage portion that can be accessed by a cryptographic processor.
4 . The method of claim 1 , further comprising:
receiving a challenge at the computing device from an authentication server that was encrypted based on a public key of the computing device; producing a challenge response at the computing device in response to the challenge by decrypting the challenge with the computing device's private key; and transmitting the challenge response to the authentication server.
5 . The method of claim 1 , further comprising:
receiving a challenge at the computing device from an authentication server that was encrypted based on a public key of the computing device and the private key of the authentication server; producing a challenge response at the computing device in response to the challenge by decrypting the challenge with authentication server's public key and the computing device's private key; producing a re-encrypted challenge response by encrypting the decrypted challenge response based on the authentication server's public key; and transmitting the re-encrypted challenge response to the authentication server.
6 . The method of claim 1 , further comprising allowing the computing device to access the secured resource only if the computing device is authenticated.
7 . The method of claim 1 , further comprising using the secured resource at the computing device.
8 . The method of claim 1 , in which the authenticating includes mutual authentication between the computing device and a security domain.
9 . The method of claim 1 , in which the authentication includes one-way authentication of the computing device with respect to a security domain.
10 . The method of claim 1 , further comprising:
locating the persistent identity within a Secure Identity Processing Area (SIPA) that is contained on the computing device; and restricting access to operations associated with a memory and a processor that occur within the SIPA from other locations within the computing device but outside of the SIPA.
11 . The method of claim 1 , in which the authenticating of the computing device is performed as multiple sequential authentication steps, wherein during each sequential authentication step the computing device is provided with an increased level of authentication.
12 . The method of claim 1 , in which the authenticating of the computing device is performed as multiple sequential authentication steps, wherein during each sequential authentication step the computing device can access additional secured resources within a security domain.
13 . The method of claim 1 , in which the authenticating is performed in a series of sequential authentication steps, wherein one sequential authentication step is performed at least partially by a preboot execution (PXE) boot device for the computing device.
14 . The method of claim 1 , wherein the authenticating includes a series of sequential authentication steps.
15 . The method of claim 1 , wherein the authenticating includes a series of sequential authentication steps, wherein one sequential authentication step is performed at least partially by an operating system.
16 . The method of claim 1 , wherein the persistent identity is located within a Secure Identity Processing Area (SIPA) that is contained in the computing device, and the SIPA contains key information to be used in the authenticating in an isolated storage portion within the SIPA.
17 . The method of claim 1 , wherein the persistent identity is located within a Secure Identity Processing Area (SIPA) that is contained on the computing device, and wherein the authentication involves cryptographic processing within the SIPA.
18 . A method, comprising:
authenticating a computing device at a security domain based on a persistent identity contained within the computing device; and limiting access to a secured resource that is located in the security domain based on the persistent identity.
19 . The method of claim 18 , in which the persistent identity further includes storing key information in an isolated storage portion that can be accessed by a cryptographic processor.
20 . The method of claim 18 , further comprising:
creating a challenge at an authentication server by encrypting a message using a public key of the computing device; transmitting the challenge from the authentication server to the computing device; and receiving a response at the authentication server from the computing device in response to the challenge that was decrypted using the private key of the computing device.
21 . The method of claim 18 , further comprising:
creating a challenge at an authentication server by encrypting a message using a public key of the computing device and the private key of the authentication server; transmitting the challenge from the authentication server to the computing device; and receiving a response at the authentication server from the computing device in response to the challenge that was decrypted using the private key of the computing device and the public key of the authentication server.
22 . The method of claim 18 , further comprising allowing the computing device to access a secured resource contained within the security domain only if the computing device is authenticated.
23 . The method of claim 18 , wherein the authentication includes mutual authentication between the computing device and the security domain.
24 . The method of claim 18 , wherein the authentication includes one-way authentication of the computing device with respect to the security domain.
25 . A computer readable media having computer readable instructions that when executed by a processor causes the processor to:
authenticate a computing device with respect to a security domain, the authentication using a persistent identity associated with a computing device; and allow the computing device to access a secured resource only if the computing device is authenticated, wherein the accessing of the secured resource creates a new machine account for the computing device within the security domain.
26 . The computer readable media of claim 25 , wherein the authentication of the computing device includes mutual authentication between the computing device and the security domain.
27 . The computer readable media of claim 25 , wherein the authentication of the computing device includes one-way authentication of the computing device with respect to the security domain.
28 . The computer readable media of claim 25 , wherein the computer readable instructions further cause the processor to isolate the computing device from accessing a secured resource contained within the security domain if the computing device is not authenticated.
29 . The computer readable media of claim 25 , wherein the computer readable instructions further cause the processor to authenticate the security domain with respect to the computing device.
30 . The computer readable media of claim 25 , wherein the persistent identity is located within a Secure Identity Processing Area (SIPA) that is contained on the computing device, further comprising restricting access to operations associated with the memory and the processor that occur within the SIPA from other locations within the computing device but outside of the SIPA.
31 . The computer readable media of claim 25 , wherein the authenticating is performed as multiple sequential authentication steps, wherein during each sequential authentication step the computing device is provided with an increased level of authentication.
32 . The computer readable media of claim 25 , wherein the authenticating is performed as multiple sequential authentication steps, wherein during each sequential authentication step the computing device is permitted to access another secured resources from the security domain.
33 . The computer readable media of claim 25 , wherein the authenticating is performed in a series of sequential authentication steps.
34 . The computer readable media of claim 25 , wherein the authenticating is performed in a series of sequential authentication steps, wherein at least one of the series of sequential authentication steps is performed at least partially by a boot agent.
35 . The computer readable media of claim 25 , wherein the authenticating is performed in a series of sequential authentication steps, wherein at least one of the series of sequential authentication steps is performed at least partially by an operating system.
36 . The computer readable media of claim 25 , wherein the persistent identity is located within a Secure Identity Processing Area (SIPA) that is contained on the computing device, and further comprising storing key information to be used in the authenticating in an isolated storage portion within the SIPA.
37 . The computer readable media of claim 25 , wherein the persistent identity is located within a Secure Identity Processing Area (SIPA) that is contained on the computing device, and wherein the authentication involves cryptographic processing within the SIPA.
38 . An apparatus, comprising:
a Secure Identity Processing Area (SIPA) device located within a computing device, the SIPA includes a cryptographic processor and an isolated storage portion that includes a persistent identity that is associated with the apparatus; the contents of both the cryptographic processor and the isolated storage portion are physically inaccessible from all of the locations outside of the computing device; and a computer readable media containing instructions for authenticating the apparatus to access a secured resource based on the persistent identity.
39 . The apparatus of claim 38 , wherein the authentication the computing device is mutual authentication between the computing device and the security domain.
40 . The apparatus of claim 38 , wherein the authentication the computing device is one-way authentication of the computing device with respect to the security domain.
41 . The apparatus of claim 38 , wherein the SIPA is capable of authenticating the security domain with respect to the SIPA.
42 . The apparatus of claim 38 , wherein the SIPA is included on a smartcard within the computing device.
43 . The apparatus of claim 38 , wherein the SIPA is soldered to a circuit board within the computing device.
44 . The apparatus of claim 38 , wherein the SIPA performs a progression of sequential authentication, wherein following each sequential authentication the computing device is authenticated to use other secured resources.
45 . The apparatus of claim 38 , wherein the SIPA performs a progression of sequential authentication, wherein following each sequential authentication the computing device is configured to perform more complex operations.
46 . A method, comprising:
authenticating a computing device with respect to a security domain at a preboot execution (PXE) level based on a persistent identity located on, identified with, and unable to be accessed outside of the computing device; and accessing a secured resource from the security domain in response to the authentication.
47 . The method of claim 46 , wherein the authentication that allows the computing device to access the secured resource at the preboot execution (PXE) level is mutual authentication between the computing device and the security domain.
48 . The method of claim 46 , wherein the authentication that allows the computing device to access the secured resource at the preboot execution (PXE) level is one-way authentication.
49 . The method of claim 46 , further comprising:
authenticating the computing device to access a secured resource contained within the security domain at an operating system level using the persistent identity, at least partially in response to the computing device accessing the secured resource at the PXE level; and allowing the computing device to access the secured resource.
50 . The method of claim 46 , further comprising authenticating the computing device to access the secured resource at a boot agent level using the persistent identity, at least partially in response to the computing device accessing the secured resource at the PXE level; and
accessing the secured resource with the computing device at the boot agent level.
51 . The method of claim 50 , wherein the authenticating the computing device to access the secured resource at the boot agent level includes mutual authentication between the computing device and the security domain.
52 . The method of claim 50 , wherein the authenticating the computing device to access the secured resource at the boot agent level includes one-way authentication of the computing device with respect to the security domain.
53 . The method of claim 50 , further comprising authenticating the computing device to access the secured resource at an operating system level using the persistent identity, at least partially in response to the computing device accessing the secured resource at the PXE level; and
accessing the secured resource at the operating system level.
54 . The apparatus of claim 46 , wherein the authenticating a computing device to access a secured resource for at least one of the levels is automated.
55 . A computer readable media having computer readable instructions that when executed by a processor causes the processor to:
obtain authentication for a computing device to access a secured resource at a preboot execution (PXE) level using a persistent identity located on, and identified with, the computing device; access the secured resource to the security domain at the PXE level; obtain authentication for the computing device to access a secured resource at an operating system level using the persistent identity, at least partially in response to the computing device accessing the secured resource at the PXE; and access the secured resource by the computing device at the operating system level.
56 . The computer readable media of claim 55 , wherein the authentication that allows the computing device to access the secured resource at the preboot execution (PXE) level is mutual authentication between the computing device and the security domain.
57 . The computer readable media of claim 55 , wherein the authentication that allows the computing device to access a secured resource at the preboot execution (PXE) level is one-way authentication of the computing device with respect to the security domain.
58 . The computer readable media of claim 55 , wherein the authentication of the computing device to access a secured resource at an operating system level uses the persistent identity, at least partially in response to the computing device accessing the secured resource at the PXE level.
59 . The computer readable media of claim 55 , wherein the computer readable instructions further cause the processor to:
authenticate the computing device to access the secured resource at a boot agent level using the persistent identity, at least partially in response to the computing device accessing the secured resource at the PXE level; and access the secured resource at the boot agent level.
60 . A method, comprising:
turning on a computing device; and attempting to authenticate the computing device to access a secured resource based on a persistent identity that is associated with the computing device, wherein the persistent identity is in an isolated region of the computing device.
61 . The method of claim 60 , further comprising:
locating the persistent identity within a Secure Identity Processing Area (SIPA) that is contained on the computing device; and restricting access to operations associated with a memory and a processor that occur within the SIPA from other locations within the computing device but outside of the SIPA.
62 . The method of claim 60 , in which the authenticating of the computing device is performed as multiple sequential authentication steps, wherein during each sequential authentication step the computing device is provided an increased level of authentication.
63 . A method, comprising:
attempting to authenticate a computing device to access a secured resource based on a persistent identity that is associated with the computing device; and maintaining the persistent identity in an isolated region of the computing device.
64 . The method of claim 63 , further comprising:
locating the persistent identity within a Secure Identity Processing Area (SIPA) that is contained on the computing device; and restricting access to operations associated with a memory and a processor that occur within the SIPA from other locations within the computing device but outside of the SIPA.
65 . The method of claim 63 , in which the authenticating of the computing device is performed as multiple sequential authentication steps, wherein during each sequential authentication step the computing device is provided an increased level of authentication.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.