Apparatus and method for establishing a secure session with a device without exposing privacy-sensitive information

Description

FIELD OF THE INVENTION

One or more embodiments of the invention relate generally to the field of cryptography. More particularly, one or more of the embodiments of the invention relates to a method and apparatus for establishing a secure session with a device without exposing privacy-sensitive information.

BACKGROUND OF THE INVENTION

Various system architectures support the use of specially-protected, “trusted” software modules, such as, for example, to perform specific tamper-resistant software, or systems using technology to run protected applications sensitive activities, even in the presence of other hostile software in the system. Some of these trusted software modules require equivalently “trustable” protected access to peripheral devices. In general, such access requires that the trusted software be able to: identify the device's capabilities and/or specific identity, and then establish a secure session with the device to permit the exchange of data that cannot be snooped or spoofed by other software in the system.

The traditional method of both identifying the device and simultaneously establishing the encrypted session is to use a one-side authenticated Diffie-Hellman (DH) key exchange process. In this process, a device is assigned a unique DH public/private key pair. The device holds and protects the private key, while the public key, along with authenticating certificates, may be released to the software. During the DH key exchange process, the software obtains the certificate of the device and verifies the devices' certificate. The software then generates a random ephemeral DH public/private key pair and sends the ephemeral public key to the device. The device computes a shared secret using the device private key and the software ephemeral public key. The software computes a shared secret using the device public key and the software ephemeral private key. Following the Diffie Hellman protocol, the software and the device will compute the same shared secret. The software knows that the shared secret is known only to a trusted device because of the certificate on the public key of the device. The shared secret can now be used to encrypt and authenticate messages between the software and the device.

However, because this authentication process uses conventional private/private key pairs, the device discloses a unique and provable identity (i.e., its public key) as part of the authentication process. Any software that can get the device to engage in a key exchange with its private key can prove that this specific, unique device key is present in a system. Given that devices rarely migrate between systems, this also represents a provable unique system identity. Furthermore, the device's public key itself represents a constant unique value; effectively a permanent “cookie”. In some circles, these characteristics will be construed as a significant privacy problem.

Current architectures may attempt to address this problem by providing mechanisms that limit which software has access to the device's public key and which may ask the device to sign a message. However, these solutions tend to be severely limited in application, often solving the problem only for a small subset of the problem space.

BRIEF DESCRIPTION OF THE DRAWINGS

The various embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:

FIG. 1 is a block diagram illustrating a system featuring a platform implemented with a trusted hardware device (THD), in accordance with one embodiment.

FIG. 2 is a block diagram further illustrating the platform of FIG. 1 implemented with the THD, in accordance with one embodiment.

FIG. 3 is a block diagram further illustrating the THD of FIGS. 1 and 2, in accordance with one embodiment.

FIG. 4 is a block diagram further illustrating authentication logic of FIG. 3, in accordance with one embodiment.

FIG. 5 is a flowchart illustrating a method to set-up a THD once manufactured by a certifying manufacturer, in accordance with one embodiment.

FIG. 6 is a flowchart illustrating a method to assign a secret key pair to a THD, in accordance with one embodiment.

FIG. 7 is a flowchart illustrating a method performed by a prover platform to establish an encrypted session in response to a one-way authentication request, in accordance with one embodiment.

FIG. 8 is a flowchart illustrating a method for issuing a one-way authentication request to a detected hardware device in order to establish an encrypted session with the detected hardware device, in accordance with one embodiment.

DETAILED DESCRIPTION

A method and apparatus for establishing a secure session with a device without exposing privacy-sensitive information are described. In one embodiment, the method includes the authentication of a digitally signed message received from a hardware device. In one embodiment, a digital signature, created by a private signature key of the hardware device, is authenticated according to a public key of an issuer without disclosure of an identity of the hardware device. The digital signature is a signature of an ephemeral DH public key, which the verifier is now assured comes from a trusted device. An encrypted and authenticated session (“secure session”) is established with the authenticated hardware device according to a key exchange using this signed ephemeral DH public key.

Accordingly, in one embodiment, a verifier, in the form of a protected software module, is able to authenticate an identified hardware device as a trusted hardware device (THD) without requiring disclosure of privacy-sensitive information from the hardware device, which may be used to subsequently identify the hardware device. For one embodiment, the functionality of the THD, which responds to a one-way authentication request from a verifier is deployed as firmware. However, it is contemplated that such functionality may be deployed as dedicated hardware or software. Instructions or code forming the firmware or software are stored on a machine-readable medium.

Herein, “machine-readable medium” may include, but is not limited to a floppy diskette, hard disk, optical disk (e.g., CD-ROMs, DVDs, mini-DVDs, etc.), magneto-optical disk, semiconductor memory such as read-only memory (ROM), random access memory (RAM), any type of programmable read-only memory (e.g., programmable read-only memory “PROM”, erasable programmable read-only memories “EPROM”, electrically erasable programmable read-only memories “EEPROM”, or flash), magnetic or optical cards, or the like. It is contemplated that a signal itself and/or a communication link can be regarded as machine-readable medium since software may be temporarily stored as part of a downloaded signal or during propagation over the communication link.

In the following description, certain terminology is used to describe certain features of one or more embodiments of the invention. For instance, “platform” is defined as any type of communication device that is adapted to transmit and receive information. Examples of various platforms include, but are not limited or restricted to computers, personal digital assistants, cellular telephones, set-top boxes, facsimile machines, printers, modems, routers, or the like. A “communication link” is broadly defined as one or more information-carrying mediums adapted to a platform. Examples of various types of communication links include, but are not limited or restricted to electrical wire(s), optical fiber(s), cable(s), bus trace(s), or wireless signaling technology.

A “verifier” refers to any entity (e.g., person, platform, system, software, and/or device) that requests some verification of authenticity or authority from another entity. Normally, this is performed prior to disclosing or providing the requested information. A “prover” refers to any entity that has been requested to provide some proof of its authority, validity, and/or identity. A “device manufacturer,” which may be used interchangeably with “certifying manufacturer,” refers to any entity that manufactures or configures a platform or device (e.g., a Trusted Hardware Device).

As used herein, to “prove” or “convince” a verifier that a prover has possession or knowledge of some cryptographic information (e.g., signature key, a private key, etc.) means that, based on the information and proof disclosed to the verifier, there is a high probability that the prover has the cryptographic information. To prove this to a verifier without “revealing” or “disclosing” the cryptographic information to the verifier means that, based on the information disclosed to the verifier, it would be computationally infeasible for the verifier to determine the cryptographic information. Such proofs are hereinafter referred to as direct proofs. The term “direct proof” is a type of zero-knowledge proof, as these types of proofs are commonly known in the field.

Throughout the description and illustration of the various embodiments discussed hereinafter, coefficients, variables, and other symbols (e.g., “h”) are referred to by the same label or name. Therefore, where a symbol appears in different parts of an equation as well as different equations or functional description, the same symbol is being referenced.

I. General Architecture

FIG. 1 illustrates system 100 featuring a platform implemented with a trusted hardware device (THD) in accordance with one embodiment. A verifier platform 102 (Verifier Platform) transmits an authentication request 106 to a prover platform 200 (Prover Platform) via network 120. In response to request 106, prover platform 200 provides the authentication information 108. In one embodiment, network 120 forms part of a local or wide area network, and/or a conventional network infrastructure, such as a company's Intranet, the Internet, or other like network.

Additionally, for heightened security, verifier platform 102 may need to verify that prover platform 200 is manufactured by either a selected device manufacturer or a selected group of device manufacturers (hereinafter referred to as “device manufacturer(s) 110”). In one embodiment, verifier platform 102 challenges prover platform 200 to show that it has cryptographic information (e.g., a private signature key) generated by device manufacturer(s) 110. Prover platform 200 replies to the challenge by providing authentication information, in the form of a reply, to convince verifier platform 102 that prover platform 200 has cryptographic information generated by device manufacturer(s) 110, without revealing the cryptographic information or any unique, device/platform identification information.

FIG. 2 is a block diagram further illustrating prover platform 200 including THD 300 to convince a verifier that prover platform 200 possesses uncompromised cryptographic information without disclosure of the cryptographic information or any unique device identification information. Representatively, prover platform 200 comprises a processor system bus (front side bus (FSB)) 204 for communicating information between processor (CPU) 202 and chipset 210. As described herein, the term “chipset” is used in a manner to collective describe the various devices coupled to CPU 202 to perform desired system functionality.

Representatively, hard drive devices (HDD) 230 and main memory 220 may be coupled to chipset 210. In one embodiment, chipset 210 includes a memory controller and/or an input/output (I/O) controller to communicate with I/O devices 250 (250-1, . . . , 250-N). In one embodiment, chipset 210 is a graphics controller to communicate with graphics cards 260 (260-1, . . . , 260-N). In one embodiment, main memory 212 may include, but is not limited to, random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), double data rate (DDR) SDRAM (DDR-SDRAM), Rambus DRAM (RDRAM) or any device capable of supporting high-speed buffering of data.

In one embodiment, an operating system of prover platform 200 may load trusted software (SW) module 400 within memory 220. Representatively, trusted software module 400 is, in one embodiment, tamper resistant software, such as a run-time protected application, which may be referred to herein as a verifier. In one embodiment, trusted SW module 400 may require equivalently trusted or protected access to peripheral devices, such as, graphics cards 260 and I/O device cards 250, referred to herein as trusted hardware devices or THDs. In general, such access requires that trusted SW module 400 be able to identify the devices' capabilities and/or specific manufacturer and version number of the device, and then establish an authenticated, encrypted session, referred to herein as a “secure session,” with the device to permit the exchange of data that cannot be snooped or spoofed by other software in the system.

The traditional method of both identifying the device and simultaneously establishing a secure session is to use a one-side authenticated Diffie-Hellman (DH) key exchange process. In this process, the device is assigned a unique public/private Rivest, Shamir and Adelman (RSA) or elliptic curve cryptography (ECC) key pair. The device holds and protects the private key while the public key, along with authenticating certificates may be released to a verifier. During the DH key exchange process, the device signs a message using its own private key, which is verified using the corresponding public key. This permits the verifier to authenticate that the message did, in fact, come from the device of interest.

However, because the authentication process uses RSA or ECC keys, the device has a unique and provable identity. Any verifier that can get the device to sign a message with its private key can prove that the specific device is present in a system. Given that devices rarely migrate between systems, this also represents a provable unique system identity. Furthermore, the device's public key, itself, represents a constant, unique value; referred to herein as “unique, device identification information”. In some circles, these characteristics are construed as a significant privacy problem. Accordingly, in one embodiment, a direct proof (DP) signature key is used instead of a traditional RSA or ECC keys using THD 300, as further illustrated in FIG. 3.

FIG. 3 illustrates THD 300 of prover platform 200, in accordance with one embodiment. THD 300 is a cryptographic device that is manufactured by device manufacturer(s) 110. In one embodiment, THD 300 comprises processor unit 310 with a small amount of on-chip memory encapsulated within a package. THD 300 provides authentication information to verifier platform 102 that would enable it to determine that the authentication information is transmitted from a valid THD. The authentication information used is non-unique data that would make it highly unlikely that the THD's or prover platform's identity can be determined by verifier platform 102.

In one embodiment, THD 300 further comprises non-volatile memory 320 (e.g., flash) to permit storage of cryptographic information such as one or more of the following: keys, hash values, signatures, certificates, etc. In one embodiment, the cryptographic information is a direct proof (DP) signature key received from a certifying manufacturer of the respective device. As shown below, a hash value of “X” may be represented as “Hash(X)”. Of course, it is contemplated that such information may be stored within external memory 240 of platform 200 in lieu of flash memory 320. The cryptographic information may be encrypted, especially if stored outside THD 300.

In one embodiment, THD 300 includes authentication logic 340 to respond to an authentication request from a verifier platform. In one embodiment, authentication logic 340 convinces or proves to a verifier that THD 300 has stored cryptographic information generated by a certifying device manufacturer, without revealing the cryptographic information or any unique device identification information. As a result, authentication logic 340 performs the requested authentication while preserving the identity of the device. Authentication logic 340 is further illustrated with reference to FIG. 4.

Referring again to FIG. 2, in one embodiment, graphics cards 260 and I/O device cards 250 include THD 300 to enable trusted software module 400 to establish trustable, protected access with the various peripheral devices of second platform 200. As illustrated with reference to FIG. 4, authentication logic 340 includes one-way authentication logic 360. In one embodiment, one-way authentication logic 360 responds to, for example, a one-way authentication key exchange request from trusted SW module 400. As described in further detail below, using key logic 370, THD 300 stores a DP signature key assigned to THD 300 from a certifying manufacturer.

As a result, digital signature logic 390 signs a message transmitted to SW module 400 during the authentication process using its DP private signature key. In one embodiment, the signature key is verified according to a public key for a family of platforms defined by the manufacturer of the THD. Accordingly, SW module 400 is able to authenticate a peripheral device within system 200 without requiring disclosure of any unique device identification information. Subsequently, secure session logic 380 uses a session key S to encrypt transmitted information to SW module 400 and decrypt received information from SW module 400. The session key S could also be used by the sender to add message authentication code values, which are then checked by the receiver of the message.

As further illustrated in FIG. 4, direct proof logic 350 engages in an interactive direct proof, as described in further detail below, to convince a verifier that the prover platform 200 contains cryptographic information from a certifying manufacturer without revealing the cryptographic information. As described below, key logic 370 performs platform set-up of THD 300 to receive a unique, secret private pair (c,f). In one embodiment, f is close to a fixed value Z, i.e. 0<f−Z<W for a fixed value W and the pair (c,f) satisfies the equation c=f^dmod n, and e,n,Z,W are part of the public key and “d” is a private key of a certifying manufacturer of TMP 300.

II. Platform Set-Up

A “platform family” may be defined by the device manufacturer to include one or more types of platforms or trusted hardware devices. For instance, a platform family may be the set of all platforms (members) that have the same security relevant information. This security relevant information could include the secret key pair (c,f) from the certifying manufacturer. It could also include the manufacturer and model number of the particular platform or device. For each platform family, a device manufacturer creates the cryptographic parameters that the manufacturer uses for that platform family. The device manufacturer creates a signature key that it uses to sign the secrets for the devices (e.g., platform 200 or THD 300) that it manufactures as shown in FIGS. 5-6.

FIG. 5 is a flowchart illustrating a method 500 to form a platform family certificate (PFC) in accordance with one embodiment. In one embodiment, the device manufacturer utilizes a public key cryptographic function (e.g., an RSA function) to create an RSA public/private key pair with public modulus n, public exponent e, and private exponent d (block 510). The public key is based on values e,n while the private key is based on d,n. This can be created using well known methods, such as those described in Applied Cryptography, by Bruce Schneier, John Wiley & Sons; ISBN: 0471117099; Second Edition (1996). In one embodiment, modulus n should be chosen large enough so that it is computationally infeasible to factor n.

The device manufacturer specifies a parameter Z, which is an integer between zero (0) and n (block 520). The device manufacturer specifies a security parameter W, which is an integer between zero (0) and n (block 530). However, picking W too small or too large may introduce a security failure. In one embodiment of the invention, W is selected to be approximately 2¹⁶⁰. Selecting W to be between 2⁸⁰and the square root of n is recommended. In one embodiment of the invention, the device manufacturer computes a prime number P, such that P=u*n+1 (block 540). Any value of u can be used; however, to retain an acceptable level of security, the value P should be large enough so that computing a discrete logarithm “mod P” is computationally infeasible.

The device manufacturer generates a Platform Family Certificate that comprises cryptographic parameters e, n, u, P, Z, W, the security relevant information of the platform family, and the name of the device manufacturer (block 550). In one embodiment, the parameters u and P would not both be included since given n and one of these parameters, the other can be computed by P=u*n+1. In one embodiment, the device manufacturer uses the same cryptographic parameters e, n, u, P, W for several different platform families, and just varies the value Z for the different platforms. In this case, the values of Z may be chosen to differ by approximately or at least 4 W, although the selected difference is a design choice.

Once the Platform Family Certificate is generated, the device manufacturer provides the Platform Family Certificate to the platforms or devices it manufactures which belong to that particular platform family (block 560). The distribution of cryptographic parameters associated with the Platform Family Certificate from a prover (e.g., prover platform 200 in FIG. 1) to a verifier may be accomplished in a number of ways. However, these cryptographic parameters should be distributed to the verifier in such a way that the verifier is convinced that the Platform Family Certificate was generated by the device manufacturer.

For instance, one accepted method is by distributing the parameters directly to the verifier. Another accepted method is by distributing the Platform Family Certificate signed by a certifying authority, being the device manufacturer as one example. In this latter method, the public key of the certifying authority should be distributed to the verifier, and the signed Platform Family Certificate can be given to each platform member in the platform family (prover platform). The prover platform can then provide the signed Platform Family Certificate to the verifier.

FIG. 6 is a flowchart illustrating a method 600 for the setup performed for a prover platform or trusted hardware device manufactured according to one embodiment, such as, for example, by key logic 370, as shown in FIG. 4. The THD of the prover platform chooses a random number f such that 0<f−Z<W (block 610). The THD may blind this random number f before sending it to the certifying manufacturer for signature (block 620). This blinding operation is performed to obfuscate the exact contents of the random number f from the certifying manufacturer. In one embodiment, the THD chooses a random value, B, where 1<B<n−1 (block 622), and computes A=B^emod n (block 624). Then, the THD computes f′=f*A mod n (block 626). If the THD does not blind f, then the THD uses f′=f and A=1 (block 628).

After performing these computations, THD sends f′ to the certifying manufacturer (block 630). The certifying manufacturer computes c′=f′^dmod n (block 640), and provides c′ to the prover (block 650). The THD of the prover computes c=c′*B⁻¹mod n (block 660). Notice that this implies that c=f^dmod n. The values c and f are then stored in the THD or are encrypted by the THD and stored in external storage within the prover (block 670). As described herein, c,f is referred to as a signature key of the THD, or referred to as cryptographic information and may also be referred to herein as a “member key”.

Operation of the THD to perform a direct proof to convince a verifier that the trusted hardware device or prover platform possesses cryptographic information from a certifying manufacturer is described within co-pending U.S. application Ser. No. 10/675,165, filed Sep. 30, 2003. In the Direct Proof scheme, the prover's signature used in a direct proof (“direct proof signature”) is validated using a public key if the platform manufacturer (issuer). Thus all members can have their signatures validated using the same public key. It can be proven that a direct proof signature created by a member does not identify which member created the direct proof signature.

To prove to a verifier that the THD contains a unique secret pair, the THD may obtain a value for B to use as a base according to the random base option. For example, the THD may compute k=B^fmod N and construct a Proof that the THD possesses secret key pair (f,c), such that f=c^emod n and k=B^fmod n, without revealing any additional information about f and c. The TPM may give B,k and the proof as a direct proof signature to the verifier in response to a signature request. Accordingly, as described herein, the values B and k and the proof are referred to herein as a direct proof signature. In one embodiment, the TPM chooses a random base value, B, where 1<B<n−1 (block 622), and computes k=B^fmod n (block 624), in accordance with the “random base option”. Alternatively, verifier provides base value B to the TPM in accordance with the “named base option”. THD may use different B values with different verifiers so that the verifiers may not know that they received the proof from the same THD.

Accordingly, as described above, direct proof defines a protocol in which a certifying manufacturer (issuer) defines a family of members that share common characteristics, as defined by the issuer. The issuer generates a family public key and private key (Fpub and Fpri) that represents the family as a whole. Using Fpri, the issuer can also generate a direct proof signature key (DPpri) for each individual member in the family, as described above. Accordingly, any message signed by an individual DPpri can only be verified using the family public key Fpub. However, such verification only proves that the signer is a member of a platform family. As a result, no unique device identification information about the individual member is exposed.

Accordingly, FIG. 7 illustrates a method 700 performed by, for example, one-way authentication logic 360 of THD 300, as illustrated with reference to FIG. 4, in accordance with one embodiment. At process block 710, it is determined whether a one-way authentication request is received from a verifier. In one embodiment, the verifier is a trusted software executable, such as, for example, trusted software module 400, as illustrated with reference to FIG. 1. In one embodiment, a trusted hardware device (prover) is a graphics card, an I/O card or other like hardware device.

Representatively, at process block 720, the trusted hardware device picks a Diffie-Hellman (DH) private key x at random. At process block 730, the hardware device computes a public key h, which equals h=g^xmod p. Once the public key h is computed, at process block 740, the hardware device signs the public key using, for example, a DP private signature key held by, for example, a THD of the trusted hardware device. As indicated above, by signing public key h with DP private signing key, an identity of the hardware device is preserved.

At process block 750, the hardware device releases the signed public key to the verifier. At process block 760, it is determined whether a public key k is received from the verifier. Once received, at process block 770, the hardware device computes shared key, or shared secret, which equals k^xmod p. Once the share key, or shared secret, is computed, at process block 780, the trusted hardware device computes session key S according to a function of the shared secret h (shared secret). Once the session key S is computed, at process block 790, the session key S encrypts subsequent traffic with the verifier platform to establish an encrypted session between, for example, graphics card 260-1 and trusted SW module 400, in accordance with one embodiment.

FIG. 8 is a flowchart illustrating a method 800 performed by a verifier, such as, for example, trusted SW module 400 of FIG. 1, in accordance with one embodiment. At process block 810, a verifier platform issues a one-way authentication request to a detected hardware device. Once issued, at process block 820, the verifier picks or selects a DH private key y at random. At process block 830, the verifier computes a DH public key j (public key j=g^ymod p.) Once the public key j is computed, the verifier sends the public key j to the detected hardware device.

As part of the one-way authentication key exchange request process, as described herein, the verifier will receive a signed public key h from the detected hardware device. Accordingly, at process block 850, the verifier will verify the signed h using the family public key for the device family of the detected hardware device. In one embodiment, this is performed by receiving a family platform certificate for a family defined by a certifying manufacturer of the hardware device, which includes the hardware device.

In one embodiment, the family platform certificate may include, but is not limited to, cryptographic parameters defined by the issuer of the platform family, including a public key of the platform family and a name of the certifying manufacturer. Accordingly, using the family public key, the verifier, such as, for example, trusted SW module 400 of FIG. 1, may verify that the identified, or detected, hardware device is a member of an authenticated platform family. Otherwise, at process block 852, the trusted SW module 400 denies one-way authentication of the detected hardware device.

In one embodiment, as part of the verification process, the verifier may have one or more revoked DP private signature keys. Accordingly, in one embodiment, the verifier may want to establish that the DP signature that was received was not created using one of the revoked keys. Each DP signature contains a pseudonym, k=B^fmod P, for a known base B, and private key f. The verifier can take each of the revoked keys, f1, . . . , fr, and compute k_i=B^fimod P. If k=k_i, then the verifier knows that the signature was computed using revoked key fi, and will thus reject the signature.

Once the detected hardware device is authenticated as a trusted hardware device, at process block 870, the verifier computes a shared secret of the form k^ymod p. At process block 880, the verifier computes session key S according to a function H of the shared secret key (SSK) (H(SSK)). Finally, at process block 890, the verifier will use session key S to encrypt and integrity protect subsequent traffic between the verifier and the detected hardware device to establish a secure session to prohibit snooping or identification of data transmitted between the trusted hardware device and the verifier.

Accordingly, in one embodiment, a device, such as a graphics, sound, video or other like card, including a THD as described herein, can be authenticated as belonging to a specific family of devices, which may include assurances about the behavior or trustworthiness of the device. However, such device, once detected and issued a one-way authenticated key exchange request, may engage in such request to establish an encrypted session without exposing any uniquely identified information that could be used to establish a unique identity representing the system. As such, one-way authenticated key exchange requests are provided or enabled by THD described herein, while avoiding any privacy concerns associated with conventional techniques.

There are other methods for forming Direct Proof signatures. The invention can use these other methods for Direct Proof signatures as well. It is to be understood that even though numerous characteristics and advantages of various embodiments of the present invention have been set forth in the foregoing description, together with details of the structure and function of various embodiments of the invention, this disclosure is illustrative only. In some cases, certain subassemblies are only described in detail with one such embodiment. Nevertheless, it is recognized and intended that such subassemblies may be used in other embodiments of the invention. Changes may be made in detail, especially matters of structure and management of parts within the principles of the embodiments of the present invention to the full extent indicated by the broad general meaning of the terms in which the appended claims are expressed.

Having disclosed exemplary embodiments and the best mode, modifications and variations may be made to the disclosed embodiments while remaining within the scope of the embodiments of the invention as defined by the following claims.

Claims

1. A method comprising: authenticating a digital signature of a hardware device according to a public key of an issuer of a platform family that includes the hardware device, wherein a private signature key used by the hardware device to sign a received message is jointly computed by the hardware device and the issuer during a setup procedure with the issuer, but is unknown to the issuer;establishing a secure session with the authenticated hardware device according to a session key formed from a key exchange using the received message; andusing the same public key of the issuer to authenticate multiple hardware devices, the hardware devices to compute different private signature keys, without disclosing any unique identification information of any authenticated hardware devices,wherein the different private signature keys are jointly computed by the hardware device and the issuer during respective setup procedures with the issuer, but are unknown to the issuer.
2. The method of claim 1, wherein authenticating comprises: receiving a message from the hardware device including the digital signature formed according to the private signature key assigned to the hardware device by the issuer;verifying the digital signature of the hardware device according to the public key of the issuer without disclosure of any unique, identification information of the hardware device; andcomputing the session key according to a shared key formed from the key exchange using the received message.
3. The method of claim 2, wherein computing the session key comprises: computing a shared key with the hardware device from the key exchange using the digitally signed message received from the hardware device; andprocessing the shared key to form the session key.
4. The method of claim 1, wherein prior to authenticating, the method comprises: selecting a random secret value y;computing a public key k according to the random secret value y; andtransmitting the public key k to the hardware device.
5. The method of claim 1, wherein authenticating comprises: identifying the issuer of the private signature key to the hardware device;selecting a family public key from a family of members defined by the issuer; andverifying, according to the selected family public key, that the hardware device is a member of the family defined by the issuer.
6. The method of claim 5, wherein identifying the issuer comprises: determining a digital certificate for the hardware device; andidentifying the public key of the issuer according to the digital certificate.
7. The method of claim 1, wherein establishing the secure session comprises: encrypting transmitted information to the hardware device with the session key; anddecrypting received information from the hardware device using the session key.
8. The method of claim 1, wherein authenticating further comprises: denying authentication of the hardware device if the private signature key of the device is compromised.
9. The method of claim 8, wherein denying authentication further comprises: determining whether a digital signature attached to the digitally signed message was generated with a revoked private signing key; andif the digital signature was created with a revoked key, rejecting the digital signature.
10. The method of claim 8, wherein denying authentication further comprises: (a) selecting a revoked key from a revoked key list;(b) verifying that the digital signature was not created with the revoked key; andrepeating (a)-(b) for each revoked key listed in the revoked key list.
11. A method comprising: transmitting a message to a verifier in response to an authentication request, the message signed by a hardware device using a private signature key;authenticating, by the verifier, a digital signature of the hardware device according to a public key of an issuer of a platform family that includes the hardware device, wherein the private signature key used by the hardware device to sign the message is jointly generated by the hardware device and the issuer during a setup procedure with the issuer, but is unknown to the issuer, and the hardware device is authenticated, without disclosing any unique identification information of the hardware device; andestablishing a secure session with the verifier according to a session key formed from a key exchange using a message received from the verifier.
12. The method of claim 11, wherein prior to transmitting the signed message, the method further comprises: receiving a one-way authenticated key exchange request from the verifier;computing a public key k according to a selected random value x; anddigitally signing the public key using the private signature key of the hardware device.
13. The method of claim 11, wherein prior to transmitting the signed message, the method further comprises: generating, by the issuer, a family public/private key pair for a family of devices defined by the issuer;computing the private signature key for the hardware device using the family private key without retaining a copy of the private signature key assigned to the hardware device;and transmitting the private signature key to the hardware device.
14. The method of claim 11, wherein establishing the secure session comprises: computing a shared secret key according to a public key received from the verifier; andprocessing the shared key to form the session key.
15. The method of claim 11, wherein establishing the secure session comprises: encrypting transmitted information to the verifier with the session key; anddecrypting received information from the verifier using the session key.
16. The method of claim 11, wherein prior to transmitting the signed message, the method further comprises: receiving a platform family certificate for a family of devices defined by the issuer, the platform class certificate including at least cryptographic parameters defined by the issuer for the platform family,a public key of the issuer and a name of the issuer; andtransmitting the received platform family certificate to the verifier.
17. The method of claim 16, wherein transmitting the platform family certificate comprises: signing, by a certifying authority, the platform family certificate; andproviding a public key of the certifying authority to the verifier to enable the verifier to authenticate the signed platform family certificate once received from the hardware device.
18. The method of claim 11, wherein prior to transmitting the digitally signed message, the method further comprises: receiving a unique secret key pair (f,c), where F is the private signature key of the hardwaredevice; anddigitally signing the message according to the private signature key f.
19. The method of claim 18, wherein the secret key pair includes the private signature key f of the form ce mod n and private key c is of the form c=f mod n, where He”, “n” is a public key and “d” is a private key of a certifying manufacturer of the hardware device.
20. An apparatus, comprising: a flash memory to store cryptographic information received from a certifying manufacturer of a platform family that includes the apparatus, wherein the cryptographic information is used to jointly compute a private signature key by the hardware device and the certifying manufacturer during a setup procedure with the certifying manufacturer, but is unknown to the certifying manufacturer; anda trusted platform module to transmit a message, signed using the private signature key, to a verifier in response to an authentication request, the trusted platform module to establish a secure session with the verifier according to a session key, the session key formed from a key exchange using a message received from the verifier, without disclosing any unique identification information of the apparatus.
21. The apparatus of claim 20, wherein the trusted platform module further comprises: one-way authentication logic to receive a one-way authenticated key exchange request from the verifier and to compute a public key k according to a selected random value x; anddigital signature logic to digitally sign the public key k using a private signature key of the apparatus.
22. The apparatus of claim 20, wherein the trusted platform module further comprises: one-way authentication logic to compute a shared secret key with the verifier according to a public key received from the verifier and to process the shared key to form the session key to enable establishment of the secure session with the verifier.
23. The apparatus of claim 20, wherein the trusted platform module comprises: secure session logic to encrypt transmitted information to the verifier using the session key and to decrypt received information from the verifier using the session key.
24. The apparatus of claim 20, wherein the apparatus is a graphics card.
25. The apparatus of claim 20, wherein the cryptographic information comprises: a secret key pair (f, c), where f is a private signature key of the form ce mod n and c is a private key of the form c f mod n, where He”, “n” is a public key and “d” is a private key of the certifying manufacturer.
26. A system comprising: a processor to execute a trusted software module to issue a one-way authentication key exchange request to the hardware device;a chipset coupled to the processor; anda hardware device coupled to the chipset, the hardware device including a trusted platform module, the trusted platform module to transmit a signed message to the trusted software module in response to a one-way authentication request from the trusted software module and to establish a secure session with the trusted software module according to a session key formed from a key exchange using a message received from the trusted software module without disclosing any unique identification information of the hardware device,wherein the trusted software module to authenticate a digital signature of a hardware deviceaccording to a public key of an issuer of a platform family that includes the hardware device, wherein a private signature key used by the hardware device to sign the message is jointly computed by the hardware device and the issuer during a setup procedure with the issuer, but is unknown to the issuer.
27. The system of claim 26, wherein the chipset comprises a graphics controller.
28. The system of claim 26, wherein the hardware device comprises a graphics card.
29. The system of claim 26, wherein the trusted software module is to receive a platform family certificate signed by a certifying authority, the platform family certificate to include cryptographic parameters defined by the certifying manufacturer for a platform family, and a public key of the certifying manufacturer to enable authentication of the digital signature of the hardware device.
30. A non-transitory computer-readable storage medium having stored thereon instructions which may be used to program a system to perform a method, comprising: authenticating a digital signature of a hardware device according to a public key of an issuer of a platform family that includes the hardware device, wherein a private signature key used by the hardware device to sign a received message is jointly computed by the hardware device and the issuer during a setup procedure with the issuer, but is unknown to the issuer;establishing a secure session with the authenticated hardware device according to a session key formed from a key exchange using the received message; andusing the same public key of the issuer to authenticate multiple hardware devices that usedifferent private signature keys without disclosing any unique identification information of any authenticated hardware devices,wherein the different private signature keys are jointly computed by the hardware device and the issuer during respective setup procedures with the issuer, but are unknown to the issuer.
31. The computer-readable storage medium of claim 30, wherein authenticating comprises: receiving a message from the hardware device including the digital signature formed according to the private signature key assigned to the hardware device by the issuer;verifying the digital signature of the hardware device according to the public key of the issuer without disclosure of any unique, identification information of the hardware device; andcomputing the session key according to a shared key formed from key exchange using the received message.
32. The computer-readable storage medium of claim 31, wherein computing the session key comprises: computing a shared key with the hardware device from the key exchange using the digitally signed message received from the hardware device; andprocessing the shared key to form the session key.
33. The computer-readable storage medium of claim 30, wherein prior to authenticating, the method comprises: selecting a random secret value y;computing a public key k according to the random secret value y; andtransmitting the public key k to the hardware device.
34. The computer-readable storage medium of claim 30, wherein authenticating comprises: identifying the issuer of the private signature key to the hardware device;selecting a family public key from a family of members defined by the issuer; andverifying, according to the selected family public key, that the hardware device is a member of the family defined by the issuer.
35. The computer-readable storage medium of claim 34, wherein identifying the issuer comprises: determining a digital certificate for the hardware device; andidentifying the public key of the issuer according to the digital certificate.
36. The computer-readable storage medium of claim 30, wherein establishing the secure session comprises: encrypting transmitted information to the hardware device with the session key; anddecrypting received information from the hardware device using the session key.
37. The computer-readable storage medium of claim 30, wherein authenticating further comprises: denying authentication of the hardware device if the private signature key of the device is compromised.
38. The computer-readable storage medium of claim 37, wherein denying authentication further comprises: determining whether a digital signature attached to the digitally signed message was generated with a revoked private signing key; andif the digital signature was created with a revoked key, rejecting the digital signature.
39. The computer-readable storage medium of claim 37, wherein denying authentication further comprises: (a) selecting a revoked key from a revoked key list;(b) verifying that the digital signature was not created with the revoked key; andrepeating (a)-(b) for each revoked key listed in the revoked key list.

US Referenced Citations (295)

Number	Name	Date	Kind
3699532	Schaffer et al.	Oct 1972	A
3996449	Attanasio et al.	Dec 1976	A
4037214	Birney et al.	Jul 1977	A
4162536	Morley	Jul 1979	A
4207609	Luiz et al.	Jun 1980	A
4247905	Yoshida et al.	Jan 1981	A
4276594	Morley	Jun 1981	A
4278837	Best	Jul 1981	A
4307447	Provanzano et al.	Dec 1981	A
4319233	Matsuoka et al.	Mar 1982	A
4319323	Ermolovich et al.	Mar 1982	A
4347565	Kaneda et al.	Aug 1982	A
4366537	Heller et al.	Dec 1982	A
4403283	Myntti et al.	Sep 1983	A
4419724	Branigin et al.	Dec 1983	A
4430709	Schleupen et al.	Feb 1984	A
4521852	Guttag	Jun 1985	A
4529870	Chaum	Jul 1985	A
4571672	Hatada et al.	Feb 1986	A
4621318	Maeda	Nov 1986	A
4759064	Chaum	Jul 1988	A
4795893	Ugon	Jan 1989	A
4802084	Ikegaya et al.	Jan 1989	A
4825052	Chemin et al.	Apr 1989	A
4843541	Bean et al.	Jun 1989	A
4907270	Hazard	Mar 1990	A
4907272	Hazard	Mar 1990	A
4910774	Barakat	Mar 1990	A
4974159	Hargrove et al.	Nov 1990	A
4975836	Hirosawa et al.	Dec 1990	A
5007082	Cummins	Apr 1991	A
5022077	Bealkowski et al.	Jun 1991	A
5075842	Lai	Dec 1991	A
5079737	Hackbarth	Jan 1992	A
5187802	Inoue et al.	Feb 1993	A
5230069	Brelsford et al.	Jul 1993	A
5237616	Abraham et al.	Aug 1993	A
5255379	Melo	Oct 1993	A
5287363	Wolf et al.	Feb 1994	A
5293424	Holtey et al.	Mar 1994	A
5295251	Wakui et al.	Mar 1994	A
5317705	Gannon et al.	May 1994	A
5319760	Mason et al.	Jun 1994	A
5361375	Ogi	Nov 1994	A
5386552	Garney	Jan 1995	A
5421006	Jablon et al.	May 1995	A
5434999	Goire et al.	Jul 1995	A
5437033	Inoue et al.	Jul 1995	A
5442645	Ugon et al.	Aug 1995	A
5455909	Blomgren et al.	Oct 1995	A
5459867	Adams et al.	Oct 1995	A
5459869	Spilo	Oct 1995	A
5469557	Salt et al.	Nov 1995	A
5473692	Davis	Dec 1995	A
5479509	Ugon	Dec 1995	A
5504922	Seki et al.	Apr 1996	A
5506975	Onodera	Apr 1996	A
5511217	Nakajima et al.	Apr 1996	A
5515441	Faucher	May 1996	A
5522075	Robinson et al.	May 1996	A
5528231	Patarin	Jun 1996	A
5533126	Hazard et al.	Jul 1996	A
5555385	Osisek	Sep 1996	A
5555414	Hough et al.	Sep 1996	A
5560013	Scalzi et al.	Sep 1996	A
5564040	Kubala	Oct 1996	A
5566323	Ugon	Oct 1996	A
5568552	Davis	Oct 1996	A
5574936	Ryba et al.	Nov 1996	A
5582717	Di Santo	Dec 1996	A
5604805	Brands	Feb 1997	A
5606617	Brands	Feb 1997	A
5615263	Takahashi	Mar 1997	A
5628022	Ueno et al.	May 1997	A
5628023	Bryant et al.	May 1997	A
5631961	Mills et al.	May 1997	A
5633929	Kaliski, Jr.	May 1997	A
5657445	Pearce	Aug 1997	A
5668971	Neufeld	Sep 1997	A
5680547	Chang	Oct 1997	A
5684948	Johnson et al.	Nov 1997	A
5699431	Van Oorschot et al.	Dec 1997	A
5706469	Kobayashi	Jan 1998	A
5717903	Bonola	Feb 1998	A
5720609	Pfefferle	Feb 1998	A
5721222	Bernstein et al.	Feb 1998	A
5724425	Chang et al.	Mar 1998	A
5729760	Poisner	Mar 1998	A
5737604	Miller et al.	Apr 1998	A
5737760	Grimmer, Jr. et al.	Apr 1998	A
5740178	Jacks et al.	Apr 1998	A
5752046	Oprescu et al.	May 1998	A
5757918	Hopkins et al.	May 1998	A
5757919	Herbert et al.	May 1998	A
5764969	Kahle et al.	Jun 1998	A
5771291	Newton et al.	Jun 1998	A
5796835	Saada	Aug 1998	A
5796845	Serikawa et al.	Aug 1998	A
5805712	Davis	Sep 1998	A
5809546	Greenstein et al.	Sep 1998	A
5815665	Teper et al.	Sep 1998	A
5825875	Ugon	Oct 1998	A
5825880	Sudia et al.	Oct 1998	A
5835594	Albrecht et al.	Nov 1998	A
5844986	Davis	Dec 1998	A
5852717	Bhide et al.	Dec 1998	A
5854913	Goetz et al.	Dec 1998	A
5857021	Kataoka et al.	Jan 1999	A
5867577	Patarin	Feb 1999	A
5872994	Akiyama et al.	Feb 1999	A
5890189	Nozue et al.	Mar 1999	A
5900606	Rigal	May 1999	A
5901225	Ireton et al.	May 1999	A
5903752	Dingwall et al.	May 1999	A
5919257	Trostle	Jul 1999	A
5924094	Sutter	Jul 1999	A
5935242	Madany et al.	Aug 1999	A
5935247	Pai et al.	Aug 1999	A
5937063	Davis	Aug 1999	A
5944821	Angelo	Aug 1999	A
5953502	Helbig, Sr.	Sep 1999	A
5956408	Arnold	Sep 1999	A
5970147	Davis et al.	Oct 1999	A
5978475	Schneier et al.	Nov 1999	A
5978481	Ganesan et al.	Nov 1999	A
5987557	Ebrahim	Nov 1999	A
6014745	Ashe	Jan 2000	A
6032260	Sasmazel et al.	Feb 2000	A
6032261	Hulyalkar	Feb 2000	A
6035374	Panwar et al.	Mar 2000	A
6036061	O'Donnell	Mar 2000	A
6036601	Heckel	Mar 2000	A
6038322	Harkins	Mar 2000	A
6044478	Green	Mar 2000	A
6055637	Hudson et al.	Apr 2000	A
6058478	Davis	May 2000	A
6061794	Angelo	May 2000	A
6075938	Bugnion et al.	Jun 2000	A
6078667	Johnson	Jun 2000	A
6085296	Karkhanis et al.	Jul 2000	A
6088262	Nasu	Jul 2000	A
6092095	Maytal	Jul 2000	A
6093213	Favor et al.	Jul 2000	A
6101584	Satou et al.	Aug 2000	A
6108644	Goldschlag et al.	Aug 2000	A
6115816	Davis	Sep 2000	A
6125430	Noel et al.	Sep 2000	A
6131166	Wong-Insley	Oct 2000	A
6138239	Veil	Oct 2000	A
6148379	Schimmel	Nov 2000	A
6151676	Cuccia et al.	Nov 2000	A
6154841	Oishi	Nov 2000	A
6158546	Hanson et al.	Dec 2000	A
6173417	Merrill	Jan 2001	B1
6175924	Arnold	Jan 2001	B1
6175925	Nardone et al.	Jan 2001	B1
6178509	Nardone	Jan 2001	B1
6182089	Ganapathy et al.	Jan 2001	B1
6185316	Buffam	Feb 2001	B1
6188257	Buer	Feb 2001	B1
6192455	Bogin et al.	Feb 2001	B1
6199152	Kelly et al.	Mar 2001	B1
6205550	Nardone et al.	Mar 2001	B1
6212635	Reardon	Apr 2001	B1
6222923	Schwenk	Apr 2001	B1
6246771	Stanton et al.	Jun 2001	B1
6249872	Wildgrube et al.	Jun 2001	B1
6252650	Nakamura	Jun 2001	B1
6269392	Cotichini et al.	Jul 2001	B1
6272533	Browne et al.	Aug 2001	B1
6272637	Little et al.	Aug 2001	B1
6275933	Fine et al.	Aug 2001	B1
6278782	Ober et al.	Aug 2001	B1
6282650	Davis	Aug 2001	B1
6282651	Ashe	Aug 2001	B1
6282657	Kaplan et al.	Aug 2001	B1
6292874	Barnett	Sep 2001	B1
6301646	Hostetter	Oct 2001	B1
6308270	Guthery et al.	Oct 2001	B1
6314409	Schneck et al.	Nov 2001	B2
6321314	Van Dyke	Nov 2001	B1
6327652	England et al.	Dec 2001	B1
6330670	England et al.	Dec 2001	B1
6339815	Feng et al.	Jan 2002	B1
6339816	Bausch	Jan 2002	B1
6357004	Davis	Mar 2002	B1
6363485	Adams	Mar 2002	B1
6374286	Gee et al.	Apr 2002	B1
6374317	Ajanovic et al.	Apr 2002	B1
6378068	Foster et al.	Apr 2002	B1
6378072	Collins et al.	Apr 2002	B1
6389403	Dorak, Jr.	May 2002	B1
6389537	Davis et al.	May 2002	B1
6397242	Devine et al.	May 2002	B1
6397379	Yates, Jr. et al.	May 2002	B1
6411715	Liskov et al.	Jun 2002	B1
6412035	Webber	Jun 2002	B1
6421702	Gulick	Jul 2002	B1
6435416	Slassi	Aug 2002	B1
6445797	McGough et al.	Sep 2002	B1
6463535	Drews et al.	Oct 2002	B1
6463537	Tello	Oct 2002	B1
6473508	Young et al.	Oct 2002	B1
6473800	Jerger et al.	Oct 2002	B1
6496847	Bugnion et al.	Dec 2002	B1
6499123	McFarland et al.	Dec 2002	B1
6505279	Phillips et al.	Jan 2003	B1
6507904	Ellison et al.	Jan 2003	B1
6529909	Bowman-Amuah	Mar 2003	B1
6535988	Poisner	Mar 2003	B1
6557104	Vu et al.	Apr 2003	B2
6560627	McDonald et al.	May 2003	B1
6609199	DeTreville	Aug 2003	B1
6615278	Curtis	Sep 2003	B1
6633963	Ellison et al.	Oct 2003	B1
6633981	Davis	Oct 2003	B1
6651171	England et al.	Nov 2003	B1
6678825	Ellison et al.	Jan 2004	B1
6684326	Cromer et al.	Jan 2004	B1
6711263	Nordenstam et al.	Mar 2004	B1
6738904	Linnartz et al.	May 2004	B2
6792113	Ansell et al.	Sep 2004	B1
6826616	Larson et al.	Nov 2004	B2
6987853	Uner	Jan 2006	B2
6988250	Proudler et al.	Jan 2006	B1
7028149	Grawrock et al.	Apr 2006	B2
7133990	Link et al.	Nov 2006	B2
7165181	Brickell	Jan 2007	B2
7178030	Scheidt et al.	Feb 2007	B2
7181620	Hur	Feb 2007	B1
7216110	Ogg et al.	May 2007	B1
7233666	Lee et al.	Jun 2007	B2
7299500	Klebe et al.	Nov 2007	B1
7526651	Arditti Modiano et al.	Apr 2009	B2
20010011267	Kihara et al.	Aug 2001	A1
20010021969	Burger et al.	Sep 2001	A1
20010027511	Wakabayashi et al.	Oct 2001	A1
20010027527	Khidekel et al.	Oct 2001	A1
20010037450	Metlitski et al.	Nov 2001	A1
20010044786	Ishibashi	Nov 2001	A1
20010044886	Cassagnol et al.	Nov 2001	A1
20020004900	Patel	Jan 2002	A1
20020007456	Peinado et al.	Jan 2002	A1
20020012432	England et al.	Jan 2002	A1
20020023032	Pearson et al.	Feb 2002	A1
20020044567	Voit et al.	Apr 2002	A1
20020048369	Ginter et al.	Apr 2002	A1
20020065136	Day	May 2002	A1
20020080190	Hamann et al.	Jun 2002	A1
20020147916	Strongin et al.	Oct 2002	A1
20020166053	Wilson	Nov 2002	A1
20020166061	Falik et al.	Nov 2002	A1
20020169717	Challener	Nov 2002	A1
20020178354	Ogg et al.	Nov 2002	A1
20020178534	Massaro	Dec 2002	A1
20020198302	Rouse et al.	Dec 2002	A1
20030002668	Graunke et al.	Jan 2003	A1
20030018892	Tello	Jan 2003	A1
20030037237	Abgrall et al.	Feb 2003	A1
20030041250	Proudler	Feb 2003	A1
20030074548	Cromer et al.	Apr 2003	A1
20030105718	Hurtado et al.	Jun 2003	A1
20030112008	Hennig	Jun 2003	A1
20030114144	Minemura	Jun 2003	A1
20030115453	Grawrock	Jun 2003	A1
20030126442	Glew et al.	Jul 2003	A1
20030126453	Glew et al.	Jul 2003	A1
20030159056	Cromer et al.	Aug 2003	A1
20030182584	Banes et al.	Sep 2003	A1
20030188156	Yasala et al.	Oct 2003	A1
20030188179	Challener et al.	Oct 2003	A1
20030195857	Acquisti	Oct 2003	A1
20030196085	Lampson et al.	Oct 2003	A1
20030231328	Chapin et al.	Dec 2003	A1
20030235175	Naghiam et al.	Dec 2003	A1
20040003324	Uhlig et al.	Jan 2004	A1
20040039924	Baldwin et al.	Feb 2004	A1
20040064694	Lee et al.	Apr 2004	A1
20040103281	Brickell	May 2004	A1
20040117539	Bennett et al.	Jun 2004	A1
20040123288	Bennett et al.	Jun 2004	A1
20040240667	Lee et al.	Dec 2004	A1
20040260926	Arditti Modiano et al.	Dec 2004	A1
20050010535	Camenisch	Jan 2005	A1
20050081038	Arditti Modiano et al.	Apr 2005	A1
20050100161	Husemann et al.	May 2005	A1
20050114682	Zimmer et al.	May 2005	A1
20050154890	Vembu	Jul 2005	A1
20050283586	Mondal et al.	Dec 2005	A1
20060013399	Brickell et al.	Jan 2006	A1
20060013400	Sutton	Jan 2006	A1
20060013402	Sutton et al.	Jan 2006	A1
20060020786	Helms et al.	Jan 2006	A1
20060117181	Brickell	Jun 2006	A1
20070192829	Ford	Aug 2007	A1

Foreign Referenced Citations (70)

Number	Date	Country
1985466	Jun 2007	CN
101019368	Aug 2007	CN
101019369	Aug 2007	CN
4217444	Dec 1992	DE
10218835	Apr 2002	DE
112005001666	May 2007	DE
112005001672	May 2007	DE
112005001654	Nov 2007	DE
0473913	Mar 1992	EP
0 492 692	Jul 1992	EP
0600112	Jun 1994	EP
0602867	Jun 1994	EP
0877314	Nov 1998	EP
0892521	Jan 1999	EP
0930567	Jul 1999	EP
0961193	Dec 1999	EP
0965902	Dec 1999	EP
1030237	Aug 2000	EP
1055989	Nov 2000	EP
1056014	Nov 2000	EP
1067470	Jan 2001	EP
1085396	Mar 2001	EP
1146715	Oct 2001	EP
1209563	May 2002	EP
1271277	Jan 2003	EP
1617587	Jan 2006	EP
2620248	Mar 1989	FR
2700430	Jul 1994	FR
2714780	Jul 1995	FR
2742618	Jun 1997	FR
2752122	Feb 1998	FR
2763452	Nov 1998	FR
2830147	Mar 2003	FR
2439160	Dec 2007	GB
2000076139	Mar 2000	JP
2006293472	Oct 2006	JP
WO9524696	Sep 1995	WO
WO9729567	Aug 1997	WO
WO9812620	Mar 1998	WO
WO9834365	Aug 1998	WO
WO9844402	Oct 1998	WO
WO9905600	Feb 1999	WO
WO9909482	Feb 1999	WO
WO9918511	Apr 1999	WO
WO-9931842	Jun 1999	WO
WO9957863	Nov 1999	WO
WO9965579	Dec 1999	WO
WO0021238	Apr 2000	WO
WO-0049764	Aug 2000	WO
WO0062232	Oct 2000	WO
WO-0069206	Nov 2000	WO
WO0127723	Apr 2001	WO
WO0127821	Apr 2001	WO
WO-0143476	Jun 2001	WO
WO-0163954	Aug 2001	WO
WO0163994	Aug 2001	WO
WO0175564	Oct 2001	WO
WO0175565	Oct 2001	WO
WO0175595	Oct 2001	WO
WO0201794	Jan 2002	WO
WO0217555	Feb 2002	WO
WO-0245452	Jun 2002	WO
WO-0245453	Jun 2002	WO
WO02060121	Aug 2002	WO
WO-02073928	Sep 2002	WO
WO02086684	Oct 2002	WO
WO03058412	Jul 2003	WO
WO-2006019614	Feb 2006	WO
WO-2006023151	Mar 2006	WO
WO-2006025952	Mar 2006	WO

Non-Patent Literature Citations (72)

Entry
Chang, Tin-Wei; “Efficient Authentication Schemes Based on Group Certificate and Their Application on Mobile Communication Systems”, Department of Electrical Engineering, National Cheng Kung University, Tainan, Taiwan, Thesis for Master of Science, Published: Jun. 2003.
Menezes, Vanstone, Oorschot: “Handbook of Applied Cryptography”, CRC Press LLC, USA, 1997, pp. 405-406, 409-410, 433-435, 576-580. XP002353062.
Ateniese, Giuseppe , et al., “A Practical and Provably Secure Coalition-Resistant Group Signature Scheme”, Advances in Cryptology—CRYPTO2000, vol. 1880 of Lecture Notes in Computer Sciemce, Int'; Assoc for Crypt Res, Spring-Verlag, Berlin, Germany,(2000),255-270.
Berg, Cliff , “How Do I Create a Signed Applet?”, Dr. Dobb's Journal, (Aug. 1997),1-9.
Brands, Stefan , “Restrictive Blinding of Secret-Key Certificates”, Springer-Verlag XP002201306, (1995),Chapter 3.
Chien, Andrew A., et al., “Safe and Protected Execution for the Morph/AMRM Reconfigurable Processor”,7th Annual IEEE Symposium, FCCM '99 Proceedings, XP010359180, ISBN 0-7695-0375-6, Los Alamitos, CA, (Apr. 21, 1999),209-221.
Compaq Computer Corporation, “Trusted Computing Platform Alliance (TCPA) Main Specification Version 1.1a”, XP002272822 (Jan. 25, 2001),1-321.
Coulouris, George , et al., “Distributed Systems, Concepts and Designs”, 2nd Edition (1994),422-424.
Crawford, John , “Architecture of the Intel 80386”, Proceedings of the IEEE International Conference on Computer Design: VLSI in Computers and Processors (ICCD '86), (Oct. 6, 1986),155-160.
Davida, George I., et al., “Defending Systems Against Viruses through Cryptographic Authentication”, Proceedings of the Symposium on Security and Privacy, IEEE Comp. Soc. Press, ISBN 0-8186-1939-2,(May 1989).
Fabry, R.S. , “Capability-Based Addressing” Fabry, R.S., “Capability-Based Addressing,” Communications of the ACM, vol. 17, No. 7, (Jul. 1974),403-412.
Frieder, Gideon , “The Architecture and Operational Characteristics of the Vmx Host Machine”, The Architecture and Operational Characteristics of the VMX Host Machine, IEEE, (1982),9-16.
Goldberg, Robert P., “Survey of Virtual Machine Research”, Computer Magazine, (Jun. 1974),34-35.
Gong, Li , et al., “Going Behond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2”, Proceedings of the USENIX Symposium on Internet Technologies and Systems, Monterey, CA,(Dec. 1997).
Gum, P. H., “System/370 Extended Architecture: Facilities for Virtual Machines”, IBM J. Research Development, vol. 27, No. 6, (Nov. 1983),530-544.
Heinrich, Joe , “MIPS R4000 Microprocessor User's Manual, Second Edition”, Chapter 4 “Memory Management”, (Jun. 11, 1993),61-97.
HP Mobile Security Overview, “HP Mobile Security Overview”, (Sep. 2002),1-10.
IBM, “Information Display Technique for a Terminate Stay Resident Program IBM Technical Disclosure Bulletin”, TDB-ACC-No. NA9112156, vol. 34, Issue 7A, (Dec. 1, 1991),156-158.
IBM Corporation, “IBM ThinkPad T30 Notebooks”, IBM Product Specification, located at www-1.ibm.com/services/files/cisco—t30—spec—sheet—070202.pdf, last visited Jun. 23, 2004,(Jul. 2, 2002),1-6.
Intel, “IA-32 Intel Architecture Software Developer's Manual”, vol. 3: System Programming Guide, Intel Corporation—2003,13-1 through 13-24.
Intel, “Inte1386 DX Microprocessor 32-Bit CHMOS Microprocessor With Integrated Memory Management”, (1995),5-56.
Intel Corporation, “IA-64 System Abstraction Layer Specification”, Intel Product Specification, Order No. 245359-001, (Jan. 2000),1-112.
Intel Corporation, “Intel 82802AB/82802AC Firmware Hub (FWH)”, Intel Product Datasheet, Document No. 290658-004,(Nov. 2000),1-6, 17-28.
Intel Corporation, “Intel IA-64 Architecture Software Developer's Manual”, vol. 2: IA-64 System Architecture, Order No. 245318-001, (Jan. 2000),i, ii, 5.1-5.3, 11.1-11.8, 11.23-11.26.
Karger, Paul A., et al., “A VMM Security Kernal for the VAX Architecture”, Proceedings of the Symposium on Research in Security and Privacy, XP010020182 ISBN 0-8186-2060-9, Boxborough, MA, (May 7, 1990),2-19.
Kashiwagi, Kazuhiko , et al., “Design and Implementation of Dynamically Reconstructing System Software”, Software Engineering Conference, Proceedings 1996 Asia-Pacific Seoul, South Korea Dec. 4-7, 1996, Los Alamitos, CA USA, IEEE Comput. Soc, US, ISBN 0-8186-7638-8,(1996).
Lawton, Kevin , et al., “Running Multiple Operating Systems Concurrently on an IA32 PC Using Virtualization Techniques”, http://www.plex86.org/research/paper.txt, (Nov. 29, 1999),1-31.
Luke, Jahn , et al., “Replacement Strategy for Aging Avionics Computers”, IEEE AES Systems Magazine, XP002190614,(Mar. 1999).
Menezes, Alfred J., et al., “Handbook of Applied Crypography”, CRC Press Series on Discrete Mathematices and its Applications, Boca Raton, FL, XP002165287, ISBN 0849385237,(Oct. 1996),403-405, 506-515, 570.
Motorola, “M68040 User's Manual”, (1993),1-1 to 8-32.
Nanba, S. , “VM/4: ACOS-4 Virtial Machine Architecture”, VM/4: ACOS-4 Virtial Machine Architecture, IEEE, (1985),171-178.
Robin, John S., et al., “Analysis of the Pentium's Ability to Support a Secure Virtual Machine Monitor”, Proceedings of the 9th USENIX Security Symposium, XP002247347, Denver, Colorado, (Aug. 14, 2000),1-17.
Rosenblum, M. , “Virtual Platform: A Virtual Machine Monitor for Commodity PC”, Proceedings of the 11th Hotchips Conference, (Aug. 17, 1999),185-196.
RSA Security, “Hardware Authenticators”, www.rsasecurity.com/node.asp?id=1158, 1-2.
RSA Security, “RSA SecurID Authenticators”, www.rsasecurity.com/products/securid/datasheets/SID—DS—0103.pdf, 1-2.
RSA Security, “Software Authenticators”, www.srasecurity.com/node.asp?id=1313, 1-2.
Saez, Sergio , et al., “A Hardware Scheduler for Complex Real-Time Systems”, Proceedings of the IEEE International Symposium on Industrial Electronics, XP002190615,(Jul. 1999),43-48.
Schneier, Bruce , “Applied Cryptography: Protocols, Algorithm, and Source Code in C”, Wiley, John & Sons, Inc., XP002939871; ISBN 0471117099,(Oct. 1995),47-52.
Schneier, Bruce , “Applied Cryptography: Protocols, Algorithm, and Source Code in C”, Wiley, John & Sons, Inc., XP002138607; ISBN 0471117099,(Oct. 1995),56-65.
Schneier, Bruce , “Applied Cryptography: Protocols, Algorithms, and Source Code in C”, Wiley, John & Sons, Inc., XP0021111449; ISBN 0471117099,(Oct. 1995),169-187.
Schneier, Bruce , “Applied Cryptography: Protocols, Algorithms, and Source Code in C”, 2nd Edition; Wiley, John & Sons. Inc., XP002251738; ISBN 0471128457,(Nov. 1995),28-33; 176-177; 216-217; 461-473; 518-522.
Sherwood, Timothy , et al., “Patchable Instruction ROM Architecture”, Department of Computer Science and Engineering, University of California, San Diego, La Jolla, CA, (Nov. 2001).
Hall, J. S., et al., “Virtualizing the VAX Architecture”, ACM SIGARCH Computer Architecture News, Proceedings of the 18th Annual International Symposium on Computer Architecture, vol. 19, Issue No. 3, (Apr. 1991), 10 pages.
Intel Corporation, Final Office Action mailed Jul. 9, 2008, U.S. Appl. No. 10/782,572, 9 pages.
Intel Corporation, Office Action mailed Dec. 23, 2008, U.S. Appl. No. 10/782,572, 8 pages.
Intel Corporation, Office Action mailed Jul. 22, 2009, U.S. Appl. No. 10/782,572, 10 pages.
Intel Corporation, Notice of Allowance mailed Dec. 11, 2008, U.S. Appl. No. 10/866,252, 7 pages.
Rosenberg, J. B., “How Debuggers Work (Algorithms, Data Structures, and Architecture”, Chapters 3 and 5 Hardware Debugger Facilities, Wiley Computer Publishing, United States, (1996), pp. 42-43, 95, 96 and 99.
Hawthorne, W. M., “An Alternative to Public Key Encryption”, European Convention on Security and Detection, Found at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=491615&isnumber=10615, (May 1995), 142-145.
Intel Corporation, U.S. Patent and Trademark Office Official Action in related U.S. Appl. No. 10/892,256 dated Sep. 29, 2008, with corresponding Reply to Official Action filed Dec. 24, 2008.
Intel Corporation, U.S. Patent and Trademark Office Official Action in related U.S. Appl. No. 10/892,280 dated Nov. 26, 2008.
Intel Corporation, U.S. Patent and Trademark Office Official Action in related U.S. Appl. No. 10/892,280 dated Sep. 12, 2007, with corresponding Reply to Official Action filed Jan. 24, 2008.
Intel Corporation, U.S. Patent and Trademark Office Final Official Action in related U.S. Appl. No. 10/892,280 dated May 14, 2008, with corresponding Reply to Final Official Action filed Jul. 9, 2008.
Intel Corporation, U.S. Patent and Trademark Office Official Action in related U.S. Appl. No. 10/892,256 dated Jul. 23, 2007, with corresponding Reply to Official Action filed Dec. 20, 2007.
Intel Corporation, U.S. Patent and Trademark Office Final Official Action in related U.S. Appl. No. 10/892,256 dated Apr. 1, 2008, with corresponding Reply to Final Official Action filed May 30, 2008, Advisory Action mailed on Jun. 16, 2008.
Intel Corporation, PCT International Search Report and Written Opinion of the International Searching Authority, Application No. PCT/US2005/024486, mailed Sep. 18, 2006.
Intel Corporation, PCT Preliminary Report on Patentability (Chapter 1 of the Patent Cooperation Treaty), Application No. PCT/US2005/024486, mailed Jan. 25, 2007.
Intel Corporation, PCT International Search Report and Written Opinion of the International Searching Authority, Application No. PCT/US2005/024374, mailed Sep. 18, 2006.
Intel Corporation, PCT Preliminary Report on Patentability (Chapter 1 of the Patent Cooperation Treaty), Application No. PCT/US2005/024374, mailed Jan. 25, 2007.
Intel Corporation, PCT International Search Report and Written Opinion of the International Searching Authority, Application No. PCT/US2005/024251, mailed Oct. 6, 2005.
Intel Corporation, PCT International Search Report and Written Opinion of the International Searching Authority, Application No. PCT/US2005/024253, mailed Sep. 18, 2006.
Intel Corporation, PCT Preliminary Report on Patentability (Chapter 1 of the Patent Cooperation Treaty), Application No. PCT/US2005/024253, mailed Jan. 25, 2007.
Intel Corporation, U.S. Patent and Trademark Office, Final Office Action dated Mar. 24, 2009 in related U.S. Appl. No. 10/892,256.
Intel Corporation, U.S. Patent and Trademark Office, Office Action dated Jun. 15, 2009, with Reply to Office Action filed on Sep. 15, 2009, in related U.S. Appl. No. 10/892,265.
Intel Corporation, U.S. Patent and Trademark Office Official Action in related U.S. Appl. No. 10/892,265 dated Nov. 25, 2008, with corresponding Reply to Official Action filed Feb. 25, 2009.
Intel Corporation, U.S. Patent and Trademark Office Official Action in related U.S. Appl. No. 10/892,265 dated Sep. 12, 2007, with corresponding Reply to Official Action filed Jan. 24, 2008.
Intel Corporation, U.S. Patent and Trademark Office Final Official Action in related U.S. Appl. No. 10/892,265 dated Apr. 17, 2008, with corresponding Reply to Final Official Action filed Jun. 17, 2008.
Intel Corporation, Non-Final Office Action mailed Jun. 2, 2009, U.S. Appl. No. 11/387,203, filed Mar. 22, 2006, First Named Inventor: Ernest Brickell.
Intel Corporation, Final Office Action mailed Dec. 7, 2009, U.S. Appl. No. 11/387,203, filed Mar. 22, 2006.
Menezes, Alfred J., et al., Handbook of Applied Cryptography, CRC Press, LLC, pp. 321-322, 330-331, 388-390, 394-395, 397-398, 472, 515-516, 548-552, (1997).
Menezes, Alfred J., et al., “Hash Functions and Data Integrity”, Handbook of Applied Cryptography, CRC Press Inc., 1997, Chapter 9.
Schneier, Bruce, Applied Cryptography Second Edition, John Wiley & Sons, (1996), pp. 513-514.

Related Publications (1)

	Number	Date	Country
	20060117181 A1	Jun 2006	US

Apparatus and method for establishing a secure session with a device without exposing privacy-sensitive information

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

US Classifications

Field of Search

US

International Classifications