Secure hardware for cross-device trusted applications
US-2015256332-A1 · Sep 10, 2015 · US
US10404466B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10404466-B2 |
| Application number | US-201715459593-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 15, 2017 |
| Priority date | Mar 6, 2014 |
| Publication date | Sep 3, 2019 |
| Grant date | Sep 3, 2019 |
Official abstract text for this publication.
Various technologies described herein pertain to a computing device that includes secure hardware (e.g., a TPM, a secure processor of a processing platform, protected memory that includes a software-based TPM, etc.). The secure hardware includes a shared secret, which is shared by the secure hardware and a server computing system. The shared secret is provisioned by the server computing system or a provisioning computing system of a party affiliated with the server computing system. The secure hardware further includes a cryptographic engine that can execute a cryptographic algorithm using the shared secret or a key generated from the shared secret. The cryptographic engine can execute the cryptographic algorithm to perform encryption, decryption, authentication, and/or attestation.
Opening claim text (preview).
What is claimed is:

1. A method for controlling synchronizing of a hardware protected state across multiple computing devices, comprising: accessing a first shared secret in storage of a server computing system, the first shared secret being shared by the server computing system and first secure hardware of a first computing device; accessing a second shared secret in the storage of the server computing system, the second shared secret being shared by the server computing system and second secure hardware of a second computing device; and synchronizing the hardware protected state between the first secure hardware and the second secure hardware, the hardware protected state being synchronized based on: first encrypted messages communicated between the server computing system and the first computing device, the first encrypted messages being encrypted based on the first shared secret shared by the server computing system and the first secure hardware; and second encrypted messages communicated between the server computing system and the second computing device, the second encrypted messages being encrypted based on the second shared secret shared by the server computing system and the second secure hardware.

2. The method of claim 1, further comprising: storing data in the storage of the server computing system; encrypting a first message for the first secure hardware, the first message comprises the data, the first message encrypted based on the first shared secret to generate a first encrypted message; transmitting the first encrypted message to the first computing device; encrypting a second message for the second secure hardware, the second message comprises the data, the second message encrypted based on the second shared secret to generate a second encrypted message; and transmitting the second encrypted message to the second computing device.

3. The method of claim 1, further comprising: storing data in the storage of the server computing system; encrypting a message for the first secure hardware, the message comprises the data, the message encrypted based on the first shared secret to generate an encrypted message; transmitting the encrypted message to the first computing device; modifying the data in the storage of the server computing system subsequent to transmitting the encrypted message to the first computing device; encrypting a subsequent message for the first secure hardware, the subsequent message comprises the data as modified, the subsequent message encrypted based on the first shared secret to generate a subsequent encrypted message; and transmitting the subsequent encrypted message to the first computing device.

4. The method of claim 3, wherein the data is a clock value.

5. The method of claim 1, wherein the first shared secret and the second shared secret are provisioned by the server computing system.

6. The method of claim 1, wherein the first shared secret and the second shared secret are provisioned by a provisioning computing system of a party affiliated with the server computing system.

7. The method of claim 1, further comprising: identifying that the hardware protected state is to be synchronized between the first secure hardware of the first computing device and the second secure hardware of the second computing device.

8. The method of claim 7, wherein the first secure hardware of the first computing device and the second secure hardware of the second computing device are identified based on credentials of a user.

9. The method of claim 1, wherein the hardware protected state comprises clock values provided by the server computing system to the first secure hardware of the first computing device and the second secure hardware of the second computing device.

10. The method of claim 1, wherein the hardware protected state comprises data, the method further comprising: storing the data in the storage of the server computing system, wherein the data is synchronized between the first secure hardware and the second secure hardware.

11. The method of claim 10, further comprising: receiving an encrypted message from the first computing device, wherein the encrypted message comprises the data; and decrypting the encrypted message using at least one of the first shared secret or a key generated from the first shared secret to output the data; wherein the data is stored in the storage of the server computing system responsive to the decrypting of the encrypted message.

12. The method of claim 10, wherein the data is written to the storage of the server computing system by the server computing system.

13. A server computing system, comprising: at least one processor; and storage, comprising: a first shared secret, the first shared secret being shared by the server computing system and first secure hardware of a first computing device; and a second shared secret, the second shared secret being shared by the server computing system and second secure hardware of a second computing device; wherein the storage further comprises computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to perform acts including: accessing the first shared secret; accessing the second shared secret; and synchronizing a hardware protected state between the first secure hardware and the second secure hardware using the first shared secret and the second shared secret, wherein the hardware protected state is synchronized based on: first encrypted messages communication between the server computing system and the first computing device, the first encrypted messages being encrypted based on the first shared secret shared by the server computing system and the first secure hardware; and second encrypted messages communicated between the server computing system and the second computing device, the second encrypted messages being encrypted based on the second shared secret shared by the server computing system and the second secure hardware.

14. The server computing system of claim 13, wherein the storage further comprises computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to perform acts including: storing data in the storage of the server computing system; encrypting a first message for the first secure hardware, the first message comprises the data, the first message encrypted based on the first shared secret to generate a first encrypted message; transmitting the first encrypted message to the first computing device; encrypting a second message for the second secure hardware, the second message comprises the data, the second message encrypted based on the second shared secret to generate a second encrypted message; and transmitting the second encrypted message to the second computing device.

15. The server computing system of claim 13, wherein the storage further comprises computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to perform acts including: storing data in the storage of the server computing system; encrypting a message for the first secure hardware, the message comprises the data, the message encrypted based on the first shared secret to generate an encrypted message; transmitting the encrypted message to the first computing device; modifying the data in the storage of the server computing system subsequent to transmitting the encrypted message to the first computing device; encrypting a subsequent message for the first secure hardware, the subsequent mes
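
The synchronization flow in claims 1 to 3, as an added Go example that is not code from the patent: the server seals the same state once per device under a key derived from that device's shared secret, and the secure-hardware side accepts only an authentic message with a newer version. AES-256-GCM, the HMAC-SHA256 key derivation, the version counter and the names `aead`, `Seal` and `Open` are assumptions; the patent text names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// aead derives an AES-256-GCM key from a shared secret (assumed KDF and cipher).
func aead(secret []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte("state-sync-v1"))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal (server): version(8) || nonce(12) || ciphertext+tag; the assumed version counter is AAD.
func Seal(secret []byte, version uint64, state []byte) []byte {
	gcm := aead(secret)
	msg := make([]byte, 8+gcm.NonceSize())
	binary.BigEndian.PutUint64(msg, version)
	if _, err := rand.Read(msg[8:]); err != nil {
		panic(err)
	}
	return gcm.Seal(msg, msg[8:], state, msg[:8])
}

// Open (secure hardware): accept only an authentic message with a newer version.
func Open(secret []byte, last uint64, msg []byte) (uint64, []byte, error) {
	gcm := aead(secret)
	n := 8 + gcm.NonceSize()
	if len(msg) >= n {
		state, err := gcm.Open(nil, msg[8:n], msg[n:], msg[:8])
		if v := binary.BigEndian.Uint64(msg); err == nil && v > last {
			return v, state, nil
		}
	}
	return 0, nil, errors.New("rejected: short, bad tag or stale version")
}

func main() { // constructed secrets and state
	m := Seal([]byte("device-1 secret"), 1, []byte("clock=1000"))
	fmt.Println(Open([]byte("device-2 secret"), 0, m)) // wrong device: rejected
}
```

Because the version is bound as associated data, rewriting it in transit breaks the tag, and replaying an earlier message fails the `v > last` check even though its tag is valid.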
Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes · CPC title
Third party · CPC title
involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853) · CPC title
using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] · CPC title
to assure secure storage of data (address-based protection against unauthorised use of memory G06F12/14; record carriers for use with machines and with at least a part designed to carry digital markings G06K19/00) · CPC title