US11650935B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11650935-B2 |
| Application number | US-201816234726-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 28, 2018 |
| Priority date | Jun 20, 2018 |
| Publication date | May 16, 2023 |
| Grant date | May 16, 2023 |
Official abstract text for this publication.
Technologies for secure key provisioning include a computing device having a processor with secure enclave support and a manageability controller. The manageability controller receives a secret key from a network source via a network interface that is isolated from untrusted software of the computing device. The manageability controller authenticates a secure enclave of the computing device and, if successful, securely provisions a session key derived from the secret key to the secure enclave. The manageability controller may provision additional session keys after expiration of the session key. The manageability controller may monitor for revocation of the secret key by the network source. If revoked, the manageability controller does not provision additional session keys to the secure enclave. The manageability controller may also provision the session key to a sensor device protected by the secret key, which is pre-provisioned to the sensor device. Other embodiments are described and claimed.
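The provisioning cycle described in the abstract, as an added Python sketch that is not code from the patent. HKDF-SHA256 as the derivation function, the byte-string measurement standing in for enclave authentication, the `is_revoked` callback standing in for the query to the network source, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

def hkdf_sha256(secret: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class ManageabilityController:
    """Holds the secret key; the enclave only ever receives session keys."""
    def __init__(self, secret_key, trusted_measurement, is_revoked, ttl_seconds):
        self._secret = secret_key
        self._trusted = trusted_measurement   # expected enclave identity (assumed form)
        self._is_revoked = is_revoked         # callable: asks the network source
        self._ttl = ttl_seconds
        self._epoch = 0
        self._current = None                  # (session_key, expires_at)

    def provision(self, enclave_measurement: bytes, now: float):
        """Return a session key for an authenticated enclave, or None."""
        # Stand-in for enclave authentication: constant-time identity comparison.
        if not hmac.compare_digest(enclave_measurement, self._trusted):
            return None
        if self._current and now < self._current[1]:
            return self._current[0]           # current session key still valid
        # Missing or expired: derive a new key only if the secret is not revoked.
        if self._is_revoked():
            return None
        self._epoch += 1
        info = b"session-key|" + self._epoch.to_bytes(4, "big")
        key = hkdf_sha256(self._secret, info)
        self._current = (key, now + self._ttl)
        return key

def demo():
    revoked = {"flag": False}                 # constructed network-source state
    mc = ManageabilityController(b"\x11" * 32, b"enclave-A", lambda: revoked["flag"], 60)
    k1 = mc.provision(b"enclave-A", now=0)
    k1_again = mc.provision(b"enclave-A", now=30)
    k2 = mc.provision(b"enclave-A", now=61)   # expired: second session key
    rogue = mc.provision(b"enclave-B", now=62)
    revoked["flag"] = True
    k3 = mc.provision(b"enclave-A", now=200)  # expired and revoked: refused
    return k1, k1_again, k2, rogue, k3
```

Because each session key is bound to an epoch counter, a revoked secret key stops yielding fresh keys at the next expiry, so the session lifetime bounds how long a revoked deployment keeps working.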
Opening claim text (preview).
The invention claimed is:
1. An apparatus comprising: a manageability controller circuitry coupled to or hosted by one or more processors, the manageability controller circuitry comprising: a remote communicator circuitry to receive a secret key from a network source; and a local authenticator circuitry to (i) authenticate a secure enclave of the apparatus, wherein the secure enclave is isolated from untrusted software of the apparatus, and (ii) securely provision a first session key derived from the secret key to the secure enclave in response to authentication of the secure enclave, wherein the local authenticator circuitry is further to securely provision a second session key derived from the secret key to the secure enclave in response to a determination that the first session key has expired, wherein the secure enclave comprises a trusted execution environment established with secure enclave support of the one or more processors, wherein the secure enclave facilitates a cryptographic operation with the first or second session keys in response to the secure provisioning of the first or second session keys, wherein the manageability controller circuitry further comprises a revocation manager circuitry to monitor a master key for revocation from the network source, wherein the master key includes the secret key, and wherein to monitor includes to determine whether the secret key has been revoked by the network source, wherein the revocation manager circuitry to determine whether the first session key has expired in response to the secure provisioning of the first session key to the secure enclave, wherein to securely provision the second session key comprises to securely provision the second session key in response to a determination that the secret key has not been revoked.
2. The apparatus of claim 1, wherein to determine whether the secret key has been revoked comprises to communicate with the network source via a network interface that is isolated from the untrusted software, wherein the manageability controller circuitry comprises a coprocessor having a network interface associated with the network source, wherein the network interface is isolated from the untrusted software.
3. The apparatus of claim 1, further comprising a peripheral device to perform the cryptographic operation to receive encrypted data from the peripheral device, wherein the encrypted data is encrypted with the first or second session keys.
4. The apparatus of claim 3, wherein the local authenticator circuitry is further to securely provision the first or second session key to the peripheral device in response to the authentication of the secure enclave, wherein the session key is encrypted with the secret key, and wherein the secret key is pre-provisioned to the peripheral device, wherein the local authenticator circuitry is further to securely provision the first or second session key to the peripheral device via a secure sideband channel in response to the authentication of the secure enclave.
5. The apparatus of claim 1, wherein to authenticate the secure enclave comprises to perform a local attestation to verify an identity of the secure enclave, wherein the untrusted software comprises one or more of a pre-boot firmware environment, an operating system, or a hypervisor.
6. A method comprising: receiving, by a manageability controller circuitry, a secret key from a network source, wherein the manageability controller circuitry is coupled to or hosted by one or more processors of a computing device; authenticating, by the manageability controller circuitry, a secure enclave of the computing device, wherein the secure enclave is isolated from untrusted software of the computing device; securely provisioning, by the manageability controller, a first session key derived from the secret key to the secure enclave in response to authenticating the secure enclave, wherein security provisioning further includes securely provisioning a second session key derived from the secret key to the secure enclave in response to a determination that the first session key has expired, wherein the secure enclave comprises a trusted execution environment established with secure enclave support of the one or more processors, wherein the secure enclave facilitates a cryptographic operation with the first or second session keys in response to the secure provisioning of the first or second session keys; and monitoring, by a revocation manager circuitry of the manageability controller circuitry, a master key for revocation from the network source, wherein the master key includes the secret key, and wherein monitoring includes determining whether the secret key has been removed revoked by the network source; and determining, by the manageability controller circuitry, whether the first session key has expired in response to the secure provisioning of the first session key to the secure enclave, wherein to securely provision the second session key comprises to securely provision the second session key in response to a determination that the secret key has not been revoked.
7. The method of claim 6, wherein to determine whether the secret key has been revoked comprises to communicate with the network source via a network interface that is isolated from the untrusted software, wherein the manageability controller circuitry comprises a coprocessor having a network interface associated with the network source, wherein the network interface is isolated from the untrusted software.
8. The method of claim 7, further comprising performing, by the manageability controller circuitry, the cryptographic operation to receive encrypted data from the peripheral device, wherein the encrypted data is encrypted with the first or second session keys.
9. The method of claim 8, further comprising: securely provisioning, by the manageability controller circuitry, the first or second session keys to the peripheral device in response to the authentication of the secure enclave, wherein the session key is encrypted with the secret key, and wherein the secret key is pre-provisioned to the peripheral device; and securely provisioning, by the manageability controller circuitry, the first or second session keys to the peripheral device via a secure sideband channel in response to the authentication of the secure enclave.
10. The method of claim 6, wherein to authenticate the secure enclave comprises to perform a local attestation to verify an identity of the secure enclave, wherein the untrusted software comprises one or more of a pre-boot firmware environment, an operating system, or a hypervisor.
11. At least one non-transitory computer-readable medium having stored thereon instructions which, when executed, cause a computing device to perform operations comprising: receiving a secret key from a network source, wherein receiving is facilitated by a manageability controller circuitry coupled to or hosted by one or more processors of the computing device; authenticating a secure enclave of the computing device, wherein the secure enclave is isolated from untrusted software of the computing device; securely provisioning a first session key derived from the secret key to the secure enclave in response to authenticating the secure enclave, wherein security provisioning further includes securely provisioning a second session key derived from the secret key to the secure enclave in response to a determination that the first session key has expired, wherein the secure enclave comprises a trusted execution environment established with secure enclave support of the one or more processors, wherein the secure enclave facilitates a cryptographic operation with the first or second s
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
by using cryptography (for digital transmission H04L9/00) · CPC title
Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title
Network integration; Enabling network access in virtual machine instances · CPC title