Method and apparatus for establishing trusted channel between user and trusted computing cluster

US11728978B2 · US · B2

Patent metadata
Publication number: US-11728978-B2
Application number: US-202117401064-A
Country: US
Kind code: B2
Filing date: Aug 12, 2021
Priority date: Dec 12, 2018
Publication date: Aug 15, 2023
Grant date: Aug 15, 2023

Abstract

Official abstract text for this publication.

Some embodiments of the present specification provide a method and an apparatus for establishing a trusted channel between a user and a trusted computing cluster. According to the method, when a user wants to establish a trusted channel with a trusted computing cluster, the user only negotiates a session key with any first trusted computing unit in the cluster to establish the trusted channel. Then, the first trusted computing unit encrypts the session key using a cluster key common to the trusted computing cluster to which the first trusted computing unit belongs, and sends the encrypted session key to a cluster manager. The cluster manager transmits the encrypted session key in the trusted computing cluster, so that other trusted computing units in the cluster obtain the session key and join the trusted channel. Thus, the user establishes a trusted channel with the entire trusted computing cluster.
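
The wrap-and-forward step from the abstract and from claims 1 and 3, as an added Go example that is not taken from the patent: the first unit encrypts the session key under the cluster key, the cluster manager relays only the opaque result, and a second unit recovers the key. AES-256-GCM, the nonce-prefixed blob layout, binding the session identifier as associated data, and the names `newAEAD`, `Wrap` and `Unwrap` are assumptions; the text on this page names no cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD: AES-256-GCM is an assumption of this example, not the patent's choice.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap runs in the first unit; using sessionID as associated data is an assumption.
func Wrap(clusterKey, sessionKey []byte, sessionID string) ([]byte, error) {
	aead, err := newAEAD(clusterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, sessionKey, []byte(sessionID)), nil
}

// Unwrap runs in a second unit on the blob the cluster manager forwarded unchanged.
func Unwrap(clusterKey, blob []byte, sessionID string) ([]byte, error) {
	aead, err := newAEAD(clusterKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("wrapped key shorter than nonce")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(sessionID))
}

func main() {
	ck, sk := make([]byte, 32), make([]byte, 32) // constructed all-zero demo keys
	blob, _ := Wrap(ck, sk, "sess-1")
	fmt.Println(Unwrap(ck, blob, "sess-2")) // mismatched session id: unwrap is rejected
}
```

The cluster manager never needs the cluster key in this flow: it handles only the blob and the session identifier, so a unit outside the cluster, or a blob replayed under a different session identifier, fails authentication on unwrap.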

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for establishing a trusted channel between a user and a trusted computing cluster, the trusted computing cluster including a plurality of trusted computing units each maintaining a first cluster key, the method comprising: obtaining, by a first trusted computing unit of the trusted computing cluster, a first session key through negotiation with a user, and establishing a first trusted channel with the user, the first session key configured to encrypt data to be transmitted through the first trusted channel; encrypting, by the first trusted computing unit, the first session key using the first cluster key to obtain a first encrypted key; and causing the first encrypted key to be sent to a second trusted computing unit of the trusted computing cluster.

2. The method according to claim 1, wherein the obtaining the first session key through negotiation with the user includes: sending a first public key of a first key pair of the first trusted computing unit to the user, the first key pair including the first public key and a first private key, and obtaining a user public key provided by the user; and generating the first session key based on the first public key, the first private key, and the user public key.

3. The method according to claim 1, comprising: before the causing the first encrypted key to be sent to the second trusted computing unit: sending an identifier request message for the first trusted channel to a cluster manager; obtaining, from the cluster manager, a first session identifier allocated to the first trusted channel; and causing the first session identifier to be sent together with the first encrypted key to the second trusted computing unit.

4. A method, comprising: receiving, from a first trusted computing unit, an encrypted key, the encrypted key corresponding to a trusted channel between the first trusted computing unit and a user outside a trusted computing environment of the first trusted computing unit; determining a trusted computing cluster to which the first trusted computing unit belongs; and sending the encrypted key to a second trusted computing unit of the trusted computing cluster, enabling the second trusted computing unit to decrypt the encrypted key using a cluster key of the trusted computing cluster to obtain a session key for the trusted channel and to join the trusted channel based on the session key.

5. The method of claim 4, comprising: receiving from the first trusted computing unit, a session identifier corresponding to the trusted channel; and obtaining, based on the session identifier, a list of trusted computing units of the trusted computing cluster that join the trusted channel, the list including the first trusted computing unit.

6. The method of claim 5, comprising: before the sending the encrypted key to the second trusted computing unit of the trusted computing cluster, removing all trusted computing units from the list except for the first trusted computing unit.

7. The method according to claim 4, further comprising: receiving, from the first trusted computing unit, a request for an identifier with respect to the trusted channel; allocating a session identifier to the trusted channel in response to the request; and adding the first trusted computing unit to a list of trusted computing units of the trusted computing cluster corresponding to the session identifier.

8. The method according to claim 7, comprising: sending the session identifier to the second trusted computing unit; and adding the second trusted computing unit to the list of trusted computing units.

9. The method according to claim 4, wherein the determining the trusted computing cluster to which the first trusted computing unit belongs includes: using a maintained cluster information table to determine the trusted computing cluster to which the first trusted computing unit belongs and each trusted computing unit included in the trusted computing cluster.

10. A non-transitory storage medium having computer executable instructions stored thereon, which when executed by one or more processors, configure the one or more processors to perform acts including: receiving, from a first trusted computing unit, an encrypted key, the encrypted key corresponding to a trusted channel between the first trusted computing unit and a user outside a trusted computing environment of the first trusted computing unit; determining a trusted computing cluster to which the first trusted computing unit belongs; and sending the encrypted key to a second trusted computing unit of the trusted computing cluster, enabling the second trusted computing unit to decrypt the encrypted key using a cluster key of the trusted computing cluster to obtain a session key for the trusted channel and to join the trusted channel based on the session key.

11. The storage medium according to claim 10, wherein the acts include: receiving from the first trusted computing unit, a session identifier corresponding to the trusted channel; and obtaining, based on the session identifier, a list of trusted computing units of the trusted computing cluster that join the trusted channel, the list including the first trusted computing unit.

12. The storage medium according to claim 11, wherein the acts include: before the sending the encrypted key to the second trusted computing unit of the trusted computing cluster, removing all trusted computing units from the list except for the first trusted computing unit.

13. The storage medium according to claim 10, wherein the acts include: receiving, from the first trusted computing unit, a request for an identifier with respect to the trusted channel; allocating a session identifier to the trusted channel in response to the request; and adding the first trusted computing unit to a list of trusted computing units of the trusted computing cluster corresponding to the session identifier.

14. The storage medium according to claim 13, wherein the acts include: sending the session identifier to the second trusted computing unit; and adding the second trusted computing unit to the list of trusted computing units.

15. The storage medium according to claim 10, wherein the determining the trusted computing cluster to which the first trusted computing unit belongs includes: using a maintained cluster information table to determine the trusted computing cluster to which the first trusted computing unit belongs and each trusted computing unit included in the trusted computing cluster.

16. A computing device, comprising: a processor; a memory having computer executable instructions stored thereon, which, when executed by the processor, configure the processor to perform acts including: receiving, from a first trusted computing unit, an encrypted key, the encrypted key corresponding to a trusted channel between the first trusted computing unit and a user outside a trusted computing environment of the first trusted computing unit; determining a trusted computing cluster to which the first trusted computing unit belongs; and sending the encrypted key to a second trusted computing unit of the trusted computing cluster, enabling the second trusted computing unit to decrypt the encrypted key using a cluster key of the trusted computing cluster to obtain a session key for the trusted channel and to join the trusted channel based on the session key.

17. The computing device according to claim 16, wherein the acts include: receiving from the first trusted computing unit, a session identif

Assignees

Inventors

Classifications

  • H04L9/083 (Primary)

    involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] · CPC title

  • using key encryption key · CPC title

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title

  • Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title

  • using a plurality of channels (network architectures or network communication protocols using different networks H04L63/18) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Advanced New Technologies Co Ltd
What technology area does this patent fall under?
Primary CPC classification H04L9/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 15, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).