Last resort safe schema

US12216756B2 · US · B2

Patent metadata
Field                 Value
Publication number    US-12216756-B2
Application number    US-202217974883-A
Country               US
Kind code             B2
Filing date           Oct 27, 2022
Priority date         Oct 27, 2022
Publication date      Feb 4, 2025
Grant date            Feb 4, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Presented herein are systems and methods for enabling and providing safe and secure last resort access to a computing system. Embodiments may leverage trusted platform modules that exist in information handling systems to provide a more convenient and more secure rescue account. In one or more embodiments, the last resort access may be based on federated approval from a vendor/provider and a customer. In one or more embodiments, part of the cryptographic information is stored/controlled by a provisioner (or vendor), and another part is stored/controlled by the customer. Since both parts are involved in the last resort access process in order to gain access, neither entity alone can gain access to the information handling system.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method comprising: receiving from a user a request to start a secure session with an information handling system to gain access to an account via a last resort access process; requesting from the user an entity identifier, which is a unique identifier associated with a secure platform private key stored on a secure platform associated with the information handling system, and a client nonce value; responsive to receiving from the user the client nonce value and the entity identifier, in which the entity identifier was obtained by the user following authentication to a last resort access keys storage maintained by a provider that was involved in a last resort access initialization process that established an asymmetric key pair comprising the secure platform private key and a secure platform public key, in which an encrypted form of the secure platform public key having been encrypted using a public key of the user is stored in the last resort access keys storage, responding with a secure platform nonce value and an authentication challenge code; and responsive to receiving from the user a session code generated by the provider, the authentication challenge code in an encrypted form having been encrypted using the secure platform public key of the user, and the entity identifier: using the session code to authorize usage of the secure platform private key corresponding to the entity identifier; using the secure platform private key to decrypt the authentication challenge code in encrypted form; responsive to the decrypted authentication challenge code matching the authentication challenge code, granting the secure session for the user; and responsive to the decrypted authentication challenge code not matching the authentication challenge code, denying the secure session for the user.

2. The computer-implemented method of claim 1 further comprising: responsive to receiving from the user the request to start a secure session: determining whether one or more conditions have been met according to one or more policies that set when the last resort access process is activated for use by the user; responsive to one or more conditions having not been met according to the one or more policies, denying the secure session for the user; and responsive to one or more conditions having been met according to the one or more policies, allowing the last resort access process to proceed.

3. The computer-implemented method of claim 2 wherein: at least one policy of the one or more policies utilizes data obtained related to the information handling system to determine whether one or more conditions have been met to activate the last resort access process.

4. The computer-implemented method of claim 2 wherein: at least one policy of the one or more policies comprises as a condition activation of a physical interface on a specific information handling system.

5. The computer-implemented method of claim 1 wherein the client nonce value is a unique value that is unique to the secure session.

6. The computer-implemented method of claim 1 wherein the user provides to the last resort access keys storage maintained by the provider a device identifier that is associated with the information handling system or with the information handling system and the user when requesting the entity identifier and the client nonce value.

7. The computer-implemented method of claim 1 wherein the session code generated by the provider is generated using an authentication value that was used in forming the asymmetric key pair.

8. The computer-implemented method of claim 1 wherein the last resort access initialization process comprises: responsive to receiving from the user the public key of the user, using the public key, an authentication value, and the secure platform of the information handling system to generate the asymmetric key pair comprising the secure platform private key, which is kept on the secure platform of the information handling system, and the secure platform public key; receiving from the information handling system the secure platform public key and the entity identifier, which is a unique identifier associated with the secure platform private key stored on the secure platform of the information handling system, in which at least the secure platform public key is received in an encrypted form having been encrypted using the public key of the user for encrypting; storing, for use for the last resort access process, the authentication value, the entity identifier, the secure platform public key in encrypted form having been encrypted using the public key of the user, and a device identifier associated with at least the information handling system; and providing to the user the device identifier.

9. The computer-implemented method of claim 8 wherein: the authentication value is unique to the information handling system.

10. The computer-implemented method of claim 8 wherein the secure platform is a trusted platform module (TPM).

11. A computer-implemented method comprising: responsive to receiving from a user a public key of the user, using the public key, an authentication value, and a secure platform of an information handling system to generate an asymmetric key pair comprising a secure platform private key, which is kept on the secure platform of the information handling system, and a secure platform public key; receiving from the information handling system the secure platform public key and an entity identifier, which is a unique identifier associated with the secure platform private key stored on the secure platform of the information handling system, in which at least the secure platform public key is received in an encrypted form having been encrypted using the public key of the user for encrypting; storing, for use for a last resort access process, the authentication value, the entity identifier, the secure platform public key in encrypted form having been encrypted using the public key of the user, and a device identifier associated with at least the information handling system in a last resort access key storage; and providing to the user the device identifier.

12. The computer-implemented method of claim 11 wherein: the authentication value is unique to the information handling system.

13. The computer-implemented method of claim 11 wherein: providing the user access to the secure platform private key securely stored in the secure platform.

14. The computer-implemented method of claim 11 further comprising: responsive to receiving from a user a request to access information in the last resort access key storage, authenticating the user and only continuing in response to the user successfully being authenticated.

15. The computer-implemented method of claim 11 further comprising, as part of a last resort access flow: receiving, from the user, the device identifier and a request to access information related to the device identifier in the last resort access key storage; and returning, to the user, the entity identifier, the secure platform public key in the encrypted form having been encrypted using the public key of the user, and a client nonce value.

16. The computer-implemented method of claim 15 further comprising: receiving, from the user, a secure platform nonce value; generating a session code using the authentication value that was used in forming the asymmetric key pair; and sending, to the user, the session code.

17. An information handling system comprising: one or more processors; a s
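
The initialization flow (claims 8 and 11) and the last resort access flow (claims 1, 15 and 16) modelled end to end in one runnable script. This is an added illustration, not text from the patent and not Dell's implementation. Everything the claims leave open is an assumption here: unpadded textbook RSA stands in for the TPM-resident key pair and for the customer's key pair; the provider's session code is modelled as an HMAC over the client nonce and the secure platform nonce, keyed by the authentication value (the claims only say the session code is "generated using the authentication value"); the entity identifier is derived as a hash of the TPM public key; and the customer's authentication to the key storage (claim 14) is taken as already done. The names SimulatedTPM, InformationHandlingSystem, Provider and last_resort_access are invented for the model. The three runs in demo() show the split-knowledge property stated in the abstract: the session is granted only when the provider's session code and the customer's private key are both in play.

```python
"""Toy model of the federated last resort access flow in the claims. Illustrative only, not
Dell's implementation: unpadded textbook RSA stands in for the TPM-resident key pair, an HMAC
over both nonces keyed by the authentication value stands in for the provider's session code."""
import hashlib, hmac, secrets

def _probable_prime(n, rounds=20):                    # Miller-Rabin, n odd and large
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits, e=65537):                        # returns (pub, priv) as (n, e), (n, d)
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_encrypt(pub, msg):                             # msg: bytes, numerically below the modulus
    return pow(int.from_bytes(msg, "big"), pub[1], pub[0])
def rsa_decrypt(priv, ct, length):                     # None when ct was not made for this key
    m = pow(ct, priv[1], priv[0])
    return m.to_bytes(length, "big") if m < 1 << (8 * length) else None
def session_code_for(auth_value, client_nonce, tpm_nonce):
    return hmac.new(auth_value, client_nonce + tpm_nonce, hashlib.sha256).digest()

class SimulatedTPM:                                    # private keys never leave; use needs a valid session code
    def __init__(self):
        self._keys = {}                                # entity_id -> (priv, auth_value)
    def create_key(self, auth_value):
        pub, priv = rsa_keygen(256)
        entity_id = hashlib.sha256(pub[0].to_bytes(32, "big")).hexdigest()[:16]   # assumed id scheme
        self._keys[entity_id] = (priv, auth_value)
        return entity_id, pub
    def decrypt(self, entity_id, session_code, client_nonce, tpm_nonce, ct):
        priv, auth_value = self._keys[entity_id]
        if not hmac.compare_digest(session_code_for(auth_value, client_nonce, tpm_nonce), session_code):
            return None                                # authorisation failed: key use refused
        return rsa_decrypt(priv, ct, 16)

class InformationHandlingSystem:
    def __init__(self):
        self.tpm, self._sessions = SimulatedTPM(), {}
    def provision_key(self, auth_value, user_pub):    # initialization: TPM pub wrapped for the customer only
        entity_id, tpm_pub = self.tpm.create_key(auth_value)
        return entity_id, rsa_encrypt(user_pub, tpm_pub[0].to_bytes(32, "big"))
    def start_session(self, entity_id, client_nonce):
        tpm_nonce, challenge = secrets.token_bytes(16), secrets.token_bytes(16)
        self._sessions[entity_id] = (client_nonce, tpm_nonce, challenge)
        return tpm_nonce, challenge
    def finish_session(self, entity_id, session_code, enc_challenge):
        client_nonce, tpm_nonce, challenge = self._sessions.pop(entity_id)
        plain = self.tpm.decrypt(entity_id, session_code, client_nonce, tpm_nonce, enc_challenge)
        return plain is not None and hmac.compare_digest(plain, challenge)   # grant or deny

class Provider:                                        # last resort access keys storage
    def __init__(self):
        self._store = {}                               # device_id -> record; TPM pub is held only wrapped
    def initialize(self, ihs, user_pub):
        auth_value, device_id = secrets.token_bytes(32), secrets.token_hex(8)
        entity_id, enc_tpm_pub = ihs.provision_key(auth_value, user_pub)
        self._store[device_id] = {"auth_value": auth_value, "entity_id": entity_id, "enc_tpm_pub": enc_tpm_pub}
        return device_id
    def lookup(self, device_id):                       # only after the customer has authenticated
        rec = self._store[device_id]
        rec["client_nonce"] = secrets.token_bytes(16)
        return rec["entity_id"], rec["enc_tpm_pub"], rec["client_nonce"]
    def session_code(self, device_id, tpm_nonce):
        rec = self._store[device_id]
        return session_code_for(rec["auth_value"], rec["client_nonce"], tpm_nonce)

def last_resort_access(ihs, provider, device_id, user_priv, with_provider=True):
    # Customer-side flow; user_priv=None or with_provider=False models one party acting alone.
    entity_id, enc_tpm_pub, client_nonce = provider.lookup(device_id)
    tpm_nonce, challenge = ihs.start_session(entity_id, client_nonce)
    code = provider.session_code(device_id, tpm_nonce) if with_provider else secrets.token_bytes(32)
    if user_priv is not None:
        tpm_n = int.from_bytes(rsa_decrypt(user_priv, enc_tpm_pub, 32), "big")
    else:
        tpm_n = rsa_keygen(256)[0][0]                  # cannot unwrap the real TPM key: can only guess one
    return ihs.finish_session(entity_id, code, rsa_encrypt((tpm_n, 65537), challenge))

def demo():                                            # (both parties, customer alone, provider alone)
    ihs, provider = InformationHandlingSystem(), Provider()
    user_pub, user_priv = rsa_keygen(512)
    device_id = provider.initialize(ihs, user_pub)
    return (last_resort_access(ihs, provider, device_id, user_priv),
            last_resort_access(ihs, provider, device_id, user_priv, with_provider=False),
            last_resort_access(ihs, provider, device_id, None))
```

Running demo() returns (True, False, False): the customer who holds the private key but no session code is refused because the simulated TPM will not use the key without it, and the provider who holds the authentication value but not the customer's private key cannot recover the TPM public key, so its encrypted challenge does not decrypt to the expected value. The session code covers both nonces, which is what ties it to one session as claim 5 requires; a code replayed with a different secure platform nonce fails the HMAC check. The RSA here is a stand-in with no padding and small moduli, chosen only so the script runs offline on Python 3.8 or later; a real deployment would use the TPM's own key types and authorization sessions.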

Assignees

Dell Products L.P.
Inventors

Classifications

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title

  • Access rights, e.g. capability lists, access control lists, access tables, access matrices · CPC title

  • Challenge-response · CPC title

  • using challenge-response · CPC title

  • G06F21/45 (primary): Structures or tools for the administration of authentication · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12216756B2 cover?
Presented herein are systems and methods for enabling and providing safe and secure last resort access to a computing system. Embodiments may leverage trusted platform modules that exist in information handling systems to provide a more convenient and more secure rescue account. In one or more embodiments, the last resort access may be based on federated approval from a vendor/provider and a c…
Who is the assignee on this patent?
Dell Products L.P.
What technology area does this patent fall under?
Primary CPC classification G06F21/45. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 4, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).