公开(公告)号：US20150319150A1

公开(公告)日：2015-11-05

申请号：US14618757

申请日：2015-02-10

Applicant: Intel Corporation

Inventor： Ned M. Smith ,  David Johnston ,  George W. Cox ,  Adi Shaliv

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L63/061 ,  H04L9/0822 ,  H04L9/0866 ,  H04L9/3231 ,  H04L63/0861 ,  H04L2209/127

Abstract: A method and device for securely provisioning trust anchors includes generating a database wrapper key as a function of computing device hardware. The database wrapper key encrypts a key database when it is not in use by a trusted execution environment and may be generated using a Physical Unclonable Function (PUF). A local computing device establishes a secure connection and security protocols with a remote computing device. In establishing the secure connection, the local computing device and remote computing device may exchange and/or authenticate cryptographic keys, including Enhanced Privacy Identification (EPID) keys, and establish a session key and device identifier(s). One or more trust anchors are then provisioned depending on whether unilateral, bilateral, or multilateral trust is established. The local computing device may act as a group or domain controller in establishing multilateral trust. Any of the devices may also require user presence to be verified.

Abstract translation: 用于安全地配置信任锚的方法和设备包括生成作为计算设备硬件的函数的数据库包装密钥。 数据库包装器密钥在密钥数据库不被可信执行环境使用时加密，并且可以使用物理不可克隆功能（PUF）生成密钥数据库。 本地计算设备与远程计算设备建立安全连接和安全协议。 在建立安全连接时，本地计算设备和远程计算设备可以交换和/或验证密码密钥，包括增强型隐私标识（EPID）密钥，并建立会话密钥和设备标识符。 根据单方面，双边或多边信托是否建立了一个或多个信托基金。 本地计算设备可以充当组或域控制器来建立多边信任。 任何设备也可能要求验证用户存在。