WO2011139135A1 - System and method for issuing endorsement key credential in trusted computing environment using local certificate authority - Google Patents

System and method for issuing endorsement key credential in trusted computing environment using local certificate authority Download PDF

Info

Publication number
WO2011139135A1
WO2011139135A1 PCT/MY2010/000242 MY2010000242W WO2011139135A1 WO 2011139135 A1 WO2011139135 A1 WO 2011139135A1 MY 2010000242 W MY2010000242 W MY 2010000242W WO 2011139135 A1 WO2011139135 A1 WO 2011139135A1
Authority
WO
WIPO (PCT)
Prior art keywords
local
certificate
vtpm
pca
party
Prior art date
Application number
PCT/MY2010/000242
Other languages
French (fr)
Inventor
Norazah Abd Aziz
Lucyantie Mazalan
Mohd Azuddin Parman
Putri Shahnim Khalid
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Publication of WO2011139135A1 publication Critical patent/WO2011139135A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present invention relates to trusted computing environment.
  • the invention relates to a system and method for issuing endorsement key (E ) credential in trusted computing environment having a local certificate authority.
  • E endorsement key
  • CA certificate authority or certification authority
  • Many CAs are available for issuing digital certificates. Some are commercial that charge for such services, while some offering such service to the public at no cost. Some institutions, governments and etc. may further adapt their own CAs for a trusted environment.
  • CA issues digital certificates that contain a public key and the identity of the owner. It requires a matching private key that is not available publicly, but kept secret with the end user to generate the key pair. The certificate is also an attestation from the CA that the public key contained in the certificate belongs to a particular person, organization, server or other entity noted in the certificate.
  • CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates.
  • CAs use a variety of standards and tests he can also verify that a certain public key does indeed belong to whoever identified in the certificate.
  • TPM trusted platform module
  • a system (100) for issuing endorsement key (EK) certificate comprises a trusted platform system (1 10) requesting for the EK certificate, the trusted platform system (1 10) having a virtual trusted platform module (vTPM) instance (122) and a local certification authority (CA) (124) managed under a hypervisor (1 12) of the trusted platform system (1 10); a third party privacy certification authority (PCA) (130) operationally connecting to the trusted platform system (1 10) through a secure channel (135), wherein the third party PCA (130) operationally issuing a CA certificate to valid local CA.
  • the local CA (124) requests a CA certificate from the third party PCA (130), and upon verified to be a valid local CA, the local CA signs and issues the EK certificate to the vTPM.
  • the local CA (124) issues the EK certificate to the vTPM instance (122) upon verifying identity of the vTPM instance (122) through a certification request that comprises a vTPM ID, a vTP EK public key and a vTPM Platform Certificate Information.
  • the system may further comprise a secure storage (132, 140) resides externally to the trusted platform system (1 10) and communicates with the trusted platform system (110) through a secure channel (135, 145), wherein the secure storage (132, 140) stores certificates and data related to the vTPM.
  • the system may further comprise a trusted platform module at a hardware layer.
  • the method comprises registering the local CA with the third party PCA to be a valid EK certificate issuer; signing issuing a local CA certificate from the third party PCA (130) to the local CA (124); receiving a EK certification request from the vTPM (122) to the local CA (124); and signing and issuing a EK certificate from tlie local CA (124) to the vTPM (122).
  • registering the local CA (123) comprises generating a local CA key pair having a local CA private key and a local CA public key; registering the local CA with the third Party PCA (130) by sending local CA certificate request to the third party PCA (130), tlie local CA certificate request comprises a local CA ID and tlie local CA public key; verifying existence of the local CA (122) from a local CA register resided at tlie third party PCA (130); and verifying validity of the local CA (124).
  • third Party PCA (130) signs the local CA public key thus creating a local CA certificate.
  • issuing the EK certificate may comprise generating a endorsement (EK) key pair having a EK private key and a EK public key by the vTPM Instance (122); generating a EK certificate request comprises a vTPM ID, a EK public key and a vTPM Instance platform certificate containing vTPM Instance platform information by the vTPM Instance (122); sending the EK certificate request to local CA (124); signing the EK certificate request with a local CA private key to create an EK certificate, wherein the EK certificate is created based on parameters of the EK certificate request; sending data to the third party PCA (130) for registering vTPM Instance platform, wherein the data include the EK certificate and a vTPM ID encrypted using a vTPM instance's EK private key; and storing the registration data of EK certificate and an enciypted vTPM ID in a secure storage (132) of the third party PCA (130)
  • the method further comprises validating
  • the validation may further comprises sending an attestation identity key (AIK) certificate request comprises the EK certificate and an AIK key from the vTPM instance (122) to the third party PCA (130); verifying existence of the EK certificate through the secure storage (132); decrypting the encrypted data stored at the secure storage (132) using the vTPM Instance public key to obtain the vTPM ID of the vTPM Instance; matching the vTMP instance (122) with the vTPMID to verify validity of the vTPM instance.
  • AIK attestation identity key
  • FIG. 1 illustrates a block diagram of a system according to one embodiment of the present invention
  • FIG. 2 is a flowchart illustrating a method for handling creation of EK credential in accordance with one embodiment of the present invention
  • FIG. 3 is a flow chart illustrating a process of generating Local CA certificate from the third party PCA of the system of FIG. 1 in accordance with one embodiment of the invention
  • FIG. 4 is a flow chart illustrating a process of generating vTPM
  • FIG. 5 is a flow chart illustrating a process for validating an EK certificate during attestation identity credential request in accordance with one embodiment of the present invention.
  • the present invention aims to provide a certificate authority (CA) that is made locally or natively in the same system, or more particularly, same platform and hypervisor layer as a virtual trusted platform module (vTPM).
  • the local CA can be an endorsement key (EK) certificate provider or issuer to the vTPM instance signing the certificate after verifying the vTPM Instance identity (ID) through a certificate request and an EK public key.
  • EK endorsement key
  • the system provides a platform with vTPM, it can be installed on any platform and is not tight to a manufacturer of the trusted platform module (TPM).
  • the present invention also provides a method for generating an
  • EK certificate of a vTPM that involves an establishment of a local CA own ID and verification from a third party PCA.
  • Local CA provides functionality intended to facilitate the vTPM instance by generating and signing EK certificate.
  • the functionality requires the vTPM instance to request EK certificate from the local CA by providing the necessary vTPM instance EK public key, vTPM ID and vTPM Platform Certificate containing the platform information.
  • the local CA signs the certificate request using local CA private key and once the certificate is successfully generated, The local CA returns the EK certificate to the vTPM Instance and keeps it in a secure storage.
  • the Local CA as a local trusted credential issuer needs to establish its own identity with a generation of Local CA certificate where the Local CA generates its Local CA key pair, obtaining the Local CA public key and send it together with the Local CA ID to Third Party PCA. Third Parry PCA will then sign the certificate request with its own private key and return the successfully generated Local CA certificate to the Local CA for future Local CA verification. All of these processes involve an Identity Manager that functions as a service to handle all request and respond communication between the vTPM Instance and Local CA components to other components outside the virtual hypervisor layer. In addition, all other communications are handled by a secure channel communication.
  • FIG. 1 illustrates a block diagram of a system 100 according to one embodiment of the present invention.
  • the system 100 comprises a trusted platform system 110, a third party privacy certification authority (PCA) 130 and a secure storage 140.
  • the third party PCA 130 may itself has a secure storage 132 therein. Both secure storage 132 and 140 are catered for storing certificates and data, such as keys, and device IDs.
  • the trusted machine 110 is connected to the third party PCA 130 and the secure storage 140 via respective secure channel 135 and 145.
  • the trusted machine 110 further comprises a host layer 112, a virtual hypervisor layer 114, and a host hardware layer 116 deployed thereon.
  • the host layer 112 is adapted for handling the virtual computing environment.
  • the host layer 112 further comprises an application 118 and an identity manager 120.
  • the virtual hypervisor layer 114 is provided for managing virtual platforms of the trusted platform system 110.
  • the virtual hypervisor layer 114 comprises a vTPM instance 122 and a local CA 124.
  • the vTPM instance 122 is a software based TPM that establishes the trusted environment through an endorsement key (EK) certificate.
  • the local CA 124 on the other hand is provided for issuing the EK certificate.
  • the host hardware layer 116 comprises a TPM 126.
  • the TPM 126 offers facilities allowing the system to work under a trusted environment.
  • the TPM 126 operationally ensures and maintains the trusted platform system 110 operates under the trusted environment. Other functions and structures of the TPM 126 are commonly known in the art and it would not be described herewith in details.
  • the third party PC A 130 and the secure storage 140 communicate with the trusted platform system 1 10 through the secure channels (135, 145). These communications is carried out through the identity manager 120.
  • the storage 132 of the third party PCA 130 and the secure storage 140 are responsible for storing certificates, the associated keys, certificate information such as expiry date, name, organization, etc.
  • the trusted platform system 110 also uses the identity manager 120 to manage the TPM 126 of the host hardware layer 116. Further, the identity manager 120 also communicates with the third party PCA 130 and the secure storage 140 which are resided externally to the trusted platform system 110 the respective secure channel 135, 145.
  • the trusted platform system 110 executes the local CA
  • the local CA 124 as it is loaded, and generates a request for local CA certificate.
  • the local CA 124 then communicates with the third party PCA 130 via the secure channel 135 for instigation, registration and generation of the Local CA Certificate.
  • the CA 124 is facilitated locally at the same platform and layer (i.e. the hypervisor layer 114) as the vTPM instance 122, thus, a local or native CA.
  • the local CA 124 issues the EK certificate to the vTPM instance 122 whereby the Local CA signs the certificate after verifying identity of the vTPM instance 122 through a certificate request that containing the vTPM ID, vTPM EK public key as well as vTPM Platform Certificate Information.
  • the Local CA 124 Prior to the EK certification, the Local CA 124 have to establish its own identity by first generating a local CA key pair and request for a local CA certificate from the third party PCA 130. The local CA certificate will then returned to the Local CA 124 certifying that it is a valid local EK certificate issuer to the vTPM Instance 122.
  • FIG. 2 is a flowchart illustrating a method for handling creation of EK credential in accordance with one embodiment of the present invention, which will be explained in conjunction with the system 100 of FIG. 1.
  • the method comprises executing the vTPM instance 122 and the local CA 124 at step 202; creating a local CA key pair by the local CA 124 and sending the public key at step 202; creating endorsement key pair by the vTPM instance 122 at step 206; generating certificate signing request (CSR) bundle at step 208; sending the CSR or local CA at step 210; generating EK certificate based on CSR parameters at step 212; sending EK certificate from local CA 124 to vTPM instance 122 at step 214; and storing EK certificate in secure storage via identity at step 216.
  • CSR certificate signing request
  • the trusted platform system 110 initiating the trusted environment by executing the vTPM instance 122 and the local CA 124.
  • the local CA 124 creates a local CA key pair comprises a private key and a public key.
  • the public key is then sent to the third party PCA 130 via the identity manager 120 requesting for a local CA certificate.
  • the public key is sent together with an ID of the local CA 124 as part of the local CA registration process.
  • the vTPM instance When the vTPM instance is instantiated, it creates an EK at the step 206. Following that, at the step 208, a CSR bundle is generated.
  • the CSR bundle includes a vTMP ID, a vTPM EK public key, and vTPM instance platform certificate.
  • the vTPM instance 122 sends the CSR bundle of the EK certificate to the local CA 124 via the identify manager 210.
  • the local CA Based on the given parameters, the local CA generates a unique EK certificate at the step 212.
  • the EK certificate is sent to the vTPM 122 via the identity manager 120 at the step 214 and the EK certificate is further sent to the secure storage 132 or 140 via the identity manager 120 for storage through secured channel 135 or 145. As mentioned, these communications and transmissions are carried out via the identity manager 120 as a centralized channel.
  • FIG. 3 is a flow chart illustrating a process of generating Local CA certificate from the third party PCA 130 of the system 100 in accordance with one embodiment of the invention.
  • the local CA 124 must be verified to be a trusted EK credential issuer registered with the third party PCA 130 in order to create the EK certificate locally.
  • the process comprises generating a local key pair at stepp 302; registering the local CA 124 with the third paity PCA 130 through sending request bundle at step 304; verifying existence of the local CA 124 based on a list of local CA entry at step 305; verifying validity of the local CA 124 at step 308; signing the local CA public key to create a local CA certificate at step 312; and returning the local CA certificate to the local CA 124 at step 314.
  • the local CA 124 generates a key pair comprises a CA private key and a CA public key.
  • the local CA 124 registers itself with the third party PCA at the step 304.
  • the registration is done through a request bundle comprises local CA ID and the local CA public key and the request bundle is sent through the identity manager 120 via the secure channel 135.
  • the local CA ID may comprise a random number generated by a random number generator (RNG), organization name and registration number, etc.
  • RNG random number generator
  • the third party PCA 130 verifies the existence of the local CA.
  • the third party PCA 130 maintains a list of registered local CA entries at the secure storage 132. The list also provides the type of the trusted platforms adapted by the local CA 124.
  • Each local CA 124 is identified based on a local CA ID.
  • the third party PCA 130 further verifies the validity of the local CA ID.
  • the Local CA ID is an unique identity that is generated once at the time of local CA installation.
  • the CA public key is also generated once for the signing process.
  • FIG. 4 is a flow chart illustrating a process of generating vTPM
  • the process comprises receiving an EK certificate request bundle form vTPM instance 122 by the local CA 124 at step 402; verifying signature on the request with vTPM EK public key 404, singing certificate request with the local CA private key at step 408; returning the EK certificate to vTPM instance at step 410; sending registration data to third part PCA for vTPM registration at step 412; and storing the registration data at the secure storage 132 of the third party PCA 130 at step 414.
  • the local CA 124 receives an EK certificate request bundle from the vTPM instance 122 to generate an EK certificate.
  • the vTPM instance 122 generates a unique EK key pair comprises a EK private key and EK public key.
  • the EK certificate request bundle comprises a vTPM ID, the EK public key, a vTPM instance's digital signature, vTPM platform information under a vTPM platform certificate mode.
  • the local CA 124 receives request bundles from the vTPM instance through the Identity Manager 120 to request for EK certificate.
  • the local CA 124 verifies the vTPM instance's signature bundled on the request bundle with vTPM EK public key.
  • the local CA 124 signs the EK certificate request at the step 408.
  • the EK certificate request is signed with the local CA private key to create an EK certificate for the vTPM instance 122 based on the parameters (i.e. vTPM ID and vTPM platform information) contained in the request bundle.
  • the local CA 124 returns the EK certificate to vTPM instance 122.
  • the vTPM instance may send data to the third party PCA 130 for registration therewith at step 412.
  • the data include EK certificate and encrypted vTPM ID.
  • the vTPM ID may be encrypted using the vTPM private key.
  • the third party PCA 130 keeps the data in the secure storage 132 for future vTPM Instance platform attestation process.
  • FIG. 5 is a flow chart illustrating a process for validating an EK certificate during attestation identity credential request in accordance with one embodiment of the present invention.
  • the process comprises sending EK certificate and an attestation identity key (AIK) to third party PCA for AIK certificate request at step 502; verifying existence of EK certificate against the secure storage 132 of the third party PCA 130 at step 504; decrypting data stored on the secure storage 132 with vTPM public key to obtain vTPM ID of the vTPM instance 122 at step 508, and determining whether the vTPM is a valid platform and whether the vTPM ID matched with that in the EK certificate at step 510.
  • the vTPM Instance 122 sends the EK certificate and the
  • the third party PCA 130 checks the existence of the EK certificate from the secure storage 132. If the EK certificate exists, at step 506, the third party PCA 130 decrypts the encrypted data stored on the secure storage 132. The decryption is carried out using the vTPM Instance's EK public key to obtain vTPM ID of the vTPM Instance 122 at the step 508. With the vTPM ID, the third parly PCA determines whether the vTPM instance has a valid platform and whether the vTPM ID matches the one in the EK certificate 510.

Abstract

The present invention provides a system (100) for issuing endorsement key (EK) certificate. The system comprises a trusted platform system (110) requesting for the EK certificate, the trusted platform system (1 10) having a virtual trusted platform module (vTPM) instance (122) and a local certification authority (CA) (124) managed under a hypervisor (1 12) of the trusted platform system (110); a third party privacy certification authority (PCA) (130) operationally connecting to the trusted platform system (110) through a secure channel (135), wherein the third party PCA (130) operationally issuing a CA certificate to valid local CA. Operationally, the local CA (124) requests a CA certificate from the third party PCA (130), and upon verified to be a valid local CA, the local CA signs and issues the EK certificate to the vTPM. A method of providing a trusted computing environment is also provided.

Description

SYSTE AND METHOD FOR ISSUING ENDORSEMENT KEY CREDENTIAL IN TRUSTED COMPUTING ENVIRONMENT USING LOCAL CERTIFICATE AUTHORITY
Field of the Invention [0001] The present invention relates to trusted computing environment. In particular, the invention relates to a system and method for issuing endorsement key (E ) credential in trusted computing environment having a local certificate authority.
Background
[0002] In cryptography, a certificate authority or certification authority (CA) issues digital certificates for allowing digital communications/transactions to be carried out under trusted environment. Many CAs are available for issuing digital certificates. Some are commercial that charge for such services, while some offering such service to the public at no cost. Some institutions, governments and etc. may further adapt their own CAs for a trusted environment. [0003] CA issues digital certificates that contain a public key and the identity of the owner. It requires a matching private key that is not available publicly, but kept secret with the end user to generate the key pair. The certificate is also an attestation from the CA that the public key contained in the certificate belongs to a particular person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests he can also verify that a certain public key does indeed belong to whoever identified in the certificate.
[0004] Existing implementation involves a platform manufacturer/manufacturer of trusted platform module (TPM) to produce an EK certificate to a TPM platform system. However, this method is not suitable for a virtual TPM environment whereby a local certificate authority is needed to produce EK certificate for a virtual TPM.
[0005] There exist possibilities of forgery of certificate authority if there is no proper method in handling the certification of the Local CA as a trusted entity.
Summary [0006] In one aspect of the present invention, there is provided a system (100) for issuing endorsement key (EK) certificate. The system comprises a trusted platform system (1 10) requesting for the EK certificate, the trusted platform system (1 10) having a virtual trusted platform module (vTPM) instance (122) and a local certification authority (CA) (124) managed under a hypervisor (1 12) of the trusted platform system (1 10); a third party privacy certification authority (PCA) (130) operationally connecting to the trusted platform system (1 10) through a secure channel (135), wherein the third party PCA (130) operationally issuing a CA certificate to valid local CA. Operationally, the local CA (124) requests a CA certificate from the third party PCA (130), and upon verified to be a valid local CA, the local CA signs and issues the EK certificate to the vTPM.
[0007] In one embodiment, the local CA (124) issues the EK certificate to the vTPM instance (122) upon verifying identity of the vTPM instance (122) through a certification request that comprises a vTPM ID, a vTP EK public key and a vTPM Platform Certificate Information.
[0008] In another embodiment, the system may further comprise a secure storage (132, 140) resides externally to the trusted platform system (1 10) and communicates with the trusted platform system (110) through a secure channel (135, 145), wherein the secure storage (132, 140) stores certificates and data related to the vTPM. The system may further comprise a trusted platform module at a hardware layer.
[0009] In another aspect of the present invention, there is also provided a method of providing a trusted computing environment for a trusted platform system (1 10) connecting to a third party PCA (130) via a secured channel (135), wherein tlie trusted platform having a virtual TPM (122) and a local CA (124). The method comprises registering the local CA with the third party PCA to be a valid EK certificate issuer; signing issuing a local CA certificate from the third party PCA (130) to the local CA (124); receiving a EK certification request from the vTPM (122) to the local CA (124); and signing and issuing a EK certificate from tlie local CA (124) to the vTPM (122).
[0010] In one embodiment, registering the local CA (123) comprises generating a local CA key pair having a local CA private key and a local CA public key; registering the local CA with the third Party PCA (130) by sending local CA certificate request to the third party PCA (130), tlie local CA certificate request comprises a local CA ID and tlie local CA public key; verifying existence of the local CA (122) from a local CA register resided at tlie third party PCA (130); and verifying validity of the local CA (124). When the local CA (124) is verified to be exist and valid through the third party PCA, third Party PCA (130) signs the local CA public key thus creating a local CA certificate.
[0011] In a further embodiment, issuing the EK certificate may comprise generating a endorsement (EK) key pair having a EK private key and a EK public key by the vTPM Instance (122); generating a EK certificate request comprises a vTPM ID, a EK public key and a vTPM Instance platform certificate containing vTPM Instance platform information by the vTPM Instance (122); sending the EK certificate request to local CA (124); signing the EK certificate request with a local CA private key to create an EK certificate, wherein the EK certificate is created based on parameters of the EK certificate request; sending data to the third party PCA (130) for registering vTPM Instance platform, wherein the data include the EK certificate and a vTPM ID encrypted using a vTPM instance's EK private key; and storing the registration data of EK certificate and an enciypted vTPM ID in a secure storage (132) of the third party PCA (130).
[0012] In yet a further embodiment, the method further comprises validating
EK certificate during an attestation identity credential request. The validation may further comprises sending an attestation identity key (AIK) certificate request comprises the EK certificate and an AIK key from the vTPM instance (122) to the third party PCA (130); verifying existence of the EK certificate through the secure storage (132); decrypting the encrypted data stored at the secure storage (132) using the vTPM Instance public key to obtain the vTPM ID of the vTPM Instance; matching the vTMP instance (122) with the vTPMID to verify validity of the vTPM instance. Brief Description of the Drawings
[0013] This invention will be described by way of non-limiting embodiments of the present invention, with reference to the accompanying drawings, in which:
[0014] FIG. 1 illustrates a block diagram of a system according to one embodiment of the present invention;
[0015] FIG. 2 is a flowchart illustrating a method for handling creation of EK credential in accordance with one embodiment of the present invention;
[0016] FIG. 3 is a flow chart illustrating a process of generating Local CA certificate from the third party PCA of the system of FIG. 1 in accordance with one embodiment of the invention;
[0017] FIG. 4 is a flow chart illustrating a process of generating vTPM
Instance EK certificate by local CA in accordance with one embodiment of the present invention: and
[0018] FIG. 5 is a flow chart illustrating a process for validating an EK certificate during attestation identity credential request in accordance with one embodiment of the present invention.
Detailed Description
[0019] In line with the above summary, the following description of a number of specific and alternative embodiments are provided to understand the inventive features of the present invention. It shall be apparent to one skilled in the art, however that this invention may be practiced without such specific details. Some of the details may not be described at length so as not to obscure the invention. For ease of reference, common reference numerals will be used throughout the figures when referring to the same or similar features common to the figures.
[0020] The present invention aims to provide a certificate authority (CA) that is made locally or natively in the same system, or more particularly, same platform and hypervisor layer as a virtual trusted platform module (vTPM). The local CA can be an endorsement key (EK) certificate provider or issuer to the vTPM instance signing the certificate after verifying the vTPM Instance identity (ID) through a certificate request and an EK public key. As the system provides a platform with vTPM, it can be installed on any platform and is not tight to a manufacturer of the trusted platform module (TPM).
[0021] Further, the present invention also provides a method for generating an
EK certificate of a vTPM that involves an establishment of a local CA own ID and verification from a third party PCA. Local CA provides functionality intended to facilitate the vTPM instance by generating and signing EK certificate. The functionality requires the vTPM instance to request EK certificate from the local CA by providing the necessary vTPM instance EK public key, vTPM ID and vTPM Platform Certificate containing the platform information. The local CA signs the certificate request using local CA private key and once the certificate is successfully generated, The local CA returns the EK certificate to the vTPM Instance and keeps it in a secure storage.
[0022] Prior to this, the Local CA as a local trusted credential issuer needs to establish its own identity with a generation of Local CA certificate where the Local CA generates its Local CA key pair, obtaining the Local CA public key and send it together with the Local CA ID to Third Party PCA. Third Parry PCA will then sign the certificate request with its own private key and return the successfully generated Local CA certificate to the Local CA for future Local CA verification. All of these processes involve an Identity Manager that functions as a service to handle all request and respond communication between the vTPM Instance and Local CA components to other components outside the virtual hypervisor layer. In addition, all other communications are handled by a secure channel communication.
[0023] FIG. 1 illustrates a block diagram of a system 100 according to one embodiment of the present invention. The system 100 comprises a trusted platform system 110, a third party privacy certification authority (PCA) 130 and a secure storage 140. The third party PCA 130 may itself has a secure storage 132 therein. Both secure storage 132 and 140 are catered for storing certificates and data, such as keys, and device IDs. The trusted machine 110 is connected to the third party PCA 130 and the secure storage 140 via respective secure channel 135 and 145. The trusted machine 110 further comprises a host layer 112, a virtual hypervisor layer 114, and a host hardware layer 116 deployed thereon. The host layer 112 is adapted for handling the virtual computing environment. A discrete layer may be required if another virtual platform is required for better security. The host layer 112 further comprises an application 118 and an identity manager 120. The virtual hypervisor layer 114 is provided for managing virtual platforms of the trusted platform system 110. The virtual hypervisor layer 114 comprises a vTPM instance 122 and a local CA 124. The vTPM instance 122 is a software based TPM that establishes the trusted environment through an endorsement key (EK) certificate. The local CA 124 on the other hand is provided for issuing the EK certificate. The host hardware layer 116 comprises a TPM 126. The TPM 126 offers facilities allowing the system to work under a trusted environment. The TPM 126 operationally ensures and maintains the trusted platform system 110 operates under the trusted environment. Other functions and structures of the TPM 126 are commonly known in the art and it would not be described herewith in details.
[0024] The third party PC A 130 and the secure storage 140 communicate with the trusted platform system 1 10 through the secure channels (135, 145). These communications is carried out through the identity manager 120. The storage 132 of the third party PCA 130 and the secure storage 140 are responsible for storing certificates, the associated keys, certificate information such as expiry date, name, organization, etc.
[0025] Still referring to FIG. 1, all communications between the vTPM
Instance 122 and the local CA 124 with other components beyond the virtual hypervisor layer 114 are managed through the identity manager 120 as a service manager. Similarly, The trusted platform system 110 also uses the identity manager 120 to manage the TPM 126 of the host hardware layer 116. Further, the identity manager 120 also communicates with the third party PCA 130 and the secure storage 140 which are resided externally to the trusted platform system 110 the respective secure channel 135, 145.
[0026] Operationally, the trusted platform system 110 executes the local CA
124 as it is loaded, and generates a request for local CA certificate. The local CA 124 then communicates with the third party PCA 130 via the secure channel 135 for instigation, registration and generation of the Local CA Certificate.
[0027] In the present embodiment, the CA 124 is facilitated locally at the same platform and layer (i.e. the hypervisor layer 114) as the vTPM instance 122, thus, a local or native CA. The local CA 124 issues the EK certificate to the vTPM instance 122 whereby the Local CA signs the certificate after verifying identity of the vTPM instance 122 through a certificate request that containing the vTPM ID, vTPM EK public key as well as vTPM Platform Certificate Information. Prior to the EK certification, the Local CA 124 have to establish its own identity by first generating a local CA key pair and request for a local CA certificate from the third party PCA 130. The local CA certificate will then returned to the Local CA 124 certifying that it is a valid local EK certificate issuer to the vTPM Instance 122.
[0028] FIG. 2 is a flowchart illustrating a method for handling creation of EK credential in accordance with one embodiment of the present invention, which will be explained in conjunction with the system 100 of FIG. 1. The method comprises executing the vTPM instance 122 and the local CA 124 at step 202; creating a local CA key pair by the local CA 124 and sending the public key at step 202; creating endorsement key pair by the vTPM instance 122 at step 206; generating certificate signing request (CSR) bundle at step 208; sending the CSR or local CA at step 210; generating EK certificate based on CSR parameters at step 212; sending EK certificate from local CA 124 to vTPM instance 122 at step 214; and storing EK certificate in secure storage via identity at step 216. [0029] At the step 202, the trusted platform system 110 initiating the trusted environment by executing the vTPM instance 122 and the local CA 124. At the step 204, the local CA 124 creates a local CA key pair comprises a private key and a public key. The public key is then sent to the third party PCA 130 via the identity manager 120 requesting for a local CA certificate. The public key is sent together with an ID of the local CA 124 as part of the local CA registration process. When the vTPM instance is instantiated, it creates an EK at the step 206. Following that, at the step 208, a CSR bundle is generated. The CSR bundle includes a vTMP ID, a vTPM EK public key, and vTPM instance platform certificate. Then, at the step 210, the vTPM instance 122 sends the CSR bundle of the EK certificate to the local CA 124 via the identify manager 210. Based on the given parameters, the local CA generates a unique EK certificate at the step 212. The EK certificate is sent to the vTPM 122 via the identity manager 120 at the step 214 and the EK certificate is further sent to the secure storage 132 or 140 via the identity manager 120 for storage through secured channel 135 or 145. As mentioned, these communications and transmissions are carried out via the identity manager 120 as a centralized channel.
[0030] FIG. 3 is a flow chart illustrating a process of generating Local CA certificate from the third party PCA 130 of the system 100 in accordance with one embodiment of the invention. In this process, the local CA 124 must be verified to be a trusted EK credential issuer registered with the third party PCA 130 in order to create the EK certificate locally. The process comprises generating a local key pair at stepp 302; registering the local CA 124 with the third paity PCA 130 through sending request bundle at step 304; verifying existence of the local CA 124 based on a list of local CA entry at step 305; verifying validity of the local CA 124 at step 308; signing the local CA public key to create a local CA certificate at step 312; and returning the local CA certificate to the local CA 124 at step 314.
[0031] At the step 302, the local CA 124 generates a key pair comprises a CA private key and a CA public key. The local CA 124 then registers itself with the third party PCA at the step 304. The registration is done through a request bundle comprises local CA ID and the local CA public key and the request bundle is sent through the identity manager 120 via the secure channel 135. The local CA ID may comprise a random number generated by a random number generator (RNG), organization name and registration number, etc. At the step 305, the third party PCA 130 verifies the existence of the local CA. The third party PCA 130 maintains a list of registered local CA entries at the secure storage 132. The list also provides the type of the trusted platforms adapted by the local CA 124. Each local CA 124 is identified based on a local CA ID. When the local CA 124 is identified to be present in the list at step 306, the third party PCA 130 further verifies the validity of the local CA ID. The Local CA ID is an unique identity that is generated once at the time of local CA installation. Similarly, the CA public key is also generated once for the signing process. These local CA ID and CA public key are stored at the secured storage 132 or 145.
[0032] When the local CA 124 is identified as valid CA at step 310, the third party PCA 130 signs the local CA public key to create a local CA certificate at the step 312. The local CA certificate is sent to the local CA 124 at the step 314. When either of the verification 306 or 310 fails, the entire certification process shall cease to proceed further. Similarly, the identity manager 120 is used for all communications between the third party PCA 130 and the local CA 124. [0033] FIG. 4 is a flow chart illustrating a process of generating vTPM
Instance EK certificate by local CA 124 in accordance with one embodiment of the present invention. The process comprises receiving an EK certificate request bundle form vTPM instance 122 by the local CA 124 at step 402; verifying signature on the request with vTPM EK public key 404, singing certificate request with the local CA private key at step 408; returning the EK certificate to vTPM instance at step 410; sending registration data to third part PCA for vTPM registration at step 412; and storing the registration data at the secure storage 132 of the third party PCA 130 at step 414. [003 ] At the step 402, the local CA 124 receives an EK certificate request bundle from the vTPM instance 122 to generate an EK certificate. To enable the EK certificate generation, the vTPM instance 122 generates a unique EK key pair comprises a EK private key and EK public key. The EK certificate request bundle comprises a vTPM ID, the EK public key, a vTPM instance's digital signature, vTPM platform information under a vTPM platform certificate mode. At the step 404, the local CA 124 receives request bundles from the vTPM instance through the Identity Manager 120 to request for EK certificate. The local CA 124 verifies the vTPM instance's signature bundled on the request bundle with vTPM EK public key. When the vTPM instance's signature is verified to be valid at step 406, the local CA 124 signs the EK certificate request at the step 408. The EK certificate request is signed with the local CA private key to create an EK certificate for the vTPM instance 122 based on the parameters (i.e. vTPM ID and vTPM platform information) contained in the request bundle. At the step 410, the local CA 124 returns the EK certificate to vTPM instance 122. Accordingly, the vTPM instance may send data to the third party PCA 130 for registration therewith at step 412. The data include EK certificate and encrypted vTPM ID. The vTPM ID may be encrypted using the vTPM private key. At the step 414, the third party PCA 130 keeps the data in the secure storage 132 for future vTPM Instance platform attestation process. Once again, all communications between the vTPM instance 122 and the local CA 124 as well as with the
[0035] FIG. 5 is a flow chart illustrating a process for validating an EK certificate during attestation identity credential request in accordance with one embodiment of the present invention. The process comprises sending EK certificate and an attestation identity key (AIK) to third party PCA for AIK certificate request at step 502; verifying existence of EK certificate against the secure storage 132 of the third party PCA 130 at step 504; decrypting data stored on the secure storage 132 with vTPM public key to obtain vTPM ID of the vTPM instance 122 at step 508, and determining whether the vTPM is a valid platform and whether the vTPM ID matched with that in the EK certificate at step 510. [0036] At the step 502, the vTPM Instance 122 sends the EK certificate and the
AIK key to the third party PCA 130 for requesting an AIK certificate. At the step 504, the third party PCA 130 checks the existence of the EK certificate from the secure storage 132. If the EK certificate exists, at step 506, the third party PCA 130 decrypts the encrypted data stored on the secure storage 132. The decryption is carried out using the vTPM Instance's EK public key to obtain vTPM ID of the vTPM Instance 122 at the step 508. With the vTPM ID, the third parly PCA determines whether the vTPM instance has a valid platform and whether the vTPM ID matches the one in the EK certificate 510. [0037} While the present invention has been described with reference to particular embodiments, it will be understood that the embodiments are illustrative and that the invention scope is not so limited. Alternative embodiments of the present invention will become appaient to those having ordinary skill in the ait to which the present invention pertains. Such alternate embodiments are considered to be encompassed within the scope of the present invention. Accordingly, the scope of the present invention is defined by the appended claims and is supported by the foregoing description

Claims

Claims
1. A system (100) for issuing endorsement key (EK) certificate, the system comprising: a trusted platform system (110) requesting for the EK certificate, the trusted platform system (110) having a virtual trusted platform module (vTPM) instance (122) and a local certification authority (CA) (124) managed under a hypervisor (112) of the trusted platform system (1 10); and a third party privacy certification authority (PCA) (130) operationally connecting to the trusted platform system (110) through a secure channel (135), wherein the third party PCA (130) operationally issuing a CA certificate to valid local CA, wherein, operationally, the local CA (124) requests a CA certificate from the third party PCA (130), and upon verified to be a valid local CA, the local CA signs and issues the EK certificate to the vTPM.
2. The system (100) according to 1 , wherein the local CA (124) issues the EK certificate to the vTPM instance (122) upon verifying identity of the vTPM instance (122) through a certification request that comprises a vTPM ID, a vTPM EK public key and a vTPM Platform Certificate Information.
3. The system (100) according to claim 1, further comprises a secure storage (132, 140) resides externally to the trusted platform system (1 10) and communicates with the trusted platform system (1 10) tlnough a secure channel (135, 145), wherein the secure storage (132, 140) stores certificates and data related to the vTPM.
4. The system (100) according to claim 1 , further comprises a trusted platform module at a hardware layer.
5. A method of providing a busted computing environment for a trusted platform system (110) connecting to a third party PCA (130) via a secured channel (135), wherein the trusted platform having a virtual TPM (122) and a local CA (124), the method comprising: registering the local CA with the third party PCA to be a valid EK certificate issuer; signing issuing a local CA certificate from the third party PCA (130) to the local CA (124); receiving a EK certification request from the vTPM (122) to the local CA (124); and signing and issuing a EK certificate from the local CA ( 124) to the vTPM ( 122).
6. The method of claim 5, wherein registering the local CA (123) further comprising: generating a local CA key pair having a local CA private key and a local CA public key; registering the local CA with the third Party PCA (130) by sending local CA certificate request to the tliird party PCA (130), the local CA certificate request comprises a local CA ID and the local CA public key; verifying existence of the local CA (122) from a local CA register resided at the third party PCA (130); verifying validity of the local CA (124); and wherein when the local CA (124) is verified to be exist and valid through the third party PCA, third Party PCA (130) signs the local CA public key thus creating a local CA certificate.
7. The method of claim 5, wherein issuing the EK certificate comprising: generating a endorsement (EK) key pair having a EK private key and a EK public key by the vTPM Instance (122); generating a EK certificate request comprises a vTPM ID, a EK public key and a vTPM Instance platform certificate containing vTPM Instance platform information by the vTPM Instance ( 122); sending the EK certificate request to local CA (124); signing the EK certificate request with a local CA private key to create an EK certificate, wherein the EK certificate is created based on paiameters of the EK certificate request; sending data to the third party PCA (130) for registering vTPM Instance platform, wherein the data include the EK certificate and a vTPM ID encrypted using a vTPM instance's EK private key; and storing the registration data of EK certificate and an encrypted vTPM ID in a secure storage ( 132) of the third party PCA (130).
8. The method of claim 7, further comprises validating EK certificate during an attestation identity credential request.
9. The method of claim 8, wherein the validation of EK certificate comprising: sending an attestation identity key (AIK) certificate request comprises the EK certificate and an AIK key from the vTPM instance (122) to the third party PCA (130); verifying existence of the EK certificate through the secure storage (132); decrypting the encrypted data stored at the secure storage (132) using the vTPM Instance public key to obtain the vTPM ID of the vTPM Instance; and matching the vTMP instance (122) with the vTPMID to verify validity of the vTPM instance.
PCT/MY2010/000242 2010-05-07 2010-10-29 System and method for issuing endorsement key credential in trusted computing environment using local certificate authority WO2011139135A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2010002125 2010-05-07
MYPI2010002125 MY151315A (en) 2010-05-07 2010-05-07 System and method for issuing endorsement key credential in trusted computing environment using local certificate authority

Publications (1)

Publication Number Publication Date
WO2011139135A1 true WO2011139135A1 (en) 2011-11-10

Family

ID=44903857

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2010/000242 WO2011139135A1 (en) 2010-05-07 2010-10-29 System and method for issuing endorsement key credential in trusted computing environment using local certificate authority

Country Status (2)

Country Link
MY (1) MY151315A (en)
WO (1) WO2011139135A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014197153A1 (en) * 2013-06-07 2014-12-11 Qualcomm Incorporated Apparatus and method for provisioning an endorsement key certificate for a firmware trusted platform module
US9846773B2 (en) 2012-12-20 2017-12-19 Telefonaktiebolaget Lm Ericsson (Publ) Technique for enabling a client to provide a server entity
WO2019013886A1 (en) * 2017-07-13 2019-01-17 Microsoft Technology Licensing, Llc Key attestation statement generation providing device anonymity
US20210243030A1 (en) * 2020-01-30 2021-08-05 Dell Products L.P. Systems And Methods To Cryptographically Verify An Identity Of An Information Handling System
US20210281561A1 (en) * 2020-03-09 2021-09-09 International Business Machines Corporation Certification for connection of virtual communication endpoints
CN114598479A (en) * 2022-03-29 2022-06-07 南京邮电大学 Face recognition privacy protection identity authentication method based on zero-knowledge proof
US11604880B2 (en) 2020-02-25 2023-03-14 Dell Products L.P. Systems and methods to cryptographically verify information handling system configuration
CN117395655A (en) * 2023-12-12 2024-01-12 国网智能电网研究院有限公司 5G MEC trusted certificate chain extension method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060020781A1 (en) * 2004-06-24 2006-01-26 Scarlata Vincent R Method and apparatus for providing secure virtualization of a trusted platform module
US20070016801A1 (en) * 2005-07-12 2007-01-18 Bade Steven A Method, apparatus, and product for establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform
US20090169012A1 (en) * 2007-12-29 2009-07-02 Smith Ned M Virtual tpm key migration using hardware keys

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060020781A1 (en) * 2004-06-24 2006-01-26 Scarlata Vincent R Method and apparatus for providing secure virtualization of a trusted platform module
US20070016801A1 (en) * 2005-07-12 2007-01-18 Bade Steven A Method, apparatus, and product for establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform
US20090169012A1 (en) * 2007-12-29 2009-07-02 Smith Ned M Virtual tpm key migration using hardware keys

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9846773B2 (en) 2012-12-20 2017-12-19 Telefonaktiebolaget Lm Ericsson (Publ) Technique for enabling a client to provide a server entity
WO2014197153A1 (en) * 2013-06-07 2014-12-11 Qualcomm Incorporated Apparatus and method for provisioning an endorsement key certificate for a firmware trusted platform module
US9100192B2 (en) 2013-06-07 2015-08-04 Qualcomm Incorporated Apparatus and method for provisioning an endorsement key certificate for a firmware trusted platform module
RU2763516C2 (en) * 2017-07-13 2021-12-30 МАЙКРОСОФТ ТЕКНОЛОДЖИ ЛАЙСЕНСИНГ, ЭлЭлСи Generating key attestation certificate with ensuring anonymity of device
AU2018299716B2 (en) * 2017-07-13 2023-09-21 Microsoft Technology Licensing, Llc Key attestation statement generation providing device anonymity
US10819696B2 (en) 2017-07-13 2020-10-27 Microsoft Technology Licensing, Llc Key attestation statement generation providing device anonymity
WO2019013886A1 (en) * 2017-07-13 2019-01-17 Microsoft Technology Licensing, Llc Key attestation statement generation providing device anonymity
CN110892672B (en) * 2017-07-13 2023-10-20 微软技术许可有限责任公司 Key authentication assertion generation providing device anonymity
CN110892672A (en) * 2017-07-13 2020-03-17 微软技术许可有限责任公司 Key authentication assertion generation to provide device anonymity
IL271812B1 (en) * 2017-07-13 2023-09-01 Microsoft Technology Licensing Llc Key attestation statement generation providing device anonymity
US20210243030A1 (en) * 2020-01-30 2021-08-05 Dell Products L.P. Systems And Methods To Cryptographically Verify An Identity Of An Information Handling System
US11909882B2 (en) * 2020-01-30 2024-02-20 Dell Products L.P. Systems and methods to cryptographically verify an identity of an information handling system
US11604880B2 (en) 2020-02-25 2023-03-14 Dell Products L.P. Systems and methods to cryptographically verify information handling system configuration
US20210281561A1 (en) * 2020-03-09 2021-09-09 International Business Machines Corporation Certification for connection of virtual communication endpoints
CN114598479A (en) * 2022-03-29 2022-06-07 南京邮电大学 Face recognition privacy protection identity authentication method based on zero-knowledge proof
CN117395655A (en) * 2023-12-12 2024-01-12 国网智能电网研究院有限公司 5G MEC trusted certificate chain extension method and system
CN117395655B (en) * 2023-12-12 2024-03-08 国网智能电网研究院有限公司 5G MEC trusted certificate chain extension method and system

Also Published As

Publication number Publication date
MY151315A (en) 2014-05-15

Similar Documents

Publication Publication Date Title
Camenisch et al. Anonymous attestation using the strong diffie hellman assumption revisited
CN109150548B (en) Digital certificate signing and signature checking method and system and digital certificate system
US9350555B2 (en) Method and system for signing and authenticating electronic documents via a signature authority which may act in concert with software controlled by the signer
CN103685138B (en) The authentication method of the Android platform application software that mobile interchange is online and system
US10567370B2 (en) Certificate authority
WO2011139135A1 (en) System and method for issuing endorsement key credential in trusted computing environment using local certificate authority
CN107493291B (en) Identity authentication method and device based on Secure Element (SE)
CN110677376B (en) Authentication method, related device and system and computer readable storage medium
CN106341232B (en) A kind of anonymous entity discrimination method based on password
WO2009028794A2 (en) Method for providing anonymous public key infrastructure and method for providing service using the same
CN108696360A (en) A kind of CA certificate distribution method and system based on CPK keys
US20160323114A1 (en) Temporal key generation and pki gateway
GB2398713A (en) Anonymous access to online services for users registered with a group membership authority
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
CN104012036A (en) Combined digital certificate
CN113364597A (en) Privacy information proving method and system based on block chain
US20030110383A1 (en) Methods and apparatus for computationally-efficient generation of secure digital signatures
LU93150B1 (en) Method for providing secure digital signatures
JP5380368B2 (en) IC chip issuing system, IC chip issuing method, and IC chip issuing program
CN116707983A (en) Authorization authentication method and device, access authentication method and device, equipment and medium
KR101371054B1 (en) Method for digital signature and authenticating the same based on asymmetric-key generated by one-time_password and signature password
JP2010028689A (en) Server, method, and program for providing open parameter, apparatus, method, and program for performing encoding process, and apparatus, method, and program for executing signature process
CN115037480A (en) Method, device, equipment and storage medium for equipment authentication and verification
US9281947B2 (en) Security mechanism within a local area network
CN114329610A (en) Block chain privacy identity protection method, device, storage medium and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10851102

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10851102

Country of ref document: EP

Kind code of ref document: A1