Patent · US Active

Token binding using trust module protected keys

US10142107B2 · kind B2 · utility

Cited by: 4
References: 9
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Dec 31, 2015
Grant date: Nov 27, 2018
Priority date
Expiry date: Jun 3, 2036

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/061
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Binding a security token to a client token binder, such as a trusted platform module, is provided. A bound security token can only be used on the client on which it was obtained. A secret binding key (kbind) is established between the client and an STS. The client derives a key (kmac) from kbind, signs a security token request with kmac, and instructs the STS to bind the requested security token to kbind. The STS validates the request by deriving kmac using a client-provided nonce and kbind to MAC the message and compare the MAC values. If the request is validated, the STS generates a response comprising the requested security token, derives two keys from kbind: one to sign the response and one to encrypt the response, and sends the response to the client. Only a device comprising kbind is enabled to use the bound security token, providing increased security.
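The exchange in the abstract, sketched as an added example that is not taken from the patent. The HMAC-SHA256 key derivation, the labels, the server nonce, the message fields and the stand-in cipher are all assumptions, since the abstract names no algorithms.

```python
import hashlib, hmac, os

def derive(kbind: bytes, label: bytes, nonce: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256(kbind, label | nonce). The abstract names no KDF.
    return hmac.new(kbind, label + b"|" + nonce, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the sketch needs only
    # the standard library; a deployment would use a vetted AEAD here.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = mac(key, i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_request(kbind: bytes, key_id: str, body: bytes) -> dict:
    # On a real client kbind stays inside the trust module; it is held in
    # process memory here only for illustration.
    nonce = os.urandom(16)
    kmac = derive(kbind, b"mac", nonce)
    return {"key_id": key_id, "nonce": nonce, "body": body, "mac": mac(kmac, body)}

def sts_handle(key_store: dict, req: dict):
    kbind = key_store.get(req["key_id"])
    if kbind is None:
        return None
    expected = mac(derive(kbind, b"mac", req["nonce"]), req["body"])
    if not hmac.compare_digest(expected, req["mac"]):
        return None  # request was not MACed with a key derived from kbind
    snonce = os.urandom(16)  # assumed: fresh server nonce per response
    token = b"bound-token-for:" + req["key_id"].encode()  # constructed token
    ct = xor_stream(derive(kbind, b"enc", snonce), token)
    return {"nonce": snonce, "ct": ct, "sig": mac(derive(kbind, b"sign", snonce), ct)}

def client_open(kbind: bytes, resp: dict):
    sig_ok = hmac.compare_digest(mac(derive(kbind, b"sign", resp["nonce"]), resp["ct"]), resp["sig"])
    if not sig_ok:
        return None  # response not produced by a holder of kbind
    return xor_stream(derive(kbind, b"enc", resp["nonce"]), resp["ct"])
```

A party that copies the response but does not hold kbind can neither verify nor decrypt it, which is the property the abstract relies on.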

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.