WO2016137517A1 - Manufacturer-signed digital certificate for identifying a client system - Google Patents

Info

Publication number: WO2016137517A1
Authority: WO (WIPO, PCT)
Prior art keywords: client, digital certificate, manufacturer, client system, enrollment
Application number: PCT/US2015/018178
Other languages: French (fr)
Inventors: Tom Laffey, Manny Novoa
Original assignee: Hewlett Packard Enterprise Development LP

Classifications

    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE)
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                    • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                        • H04L9/0825 using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY (G PHYSICS; G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS)
        • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system

Definitions

  • digital certificates, which are used to prove ownership of a cryptographic public key, also have uses as a trusted form of digital identification.
  • a particular digital certificate may, for example, serve to identify the origin of an electronic communication (e.g., e-mail signed by the sender's digital certificate), the origin of a piece of software (e.g., a software executable or software driver signed using the software developer's digital certificate), or a computing device (e.g., a computer system including a digital certificate signed by its manufacturer), such as a laptop, desktop computer, smartphone, tablet, networking device, and the like.
  • a digital certificate includes an owner's identification information (e.g., name, address, etc.) and the digital signature of an entity (e.g., a certificate authority, manufacturer, or the like that signs the digital certificate) that has verified the accuracy of the information (e.g., the owner's identification information) contained in the digital certificate.
  • a third party reviewing the certificate can confirm the validity of the certificate with the entity signing the certificate. Once validated, the third party is intended to base its trust of the certificate on the trustworthiness of the entity signing the certificate.
  • FIG. 1 illustrates an example environment including an example client system in communication with an example server system.
  • FIGs. 2 and 3 illustrate example server systems.
  • FIGs. 4-8 illustrate example client systems.
  • FIGs. 8-10 illustrate example methods performed by an example client system to facilitate generation of a manufacturer-signed digital certificate.
  • FIGs. 11 and 12 illustrate example methods performed by an example server system to facilitate generation of a manufacturer-signed digital certificate.
  • a computing device can be processed during its manufacture to include a manufacturer-signed digital certificate associated with the computing device, which can serve as a trusted form of identification for the computing device.
  • the process typically involves generating and installing the manufacturer-signed digital certificate at some point during manufacture of the computing device (e.g., before the computing device is shipped to a retailer or customer), which adds to the manufacture time of the computing device.
  • while additional manufacture time may be feasible or acceptable in some instances where the computing device is manufactured in low quantities (e.g., high-margin computing devices), the additional manufacture time may have a considerable impact (e.g., in terms of time, cost, and process implementation) when manufacturing computing devices at scale.
  • This disclosure describes example techniques for generating a manufacturer-signed digital certificate for a client system after the client system has exited manufacturing, which may then be provided to the client system for installation and use by the client system.
  • Various examples described herein facilitate generation of a manufacturer-signed digital certificate for a client system after the client system has been received by a customer (e.g., at the customer's premises), and may further enable the manufacturer-signed digital certificate to be generated based on (e.g., to include) information relating to the customer, such as the customer's name (e.g., individual's or organization's name), address, and contact information.
  • Some examples described herein permit a manufacturer of a client system to generate a manufacturer-signed digital certificate for the client system using the manufacturer's own certificate signature infrastructure (e.g., Public Key Infrastructure [PKI]).
  • the manufacturer-signed digital certificate can be generated by the manufacturer with an acceptable amount of assurance that the client system is what it purports to be, despite the client system having left the manufacturer's possession.
  • although operations are described herein as being performed after the client system has left the manufacturing facility, it will be understood that in some examples those operations can be performed before such an event (e.g., during a late manufacturing stage).
  • Various examples facilitate generation of a manufacturer-signed certificate for a client system by first capturing data relating to a cryptoprocessor of the client system before the client system leaves the manufacturer's facility. For instance, the data may be captured while the client system is being manufactured and has at least reached an operational state.
  • the cryptoprocessor of the client system can include one that is separate from the primary processor of the client system. Additionally, in some examples, the cryptoprocessor is one included in a Trusted Platform Module (TPM) of the client system, and the captured data may comprise a TPM-related certificate, such as a TPM Endorsement Key (EK) certificate.
  • the captured data relating to the cryptoprocessor is data not readily visible to a user (e.g., customer) of the client system.
  • the captured data is stored on a datastore separate from the client system for future retrieval and use by a server system (e.g., administered by the manufacturer) that can service requests by the client system for a manufacturer-signed digital certificate.
  • the client system may also provide the server system with client certificate enrollment data that the client system generated in connection with its request.
  • the client certificate enrollment data is generated based on the same cryptoprocessor-related data captured before the client system's departure from the manufacturer's facility.
  • the server system can compare the client certificate enrollment data to the cryptoprocessor-related data stored on the datastore. Based on the comparison, the server system can confirm that the client system is the device it purports to be and proceed with generation of the manufacturer-signed digital certificate for the client system.
  • data captured or generated prior to a client system enrolling for a manufacturer-signed digital certificate may be regarded as pre-enrollment data, while data captured or generated at, near, or after the time of a client system requesting to enroll for a manufacturer-signed digital certificate may be regarded as enrollment data.
  • pre-enrollment software may be loaded onto the client system to cause the client system to generate pre-certificate-enrollment (hereinafter, "pre-enrollment") client identification data capable of identifying the client device in the future when the client system requests generation of a manufacturer-signed digital certificate for itself.
  • the client system may store the pre-enrollment client identification data on a manufacturer-accessible datastore to facilitate its future use. Additionally, the pre-enrollment client identification data may be encrypted before storage for future retrieval and use.
  • the pre-enrollment client identification data may comprise a TPM EK certificate captured from a TPM of the client system (e.g., by the manufacturer of the TPM).
  • a TPM EK certificate may include the TPM EK public key, the TPM manufacturer's certificate signature, an EK certificate with a serial number, and potentially other data (e.g., part number).
  • the pre-enrollment client identification data may also include device identification information obtained from the client system, which can include one or more of the client system's model number, serial number (e.g., customer visible or otherwise), exterior color, hash (e.g., Secure Hash Algorithm with 256 bit digest [SHA-256]) of the client system's firmware, date of manufacture, and the like.
  • the content within the pre-enrollment client identification data may be formatted according to a standard determined by the manufacturer.
  • the pre-enrollment client identification data may be encrypted before storage.
  • the pre-enrollment client identification data may be encrypted using a client random key.
  • the encrypted pre-enrollment client identification data and an encrypted version of the client random key may be combined to produce a pre-enrollment client identification data package, which may be stored on a datastore for future retrieval and use during a subsequent request for a manufacturer-signed digital certificate for the client system.
  • the datastore is separate from the server system and administered by the manufacturer of the client system (e.g., a manufacturer's datastore). Once stored on the datastore, the client system can be considered to be registered with the manufacturer.
  • the client random key may be encrypted using a manufacturer-selected key (e.g., a public key), which may be one exclusively utilized by the manufacturer for encrypting client random keys. Additionally, the encrypted pre-enrollment client identification data and the encrypted version of the client random key may be combined in a manufacturer-specific manner (e.g., format).
  • a request for a manufacturer-signed digital certificate by the client system is permitted to proceed only when the chain of custody of the client system is found to comply with the manufacturer's authorized practices.
  • the chain of custody may be in compliance (and therefore authorized) when the client system is received by a customer directly from the manufacturer or by way of an authorized channel (e.g., authorized retailer or distributor).
  • customer order information is saved or updated to associate the client system with a customer order when the client system is shipped from the manufacturer to a customer, a distributor, or retailer.
  • the customer order information can comprise information regarding the retailer's or the distributor's customer order.
  • a factory order system generates a pick request in a manufacturer warehouse based on a customer order.
  • personnel at the manufacturer warehouse scan the client system (e.g., model number or serial number) in response to the pick request, and customer order information is saved or updated to associate the client system with the customer order.
  • once saved or updated, the customer order information can serve to confirm whether the chain of custody of the client system complies with the manufacturer's preferences.
  • after the client system is received by a customer (e.g., directly from the manufacturer, through a retailer, or through a distributor), the client system can be powered on and establish a network connection with a server system.
  • the network connection between the client system and the server system may be secure (e.g., Secure Sockets Layer [SSL]).
  • the client system may install device identity installation software received over the network connection.
  • the device identity installation software causes the client system to submit a request to the server system for a manufacturer-signed digital certificate for identifying the client system.
  • the server system can verify the chain of custody of the client system before the request for the manufacturer-signed digital certificate is processed further.
  • the server system may request that the device identity installation software on the client system provide customer order information associated with the client system.
  • the device identity installation software may do so by receiving, from a user at the client system, user-entered customer order information associated with the client system.
  • the device identity installation software may provide the user-entered customer order information to the server system, which in turn may compare the user-entered customer order information with the customer order information saved at the time the client system shipped from the manufacturer. Based on the comparison, the server system can verify the chain of custody of the client system before the request for the manufacturer-signed digital certificate is further processed by the server system. In this way, the server system can verify that the customer received the client system through a manufacturer-authorized channel, such as directly from the manufacturer or through a manufacturer-authorized distributor or retailer.
  • the server system can request that the device identity installation software on the client system prepare and send enrollment client identification data.
  • the server system can request that the device identity installation software on the client system provide (e.g., generate and send) a client key that can eventually be utilized in generation of the manufacturer-signed digital certificate.
  • the device identity installation software may cause the client system to send the enrollment client identification data, the client key, or both to the server system in encrypted form.
  • the enrollment client identification data for the client system is prepared in a manner similar to how the pre-enrollment client identification data was prepared for the client system before the client system was shipped from the manufacturer. Accordingly, to prepare the enrollment client identification data for the client system, the device identity installation software can retrieve device identification information from the client system, and can further retrieve a TPM EK certificate captured from the TPM of the client system. Additionally, the content within the enrollment client identification data may be formatted similarly to the pre-enrollment client identification data stored for the client system before shipment from the manufacturer.
  • before the device identity installation software sends the enrollment client identification data to the server system (e.g., before the TPM EK certificate is retrieved from the client system), the device identity installation software may have a user at the client system confirm the accuracy of the device identification information retrieved from the client system. The device identity installation software may facilitate this by causing the client system to display the retrieved device identification information to the user, and the user, in turn, may confirm or deny the accuracy of the information displayed.
  • the enrollment client identification data can be sent to the server system to facilitate further processing of the request for the manufacturer-signed digital certificate.
  • the server system can compare the enrollment client identification data to the pre-enrollment client identification data to verify that the client system is what it purports to be before a manufacturer-signed digital certificate for the client system is generated. Accordingly, where the comparison indicates that the enrollment client identification data and the pre-enrollment client identification data match, the server system can proceed with generation of the manufacturer-signed digital certificate for the client system, and the server system can generate the manufacturer-signed digital certificate for the client system based on the client key provided by the device identity installation software. Subsequently, the manufacturer-signed digital certificate may be encrypted before it is provided to the client system.
  • the manufacturer-signed digital certificate may be encrypted by a cleartext server random session key (e.g., randomly generated by the server system for this particular session of generating the manufacturer-signed digital certificate), and the cleartext server random session key may be encrypted by the TPM EK public key (held within the TPM EK certificate) to produce an encrypted server random session key.
  • the TPM EK certificate is possessed by both the client system (e.g., in the TPM of the client system) and the server system (e.g., via the pre-enrollment client identification data received). Subsequently, both the encrypted manufacturer-signed digital certificate and the encrypted server random session key can be sent to the client system.
  • when the client system receives the encrypted manufacturer-signed digital certificate and the encrypted server random session key, the client system can use the TPM EK private key, held within its copy of the TPM EK certificate, to decrypt the encrypted server random session key, and use the resulting cleartext server random session key to decrypt the manufacturer-signed digital certificate.
  • the server system may update its records with information regarding the manufacturer-signed digital certificate (e.g., its serial number, time and date of generation, or time and date sent to the client system).
  • the server system may provide the device identity software with instructions on how the user at the client system can manually address (e.g., reconcile) the issue (e.g., call to technical support).
  • the server system may inspect the enrollment client identification data to validate that it is in an expected format. Additionally, where the enrollment client identification data or the client key is received in encrypted form, the server system may need to perform one or more decryption processes before either can be utilized in subsequent operations.
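The enrollment exchange described in the bullets above, as an added Go example that is not code from the patent or from Hewlett Packard Enterprise: seal/open build the page's data package (identification data encrypted under a random key, that key encrypted to a public key), Server.Enroll performs the chain-of-custody check and the pre-enrollment/enrollment comparison before issuing the manufacturer-signed X.509 certificate for the client key, and the same package wrapping delivers the certificate under a server session key encrypted to the TPM EK public key, so only the holder of the EK private key can open it. All names (ClientID, Package, Server, seal, open, issue, Enroll, Demo), the identification field set, the sample serial and order numbers, and the self-signed stand-in for the TPM vendor's EK certificate are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// must panics on errors that cannot occur with well-formed inputs; Enroll returns the errors that matter.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ClientID is built in the factory (pre-enrollment) and rebuilt at the customer (enrollment); fields assumed.
type ClientID struct{ EKCert, FWHash []byte; Serial string } // TPM EK certificate (DER), firmware SHA-256, serial
type Package struct{ Nonce, Ciphertext, WrappedKey []byte }  // the page's "encrypted data plus encrypted random key" bundle

// seal encrypts data under a fresh AES-256-GCM key and RSA-OAEP-wraps that key to the recipient (manufacturer key or TPM EK key).
func seal(data []byte, to *rsa.PublicKey) *Package {
	buf := make([]byte, 44) // 32-byte key followed by a 12-byte nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil))
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return &Package{nonce, aead.Seal(nil, nonce, data, nil), wrapped}
}

// open unwraps the random key with the recipient's private key and decrypts; any tampering fails here.
func open(p *Package, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("cannot unwrap package key")
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}

// issue signs a certificate for pub with signer; a nil parent means self-signed, CertSign usage means CA.
func issue(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, ku x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(5, 0, 0),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Server is the manufacturer's enrollment service together with the datastores it consults.
type Server struct {
	mfgKey, caKey *rsa.PrivateKey     // unwraps client packages; signs device certificates
	caCert        *x509.Certificate
	preEnroll     map[string]*Package // serial -> package the unit stored before shipping
	orders        map[string]string   // serial -> customer order recorded when the unit shipped
}

// Enroll checks chain of custody, compares enrollment with pre-enrollment data and, on a match, returns the manufacturer-signed certificate sealed to the TPM EK public key.
func (s *Server) Enroll(serial, order string, enroll *Package, clientPub *rsa.PublicKey) (*Package, error) {
	stored, ok := s.preEnroll[serial]
	if !ok || enroll == nil || s.orders[serial] != order {
		return nil, errors.New("unregistered system or order does not match shipping record")
	}
	pre, err1 := open(stored, s.mfgKey)
	now, err2 := open(enroll, s.mfgKey)
	if err1 != nil || err2 != nil || string(pre) != string(now) {
		return nil, errors.New("enrollment data does not match pre-enrollment data")
	}
	var id ClientID
	if err := json.Unmarshal(pre, &id); err != nil {
		return nil, err
	}
	ekCert := must(x509.ParseCertificate(id.EKCert)) // trusted: it equals the factory record
	cert := issue(id.Serial, clientPub, s.caCert, s.caKey, x509.KeyUsageDigitalSignature)
	return seal(cert.Raw, ekCert.PublicKey.(*rsa.PublicKey)), nil
}

// Demo: factory registration, shipping record, enrollment at the customer and delivery to the TPM.
func Demo() (device, ca *x509.Certificate) {
	gen := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	mfgKey, caKey, ekKey, clientKey := gen(), gen(), gen(), gen() // ekKey stands for the EK private key inside the TPM
	srv := &Server{mfgKey, caKey, issue("Manufacturer Device CA", &caKey.PublicKey, nil, caKey, x509.KeyUsageCertSign), map[string]*Package{}, map[string]string{}}
	// Constructed unit; its EK cert is self-signed here in place of the TPM vendor's signature.
	id := ClientID{issue("TPM EK", &ekKey.PublicKey, nil, ekKey, x509.KeyUsageKeyEncipherment).Raw, sha256.New().Sum(nil), "SN-0001"}
	blob := must(json.Marshal(id))
	srv.preEnroll[id.Serial], srv.orders[id.Serial] = seal(blob, &mfgKey.PublicKey), "ORDER-42" // factory, then warehouse
	reply := must(srv.Enroll(id.Serial, "ORDER-42", seal(blob, &mfgKey.PublicKey), &clientKey.PublicKey))
	return must(x509.ParseCertificate(must(open(reply, ekKey)))), srv.caCert // only the EK holder can open it
}
```

Demo returns the device certificate and the CA certificate it chains to; a wrong order number or differing identification data makes Enroll return an error before any certificate is issued.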
  • The following provides a detailed description of the examples illustrated by FIGs. 1-12.
  • FIG. 1 illustrates an example environment 100 including an example client system 102 in communication with an example server system 104.
  • environment 100 includes a client system 102 in communication with a server system 104 over a communications network 106.
  • the client system 102 includes a certificate requesting module 108, a client-data providing module 110, and a client communications module 112.
  • the server system 104 includes a client-data acquisition module 114, an authorization module 116, a certificate generation module 118, and a server communications module 120.
  • the client system 102 may comprise a desktop, laptop, a hand-held computing device (e.g., personal digital assistants, smartphones, tablets, etc.), a workstation, various network infrastructure devices (e.g., switches, routers and gateways), or another device that includes a processor.
  • the client system 102 comprises a cryptoprocessor, such as one included in a Trusted Platform Module (TPM) that is part of the client system 102.
  • a cryptoprocessor of the client system 102 may or may not be part of a primary processor (e.g., central processing unit) of the client system 102.
  • the server system 104 may comprise one or more servers, which may be operating on, or implemented using, one or more cloud-based resources, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS).
  • the components or the arrangement of components in the environment 100 may differ from what is depicted in FIG. 1.
  • the client system 102 or the server system 104 can include more or fewer components than those depicted in FIG. 1.
  • modules and other components of various examples may comprise, in whole or in part, machine-readable instructions or electronic circuitry.
  • a module may comprise computer-readable instructions executable by a processor to perform one or more functions in accordance with various examples described herein.
  • a module may comprise electronic circuitry to perform one or more functions in accordance with various examples described herein.
  • the elements of a module may be combined in a single package, maintained in several packages, or maintained separately.
  • the communications network 106 permits data to be communicated between the client system 102 and the server system 104 in accordance with various examples described herein.
  • the communications network 106 may comprise one or more local or wide-area communications networks, such as the Internet, WiFi networks, cellular networks, private networks, public networks, and the like.
  • the certificate requesting module 108 may facilitate the client system 102 requesting, from the server system 104, a manufacturer-signed digital certificate for identifying the client system. In some examples, the certificate requesting module 108 sends a request for the manufacturer-signed digital certificate to the server system 104 over the communications network 106, and the request may identify the client system 102 to the server system 104.
  • the client-data providing module 110 may facilitate the client system 102 providing the server system 104 with client data relating to the client system 102. For instance, the client-data providing module 110 may provide the server system 104 with the client data by preparing the client data and sending the client data to the server system 104 over the communications network 106.
  • the client data comprises enrollment client identification data, and may further comprise a client key that the server system 104 may utilize in generation of the manufacturer-signed digital certificate requested.
  • enrollment client identification data can include client identification data captured at the client system 102 in association with the client system 102 requesting a manufacturer-signed digital certificate from the server system 104.
  • the enrollment client identification data may be client identification data captured at or near the time the request for the manufacturer-signed digital certificate is sent to the server system 104.
  • the client system 102 prepares and sends the client data (e.g., the enrollment client identification data, the client key, or both) only after being instructed to do so by the server system 104, which may provide the instruction in response to the request sent by the client system 102 (e.g., after the server system 104 has validated the request from the client system 102).
  • the enrollment client identification data comprises a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system 102, which as noted may be obtained from the client system 102 at or near the time the client system 102 requests the manufacturer-signed digital certificate from the server system 104.
  • the client system 102 may include a Trusted Platform Module (TPM), and the cryptoprocessor-associated digital certificate may be a TPM Endorsement Key (EK) certificate obtained from the TPM of the client system 102.
  • the enrollment client identification data may further comprise device identification information obtained from the client system 102 at or near the time the client system 102 requests the manufacturer-signed digital certificate from the server system 104.
  • device identification information can include, without limitation, one or more of the model number of the client system 102, the serial number (e.g., customer visible or otherwise) of the client system 102, the exterior color of the client system 102, a hash (e.g., SHA-256) of firmware on the client system 102, and the date of manufacture of the client system 102.
  • the client-data providing module 110 may encrypt the client data using a client random key.
  • the client-data providing module 110 may, for instance, encrypt a cleartext version of the enrollment client identification data with a cleartext client random key to produce encrypted enrollment client identification data, encrypt the cleartext client random key to produce an encrypted client random key that is decryptable by the server system 104 (e.g., using a shared manufacturer's key), package the encrypted enrollment client identification data and the encrypted client random key into an enrollment data package, and send the enrollment data package to the server system 104.
  • the client communications module 112 may facilitate communication between the client system 102 and the server system 104 over the communications network 106. For instance, the client communications module 112 may facilitate the client system 102 sending client data to the server system 104 over the communications network 106 to facilitate fulfillment of a request for a manufacturer-signed digital certificate for the client system 102. The client communications module 112 may further facilitate the client system 102 receiving from the server system 104 the manufacturer-signed digital certificate over the communications network 106 after the server system 104 has generated the manufacturer-signed digital certificate.
  • the client-data acquisition module 114 may facilitate obtaining, from the client system 102, a client key and enrollment client identification data associated with the client system 102.
  • the server system 104 may attempt to obtain a client key and enrollment client identification data from the client system 102 after the client system 102 submits a request for a manufacturer-signed digital certificate to the server system 104 (e.g., over the communications network 106).
  • the client key and the enrollment client identification data may be provided by the client system 102 to the server system 104 as part of the request for the manufacturer-signed digital certificate or subsequent to the request being received by the server system 104.
  • the client system 102 requests the manufacturer-signed digital certificate from the server system 104; in response, the server system 104 requests the client key and the enrollment client identification data from the client system 102, and the client system 102 in turn sends the client key and the enrollment client identification data.
  • the enrollment client identification data may be encrypted by the client system 102 before it is sent to the server system 104, and sent within an enrollment data package as described herein.
  • the authorization module 116 may facilitate determining whether the client system 102 is authorized to receive a manufacturer-signed digital certificate from the server system 104, and may do so by determining whether the enrollment client identification data received from the client system 102 matches pre-enrollment client identification data associated with the client system 102.
  • the server system 104 may obtain the pre-enrollment client identification data from a datastore remote from the client system 102, and the datastore may be one that is part of the server system 104.
  • the pre-enrollment client identification data is prepared, and then stored on the datastore, by the client system 102 before the client system 102 ships from the manufacturer facility to a customer, a distributor, or a retailer.
  • the pre-enrollment client identification data may be prepared by the client system 102 in a manner similar to the way the client system 102 prepares the enrollment client identification data (e.g., at or after the client system 102 requests the manufacturer-signed digital certificate).
  • the pre-enrollment client identification data generated, stored, and associated with the client system 102 is intended to have the same data content as the enrollment client identification data generated by the client system 102 (e.g., the client-data providing module 110).
  • if the server system 104 determines that the enrollment client identification data matches the pre-enrollment client identification data, the server system 104 can regard the identity of the client system 102 as verified and, therefore, regard the client system 102 as authorized to receive a manufacturer-signed digital certificate.
  • the certificate generation module 118 may facilitate generation of a manufacturer-signed digital certificate for the client system 102, based on a client key provided by the client system 102, and to do so if the client system 102 is determined (e.g., by the authorization module 116) to be authorized to receive the manufacturer-signed digital certificate.
  • the manufacturer-signed digital certificate may be encrypted using a cleartext server random session key.
  • the cleartext server random session key may be encrypted to produce an encrypted server random session key (e.g., using the TPM EK certificate of the client system 102).
  • the encrypted manufacturer-signed digital certificate and encrypted server random session key may be sent to the client system 102.
  • the certificate generation module 118 may update or store information regarding the manufacturer-signed digital certificate generated for the client system 102, such as the manufacturer-signed digital certificate's serial number, time and date of generation, or time and date sent to the client system.
  • the server communications module 120 may facilitate communication between the server system 104 and the client system 102 over the communications network 106.
  • the server communications module 120 may facilitate the server system 104 receiving client data, such as enrollment client identification data and a client key, from the client system 102 over the communications network 106.
  • the server communications module 120 can send the client system 102 a manufacturer-signed digital certificate, generated by the server system 104, over the communications network 106.
  • FIG. 2 illustrates an example server system 200.
  • the server system 200 includes a request receiving module 202, a client-data acquisition module 204, a decryption module 206, an authorization module 208, a certificate generation module 210, an encryption module 212, and a server communications module 214.
  • the server system 200 may comprise one or more servers, which may be operating on, or implemented using, one or more cloud-based resources, such as a System-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS).
  • the components or the arrangement of components in the server system 200 may differ from what is depicted in FIG. 2.
  • the request receiving module 202 may facilitate receiving a request for a manufacturer-signed digital certificate from a client system.
  • the client-data acquisition module 204 may be similar to the client-data acquisition module 114 of the client system 102 described with respect to FIG. 1.
  • the decryption module 206 may facilitate the decryption of encrypted client data obtained from the client system by the client-data acquisition module 204, including encrypted enrollment client identification data.
  • the authorization module 208 may be similar to the authorization module 116 of the client system 102 described with respect to FIG. 1.
  • the certificate generation module 210 may be similar to the certificate generation module 118 of the client system 102 described with respect to FIG. 1.
  • the encryption module 212 may facilitate encrypting the manufacturer-signed digital certificate generated by the certificate generation module 210 before the manufacturer-signed digital certificate is sent to the client system.
  • the server communications module 214 may be similar to the server communications module 120 of the client system 102 described with respect to FIG. 1.
  • FIG. 3 illustrates an example server system 300.
  • the server system 300 includes a computer-readable medium 302, a processor 304, and a communications interface 306.
  • the components or the arrangement of components of the server system 300 may differ from what is depicted in FIG. 3.
  • the server system 300 can include more or less components than those depicted in FIG. 3.
  • the computer-readable medium 302 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions.
  • the computer-readable medium 302 may be a Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, or the like.
  • the computer-readable medium 302 can be encoded to store executable instructions that cause the processor 304 to perform operations in accordance with various examples described herein.
  • the computer-readable medium 302 is non-transitory.
  • as shown in FIG. 3, the computer-readable medium 302 includes receiving manufacturer-signed digital certificate request instructions 308, obtaining enrollment client identification data and client key instructions 310, decryption encrypted client random key instructions 312, decryption encrypted enrollment client identification data instructions 314, determining authorization to receive manufacturer-signed digital certificate instructions 316, generating manufacturer-signed digital certificate instructions 318, and sending manufacturer-signed digital certificate instructions 320.
  • the processor 304 may be one or more central processing units (CPUs), microprocessors, or other hardware devices suitable for retrieval and execution of one or more instructions stored in the computer-readable medium 302.
  • the processor 304 may fetch, decode, and execute the instructions 308, 310, 312, 314, 316, 318, and 320 to enable the server system 300 to perform operations in accordance with various examples described herein.
  • the processor 304 includes one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 308, 310, 312, 314, 316, 318, and 320.
  • the communications interface 306 may facilitate communication between the server system 300 and a remote network entity, such as the server system 104. Instructions 308, 310, 312, 314, 316, 318, and 320 can cause the processor 304 to send or receive network traffic through the communications interface 306.
  • the receiving manufacturer-signed digital certificate request instructions 308 may cause the processor 304 to receive a request for a manufacturer-signed digital certificate from a client system.
  • the obtaining enrollment client identification data and client key instructions 310 may cause the processor 304 to obtain from the client system a client key and enrollment client identification data associated with the client system.
  • the enrollment client identification data may be obtained from the client system as an enrollment data package comprising encrypted enrollment client identification data and an encrypted client random key.
  • the decryption encrypted client random key instructions 312 may cause the processor 304 to decrypt the encrypted client random key to produce a cleartext client random key.
  • the decryption encrypted enrollment client identification data instructions 314 may cause the processor 304 to decrypt the encrypted enrollment client identification data, using the cleartext client random key, to produce the enrollment client identification data in cleartext.
  • the determining authorization to receive manufacturer-signed digital certificate instructions 316 may cause the processor 304 to determine whether the client system is authorized to receive a manufacturer-signed digital certificate, and may do so by determining whether the enrollment client identification data matches pre-enrollment client identification data associated with the client system.
  • the pre-enrollment client identification data may be obtained from a datastore to which the client system stored the pre-enrollment client identification data before leaving the manufacturer's facility.
  • the generating manufacturer-signed digital certificate instructions 318 may cause the processor 304 to generate the manufacturer-signed digital certificate if the client system is determined to be authorized by the processor 304 to receive the manufacturer-signed digital certificate.
  • the sending manufacturer-signed digital certificate instructions 320 may cause the processor 304 to send the manufacturer-signed digital certificate, generated by the processor 304, to the client system.
  • FIG. 4 illustrates an example client system 400.
  • the client system 400 includes a computer-readable medium 402, a processor 404, and a communications interface 406.
  • the components or the arrangement of components of the client system 400 may differ from what is depicted in FIG. 4.
  • the client system 400 can include more or less components than those depicted in FIG. 4.
  • the computer-readable medium 402 may be similar to the computer-readable medium 302 described with respect to FIG. 3. Accordingly, the computer-readable medium 402 can be encoded to store executable instructions that cause the processor 404 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 402 is non-transitory. As shown in FIG. 4, the computer-readable medium 402 includes requesting manufacturer-signed digital certificate instructions 408, sending enrollment client identification data and client key instructions 410, and receiving manufacturer-signed digital certificate instructions 412.
  • the processor 404 may be similar to the processor 304 described with respect to FIG. 3. Accordingly, the processor 404 may fetch, decode, and execute the instructions 408, 410, and 412 to enable the client system 400 to perform operations in accordance with various examples described herein. Additionally, the processor 404 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 408, 410, and 412.
  • the communications interface 406 may facilitate communication between the client system 400 and a remote network entity, such as the server system 104. Instructions 408, 410, and 412 can cause the processor 404 to send or receive network traffic through the communications interface 406.
  • the requesting manufacturer-signed digital certificate instructions 408 may cause the processor 404 to send a request for a manufacturer-signed digital certificate to a server system.
  • the sending enrollment client identification data and client key instructions 410 may cause the processor 404 to send enrollment client identification data and a client key to the server system.
  • the receiving manufacturer-signed digital certificate instructions 412 may cause the processor 404 to receive the manufacturer-signed digital certificate from the server system in response to sending the enrollment client identification data and the client key to the server system. Once received, the manufacturer-signed digital certificate may be installed at the client system 400 for identification purposes.
  • FIG. 5 illustrates an example client system 500.
  • the client system 500 includes a computer-readable medium 502, a processor 504, and a communications interface 506.
  • the components or the arrangement of components of the client system 500 may differ from what is depicted in FIG. 5.
  • the client system 500 can include more or less components than those depicted in FIG. 5.
  • the computer-readable medium 502 may be similar to the computer-readable medium 302 described with respect to FIG. 3. Accordingly, the computer-readable medium 502 can be encoded to store executable instructions that cause the processor 504 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 502 is non-transitory. As shown in FIG. 5, the computer-readable medium 502 includes requesting manufacturer-signed digital certificate instructions 508, receiving user confirmation of device identification information instructions 510, sending enrollment client identification data and client key instructions 512, and receiving manufacturer-signed digital certificate instructions 514.
  • the processor 504 may be similar to the processor 304 described with respect to FIG. 3. Accordingly, the processor 504 may fetch, decode, and execute the instructions 508, 510, 512, and 514 to enable the client system 500 to perform operations in accordance with various examples described herein. Additionally, the processor 504 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 508, 510, 512, and 514.
  • the communications interface 506 may facilitate communication between the client system 500 and a remote network entity, such as the server system 104. Instructions 508, 510, 512, and 514 can cause the processor 504 to send or receive network traffic through the communications interface 506.
  • the requesting manufacturer-signed digital certificate instructions 508 may cause the processor 504 to send a request for a manufacturer-signed digital certificate to a server system.
  • the receiving user confirmation of device identification information instructions 510 may cause the processor 504 to receive a user confirmation indicating whether device identification information obtained from the client system 500 is accurate.
  • the processor 504 may obtain device identification information from the client system 500, display the obtained device identification information to a user at the client system 500, and solicit a user entry (e.g., via a keyboard or a mouse) from the user that indicates whether the obtained device identification information is accurate.
  • the sending enrollment client identification data and client key instructions 512 may cause the processor 504 to send to the server system a client key and enrollment client identification data, including device identification information associated with the client system 500, if the user entry indicates that the device identification information is accurate.
  • the receiving manufacturer-signed digital certificate instructions 514 may cause the processor 504 to receive the manufacturer-signed digital certificate from the server system in response to sending the enrollment client identification data and the client key to the server system.
  • FIG. 6 illustrates an example client system 600.
  • the client system 600 includes a computer-readable medium 602, a processor 604, and a communications interface 606.
  • the components or the arrangement of components of the client system 600 may differ from what is depicted in FIG. 6.
  • the client system 600 can include more or less components than those depicted in FIG. 6.
  • the computer-readable medium 602 may be similar to the computer-readable medium 302 described with respect to FIG. 3. Accordingly, the computer-readable medium 602 can be encoded to store executable instructions that cause the processor 604 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 602 is non-transitory. As shown in FIG. 6, the computer-readable medium 602 includes requesting manufacturer-signed digital certificate instructions 608, obtaining customer order information instructions 610, sending customer order information instructions 612, receiving request for enrollment client identification data and client key instructions 614, sending enrollment client identification data and client key instructions 616, and receiving manufacturer-signed digital certificate instructions 618.
  • the processor 604 may be similar to the processor 304 described with respect to FIG. 3. Accordingly, the processor 604 may fetch, decode, and execute the instructions 608, 610, 612, 614, 616, and 618 to enable the client system 600 to perform operations in accordance with various examples described herein. Additionally, the processor 604 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 608, 610, 612, 614, 616, and 618.
  • the communications interface 606 may facilitate communication between the client system 600 and a remote network entity, such as the server system 104.
  • Instructions 608, 610, 612, 614, 616, and 618 can cause the processor 604 to send or receive network traffic through the communications interface 606.
  • the requesting manufacturer-signed digital certificate instructions 608 may cause the processor 604 to send a request for a manufacturer-signed digital certificate to a server system.
  • the obtaining customer order information instructions 610 may cause the processor 604 to obtain from the client system 600 customer order information associated with the client system 600.
  • obtaining from the client system 600 may comprise the processor 604 soliciting customer order information from a user at the client system (e.g., through user entry).
  • the sending customer order information instructions 612 may cause the processor 604 to send the customer order information to the server system for verification.
  • the server system utilizes the customer order information provided by the client system to verify that the chain of custody of the client system 600 is in accordance with the manufacturer's authorized practices.
  • the receiving request for enrollment client identification data and client key instructions 614 may cause the processor 604 to receive, from the server system, a request for enrollment client identification data and a client key.
  • the server system may send the request to the client system in response to verifying the customer order information.
  • the sending enrollment client identification data and client key instructions 616 may cause the processor 604 to send to the server system a client key and enrollment client identification data, which may include device identification information associated with the client system 600.
  • the receiving manufacturer-signed digital certificate instructions 618 may cause the processor 604 to receive the manufacturer-signed digital certificate from the server system in response to sending the enrollment client identification data and the client key to the server system.
  • FIG. 7 illustrates an example method 700 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate.
  • although execution of the method 700 is described below with reference to the client system 102 of FIG. 1, execution of the method 700 by other suitable systems or devices may be possible.
  • the method 700 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry.
  • the method 700 is performed by the client system 102 before the client system 102 leaves (e.g., ships from) a manufacturer's facility.
  • the method 700 begins at block 702, with the client system 102 generating encrypted pre-enrollment client identification data using a client random key.
  • the client random key may be randomly generated at the client system 102 using a random or pseudorandom number generation algorithm.
  • the method 700 continues with the client system 102 encrypting the cleartext client random key, generated at block 702, to produce an encrypted client random key.
  • the method 700 continues with the client system 102 combining the encrypted pre-enrollment client identification data with the encrypted client random key produced at block 704, thereby producing a pre-enrollment data package associated with the client system 102.
  • FIG. 8 illustrates an example method 800 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate.
  • although execution of the method 800 is described below with reference to the client system 102 of FIG. 1, execution of the method 800 by other suitable systems or devices may be possible.
  • the method 800 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry.
  • the method 800 is performed by the client system 102 before the client system 102 leaves (e.g., ships from) a manufacturer's facility.
  • the method 800 begins at block 802, which may be similar to block 702 of the method 700 described with respect to FIG. 7. Likewise, blocks 804 and 806 may be respectively similar to blocks 704 and 706 of the method 700 described with respect to FIG. 7.
  • the method 800 continues with the client system 102 storing the pre-enrollment data package, produced at block 806, on a remote datastore and associating the pre-enrollment data package with the client system 102.
  • FIG. 9 illustrates an example method 900 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate.
  • although execution of the method 900 is described below with reference to the client system 400 of FIG. 4, execution of the method 900 by other suitable systems or devices may be possible.
  • the method 900 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry.
  • the method 900 is performed by the client system 400 after the client system 400 leaves (e.g., ships from) a manufacturer's facility.
  • the method 900 may be performed by the client system 400 after the client system 400 is at the customer's premises.
  • the method 900 begins at block 902, with the client system 400 requesting, from a server system (e.g., the server system 300), a manufacturer-signed digital certificate for identifying the client system 400.
  • the method 900 continues with the client system 400 sending to the server system a client key and enrollment client identification data that includes a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system 400.
  • the cryptoprocessor of the client system 400 may or may not be separate from the processor 404 of the client system 400.
  • the enrollment client identification data may also comprise device identification information associated with the client system, which may be utilized by the server system in generation of the manufacturer-signed digital certificate for the client system 400.
  • the method 900 continues with the client system 400 receiving from the server system the manufacturer-signed digital certificate requested at block 902.
  • FIG. 10 illustrates an example method 1000 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate.
  • although execution of the method 1000 is described below with reference to the client system 500 of FIG. 5, execution of the method 1000 by other suitable systems or devices may be possible.
  • the method 1000 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry.
  • the method 1000 is performed by the client system 500 after the client system 500 leaves (e.g., ships from) a manufacturer's facility.
  • the method 1000 may be performed by the client system 500 after the client system 500 is at the customer's premises.
  • the method 1000 begins at block 1002, with the client system 500 requesting, from a server system (e.g., the server system 300), a manufacturer-signed digital certificate for identifying the client system 500.
  • the method 1000 continues with the client system 500 determining, based on user confirmation, whether device identification information associated with the client system 500 is accurate.
  • the device identification information may be included in enrollment client identification data that may eventually be sent to the server system. If the device identification information is determined to be accurate at block 1004, the method 1000 proceeds to block 1006. In the event that the device identification information is determined to be inaccurate, a user at the client system 500 may be provided with instructions on manually reconciling the issue.
  • the method 1000 continues with the client system 500 sending to the server system a client key and enrollment client identification data, where the enrollment client identification data includes a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system 500 and includes device identification information associated with the client system 500.
  • the cryptoprocessor of the client system 500 may or may not be separate from the processor 504 of the client system 500.
  • the method 1000 continues with the client system 500 receiving from the server system the manufacturer-signed digital certificate requested at block 1002.
  • FIG. 11 illustrates an example method 1100 performed by an example server system to facilitate generation of a manufacturer-signed digital certificate.
  • although execution of the method 1100 is described below with reference to the server system 104 of FIG. 1, execution of the method 1100 by other suitable systems or devices may be possible.
  • the method 1100 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry.
  • the method 1100 is performed by the server system 104 after a client system requests a manufacturer-signed digital certificate.
  • the method 1100 begins at block 1102, with the server system 104 obtaining client data from a client system (e.g., the client system 102).
  • client data may be obtained from the client system, and may be provided by the client system as part of its request for a manufacturer-signed digital certificate.
  • the server system 104 obtains the client data after the server system requests the client data from the client system.
  • the client data may include enrollment client identification data and a client key, and the client data may be encrypted before being provided to the server system 104.
  • the method 1100 continues with the server system 104 determining authorization of the client system to receive a manufacturer-signed digital certificate based on the enrollment client identification data included in the client data obtained at block 1102.
  • the method 1100 continues with the server system 104 generating the manufacturer-signed digital certificate based on the client data obtained at block 1102.
  • FIG. 12 illustrates an example method 1200 performed by an example server system to facilitate generation of a manufacturer-signed digital certificate.
  • although execution of the method 1200 is described below with reference to the server system 200 of FIG. 2, execution of the method 1200 by other suitable systems or devices may be possible.
  • the method 1200 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry.
  • the method 1200 is performed by the server system 200 after a client system requests a manufacturer-signed digital certificate.
  • the method 1200 begins at block 1202, with the server system 200 receiving a request from a client system (e.g., the client system 102) for a manufacturer-signed digital certificate.
  • the method 1200 continues with the server system 200 obtaining client data from the client system.
  • the method 1200 continues with the server system 200 decrypting encrypted enrollment client identification data included in the client data obtained at block 1204.
  • the method 1200 continues with the server system 200 determining, based on the enrollment client identification data produced at block 1206, whether the client system is authorized to receive a manufacturer-signed digital certificate. If the client system is determined to be authorized to receive the manufacturer-signed digital certificate, the method continues to block 1210.
  • the method 1200 continues with the server system 200 generating a cleartext manufacturer-signed digital certificate based on the client data obtained at block 1204.
  • the method 1200 continues with the server system 200 encrypting the manufacturer-signed digital certificate generated at block 1210.
  • the method 1200 continues with the server system 200 sending the encrypted manufacturer-signed digital certificate, generated at block 1212, to the client system.
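The pre-enrollment data package of blocks 702-706 and the server-side flow of method 1200 (decrypt, compare against the stored pre-enrollment record, then sign), as one added Go example that is not part of the patent or of any HPE implementation. AES-256-GCM for the data, RSA-OAEP for the key wrap and an Ed25519 manufacturer CA key are assumptions, since the page names no algorithms; the datastore lookup and CA generation are left to the caller. Seal and Open are written with a generic recipient so they also model the return path, where the certificate travels under a server session key wrapped to the client's EK public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Package is the page's enrollment data package (and its pre-enrollment twin):
// identification data encrypted under a fresh random key, plus that key wrapped
// to the recipient's public key. AES-256-GCM and RSA-OAEP are assumptions.
type Package struct {
	WrappedKey    []byte // random key, RSA-OAEP(SHA-256) to the recipient
	Nonce         []byte // AES-GCM nonce, fresh per package
	EncryptedData []byte // client identification data, AES-256-GCM
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side (blocks 702-706): generate the random key, encrypt the
// data under it, wrap the key to the recipient, and combine the two.
func Seal(to *rsa.PublicKey, data []byte) (*Package, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, err
	}
	return &Package{wrapped, nonce, gcm.Seal(nil, nonce, data, nil)}, nil
}

// Open is the recipient side (instructions 312 and 314): unwrap the random key,
// then decrypt the data; GCM rejects a tampered package.
func Open(priv *rsa.PrivateKey, p *Package) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(p.Nonce) != gcm.NonceSize() { // gcm.Open panics on a bad nonce length
		return nil, errors.New("malformed package: bad nonce length")
	}
	return gcm.Open(nil, p.Nonce, p.EncryptedData, nil)
}

// Issue is method 1200 from block 1206 on. pre is the package the device stored
// in the datastore before shipping (block 808); enroll is what it sends now.
// Separate unwrap (RSA) and signing (Ed25519) keys limit any one compromise.
func Issue(dec *rsa.PrivateKey, ca *x509.Certificate, caKey ed25519.PrivateKey,
	pre, enroll *Package, clientKey ed25519.PublicKey) ([]byte, error) {
	want, err := Open(dec, pre)
	if err != nil {
		return nil, err
	}
	got, err := Open(dec, enroll)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(want, got) != 1 {
		return nil, errors.New("enrollment data does not match pre-enrollment record")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: string(got)}, // device identification
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour), // constructed validity
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, clientKey, caKey)
}
```

A mismatched record, a modified ciphertext and a malformed nonce all return an error before any signing happens, which is the authorization gate the page describes at block 1208.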

Abstract

Some examples provide a server system comprising a client-data acquisition module, an authorization module, and a certificate generation module. The client-data acquisition module obtains from a client system a client key and enrollment client identification data associated with the client system. The authorization module determines, based on the enrollment client identification data, whether the client system is authorized to receive a manufacturer-signed digital certificate for identifying the client system. The certificate generation module generates the manufacturer-signed digital certificate based on the client key if the client system is determined to be authorized to receive the manufacturer-signed digital certificate.

Description

MANUFACTURER-SIGNED DIGITAL CERTIFICATE FOR IDENTIFYING
A CLIENT SYSTEM
BACKGROUND
[0001] in computing, digital certificates, which are used to prove ownership of a cryptographic public key, also have uses as a trusted form of digital identification. A particular digital certificate may, for example, serve to identify the origins of an electronic communications (e.g., e-maii signed by the sender's digital certificate), the origins of a piece of software (e.g., software executable or software driver signed using the software developer's digital certificate), or a computing device (e.g., computer system including a digital certificate signed by its manufacturer), such as a laptop, desktop computer, smartphone, tablet, networking device, and the like. Generally, a digital certificate includes an owner's identification information (e.g., name, address, etc.) and the digital signature of an entity (e.g., certificate authority, manufacturer, or the like sign the digital certificate) that has verified the accuracy of the information (e.g., owner's identification information) contained in the digital certificate. After a particular digital certificate is issued to an owner (e.g., individual or organization), a third party reviewing the certificate can confirm the validity of the certificate with the entity signing the certificate. Once validated, the third party is intended to base their trust of the certificate on the trustworthiness of the entity signing the certificate.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] Certain examples are described in the following detailed description in reference to the following drawings.
[0003] FIG. 1 illustrates an example environment including an example client system in communication with an example server system.
[0004] FIGs. 2 and 3 illustrate example server systems.
[0005] FIGs. 4-8 illustrate example client systems.
[0006] FIGs. 8-10 illustrate example methods performed by an example client system to facilitate generation of a manufacturer-signed digital certificate.
[0007] FIGs. 11 and 12 illustrate example methods performed by an example server system to facilitate generation of a manufacturer-signed digital certificate.
DETAILED DESCRIPTION
[0008] Traditionally, a computing device can be processed during its manufacture to include a manufacturer-signed digital certificate associated with the computing device, which can serve as a trusted form of identification for the computing device. The process typically involves generating and installing the manufacturer-signed digital certificate at some point during manufacture of the computing device (e.g., before the computing device is shipped to a retailer or customer), which adds to the manufacture time of the computing device. Though additional manufacture time may be feasible or acceptable in some instances where the computing device is manufactured in low quantities (e.g., high-margin computing devices), the additional manufacture time may have a considerable impact (e.g., in terms of time, cost, and process implementation) for manufacturing computing devices at scale.
[0009] Additionally, information regarding the customer (e.g., end user) receiving the computing device would need to be known before the computing device exits its manufacturing process in order to generate, in the traditional way, the manufacturer-signed digital certificate based on (e.g., to include) such customer information and then install the manufacturer-signed digital certificate on the computing device. As a result, traditional processes for generating and installing manufacturer-signed digital certificates based on customer information are not applicable to those computing devices exiting manufacturing without an assigned customer (e.g., those manufactured and shipped to retailers who will eventually sell them to customers).
[0010] This disclosure describes example techniques for generating a manufacturer-signed digital certificate for a client system after the client system has exited manufacturing, which may then be provided to the client system for installation and use by the client system. Various examples described herein facilitate generation of a manufacturer-signed digital certificate for a client system after the client system has been received by a customer (e.g., at the customer's premises), and may further enable the manufacturer-signed digital certificate to be generated based on (e.g., to include) information relating to the customer, such as the customer's name (e.g., an individual's or organization's name), address, and contact information. Some examples described herein permit a manufacturer of a client system to generate a manufacturer-signed digital certificate for the client system using the manufacturer's own certificate signature infrastructure (e.g., Public Key Infrastructure [PKI]). With some examples, the manufacturer-signed digital certificate can be generated by the manufacturer with an acceptable amount of assurance that the client system is what it purports to be despite the client system having left the manufacturer's possession. Though various operations are described herein as being performed after the client system has left the manufacturing facility, it will be understood that in some examples those operations can be performed before such an event (e.g., during a late manufacturing stage).
[0011] Various examples facilitate generation of a manufacturer-signed certificate for a client system by first capturing data relating to a cryptoprocessor of the client system before the client system leaves the manufacturer's facility. For instance, the data may be captured while the client system is being manufactured and has at least reached an operational state. The cryptoprocessor of the client system can include one that is separate from the primary processor of the client system. Additionally, in some examples, the cryptoprocessor is one included in a Trusted Platform Module (TPM) of the client system, and the captured data may comprise a TPM-related certificate, such as a TPM Endorsement Key (EK) certificate. For some examples, the captured data relating to the cryptoprocessor is data not readily visible to a user (e.g., customer) of the client system. In certain examples, the captured data is stored on a datastore separate from the client system for future retrieval and use by a server system (e.g., administered by the manufacturer) that can service requests by the client system for a manufacturer-signed digital certificate. Eventually, when the server system receives a request from the client system for a manufacturer-signed digital certificate (e.g., after the client system is at a customer's premises), the client system may also provide the server system with client certificate enrollment data that the client system generated in connection with its request. In various examples, the client certificate enrollment data is generated based on the same cryptoprocessor-related data captured before the client system's departure from the manufacturer's facility. Once the client certificate enrollment data is provided, the server system can compare the client certificate enrollment data to the cryptoprocessor-related data stored on the datastore. Based on the comparison, the server system can confirm that the client system is the device it purports to be and proceed with generation of the manufacturer-signed digital certificate for the client system.
[0012] Hereinafter, data captured or generated prior to a client system enrolling for a manufacturer-signed digital certificate may be regarded as pre-enrollment data, while data captured or generated at, near, or after the time of a client system requesting to enroll for a manufacturer-signed digital certificate may be regarded as enrollment data.
[0013] For illustrative purposes, the following describes particular examples of generating a manufacturer-signed digital certificate for a client system. After the client system reaches an operational state during its manufacture, software may be loaded onto the client system to cause the client system to generate pre-certificate-enrollment (hereinafter, "pre-enrollment") client identification data capable of identifying the client device in the future when the client system requests generation of a manufacturer-signed digital certificate for itself. Once generated, the client system may store the pre-enrollment client identification data on a manufacturer-accessible datastore to facilitate its future use. Additionally, the pre-enrollment client identification data may be encrypted before storage for future retrieval and use. Depending on the example, the pre-enrollment client identification data may comprise a TPM EK certificate captured from a TPM of the client system (e.g., by the manufacturer of the TPM). A TPM EK certificate may include the TPM EK public key, the TPM manufacturer's certificate signature, an EK certificate with a serial number, and potentially other data (e.g., part number). The pre-enrollment client identification data may also include device identification information obtained from the client system, which can include one or more of the client system's model number, serial number (e.g., customer visible or otherwise), exterior color, hash (e.g., Secure Hash Algorithm with 256-bit digest [SHA-256]) of the client system's firmware, date of manufacture, and the like. The content within the pre-enrollment client identification data may be formatted according to a standard determined by the manufacturer.
[0014] As noted, before storage the pre-enrollment client identification data may be encrypted. In particular, the pre-enrollment client identification data may be encrypted using a client random key; the encrypted pre-enrollment client identification data and an encrypted version of the client random key may then be combined to produce a pre-enrollment client identification data package, which may be stored on a datastore for future retrieval and use during a subsequent request for a manufacturer-signed digital certificate for the client system. For some examples, the datastore is separate from the server system and administered by the manufacturer of the client system (e.g., a manufacturer's datastore). Once stored on the datastore, the client system can be considered to be registered with the manufacturer. The client random key may be encrypted using a manufacturer-selected key (e.g., a public key), which may be one exclusively utilized by the manufacturer for encrypting client random keys. Additionally, the encrypted pre-enrollment client identification data and the encrypted version of the client random key may be combined in a manufacturer-specific manner (e.g., format).
[0015] For some examples, a request for a manufacturer-signed digital certificate by the client system is permitted to proceed only when the chain of custody of the client system is found to comply with the manufacturer's authorized practices. The chain of custody may be in compliance (and therefore authorized) when the client system is received by a customer directly from the manufacturer or by way of an authorized channel (e.g., an authorized retailer or distributor). To ensure a compliant chain of custody for the client system, in some examples, customer order information is saved or updated to associate the client system with a customer order when the client system is shipped from the manufacturer to a customer, a distributor, or a retailer. In the event that the client system is shipped from the manufacturer to a retailer or a distributor, the customer order information can comprise information regarding the retailer's or the distributor's customer order. For some examples, a factory order system generates a pick request in a manufacturer warehouse based on a customer order, personnel at the manufacturer warehouse scan the client system (e.g., model number or serial number) in response to the pick request, and customer order information is saved or updated to associate the client system with the customer order. Once saved or updated, the customer order information can serve to confirm whether the chain of custody of the client system complies with the manufacturer's preferences.
[0016] After the client system is received by a customer (e.g., directly from the manufacturer, through a retailer, or through a distributor), the client system can be powered on and establish a network connection with a server system. The network connection between the client system and the server system may be secure (e.g., Secure Sockets Layer [SSL]). The client system may install device identity installation software received over the network connection. The device identity installation software causes the client system to submit a request to the server system for a manufacturer-signed digital certificate for identifying the client system.
[0017] In response to the request, the server system can verify the chain of custody of the client system before the request for the manufacturer-signed digital certificate can be processed further. To verify the chain of custody, the server system may request that the device identity installation software on the client system provide customer order information associated with the client system. The device identity installation software may do so by receiving, from a user at the client system, user-entered customer order information associated with the client system. The device identity installation software may provide the user-entered customer order information to the server system, which in turn may compare the user-entered customer order information with the customer order information saved at the time the client system shipped from the manufacturer. Based on the comparison, the server system can verify the chain of custody of the client system before the request for the manufacturer-signed digital certificate is further processed by the server system. In this way, the server system can verify that the customer received the client system through a manufacturer-authorized channel, such as directly from the manufacturer or through a manufacturer-authorized distributor or retailer.
[0018] To process the request for the manufacturer-signed digital certificate, the server system can request that the device identity installation software on the client system prepare and send enrollment client identification data. The server system can also request that the device identity installation software on the client system provide (e.g., generate and send) a client key that can eventually be utilized in generation of the manufacturer-signed digital certificate. The device identity installation software may cause the client system to send the enrollment client identification data, the client key, or both to the server system in encrypted form.
[0019] For certain examples, the enrollment client identification data for the client system is prepared in a manner similar to how the pre-enrollment client identification data was prepared for the client system before the client system was shipped from the manufacturer. Accordingly, to prepare the enrollment client identification data for the client system, the device identity installation software can retrieve device identification information from the client system, and can further retrieve a TPM EK certificate captured from the TPM of the client system. Additionally, the content within the enrollment client identification data may be formatted similarly to the pre-enrollment client identification data stored for the client system before shipment from the manufacturer. Before the device identity installation software sends the enrollment client identification data to the server system (e.g., before the TPM EK certificate is retrieved from the client system), the device identity installation software may have a user at the client system confirm the accuracy of the device identification information retrieved from the client system. The device identity installation software may facilitate this by causing the client system to display the retrieved device identification information to the user, and the user, in turn, may confirm or deny the accuracy of the information displayed. Once prepared, the enrollment client identification data can be sent to the server system to facilitate further processing of the request for the manufacturer-signed digital certificate.
[0020] By preparing the enrollment client identification data in a manner similar to how the pre-enrollment client identification data associated with the client system was prepared, the server system can compare the enrollment client identification data to the pre-enrollment client identification data to verify that the client system is what it purports to be before a manufacturer-signed digital certificate for the client system is generated. Accordingly, where the comparison indicates that the enrollment client identification data and the pre-enrollment client identification data match, the server system can proceed with generation of the manufacturer-signed digital certificate for the client system, and the server system can generate the manufacturer-signed digital certificate for the client system based on the client key provided by the device identity installation software. Subsequently, the manufacturer-signed digital certificate may be encrypted before it is provided to the client system. The manufacturer-signed digital certificate may be encrypted by a cleartext server random session key (e.g., randomly generated by the server system for this particular session of generating the manufacturer-signed digital certificate), and the cleartext server random session key may be encrypted by the TPM EK public key (held within the TPM EK certificate) to produce an encrypted server random session key. As described herein, for some examples, the TPM EK certificate is possessed by both the client system (e.g., in the TPM of the client system) and the server system (e.g., via the pre-enrollment client identification data received). Subsequently, both the encrypted manufacturer-signed digital certificate and the encrypted server random session key can be sent to the client system. When the client system receives the encrypted manufacturer-signed digital certificate and the encrypted server random session key, the client system can use the TPM EK private key, held within its copy of the TPM EK certificate, to decrypt the encrypted server random session key, and use the resulting cleartext server random session key to decrypt the manufacturer-signed digital certificate.
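The two-part bundle used in paragraph [0014] (pre-enrollment data encrypted under a client random key, that key encrypted to the manufacturer's key) and again in paragraph [0020] (the certificate encrypted under a server session key, that key encrypted to the TPM EK public key), together with the match check of [0020], as an added example in Go. This is not code from the patent or from the applicant. It assumes AES-256-GCM for the payload and RSA-OAEP for the key wrap, a JSON layout for the identification data, and RSA key pairs standing in for the manufacturer's key and for the TPM EK; the names `ClientIDData`, `Package`, `Seal`, `Open`, `Matches` and `NewKey` and the field set are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// ClientIDData is the client identification data of [0013]: the TPM EK
// certificate plus device identification information. The field set and JSON
// layout are an assumed manufacturer-defined format, not one given in the text.
type ClientIDData struct {
	EKCertDER    []byte `json:"ek_cert"`
	Model        string `json:"model"`
	Serial       string `json:"serial"`
	FirmwareHash string `json:"fw_sha256"`
}

// Encode yields the canonical bytes the server compares; json.Marshal writes
// struct fields in declaration order, so the encoding is deterministic.
func (d ClientIDData) Encode() []byte {
	b, _ := json.Marshal(d) // cannot fail for plain string and []byte fields
	return b
}

// Package is the two-part bundle the text uses twice: the pre-enrollment
// package of [0014] (client random key wrapped to the manufacturer's key) and
// the certificate delivery of [0020] (session key wrapped to the TPM EK public key).
type Package struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, random key)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-256-GCM(random key, payload)
}

var oaepLabel = []byte("wrapped-random-key") // assumed label; binds the wrapped key's purpose

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload under a fresh random key and wraps that key to the
// recipient's RSA public key (the sender side of [0014] and of [0020]).
func Seal(payload []byte, recipient *rsa.PublicKey) (*Package, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Package{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open unwraps the random key with the recipient's private key and decrypts the
// payload; the GCM tag check rejects any modification made in transit.
func Open(p *Package, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}

// Matches is the authorization test of [0020]: enrollment data must equal the
// stored pre-enrollment data exactly.
func Matches(preEnrollment, enrollment []byte) bool { return bytes.Equal(preEnrollment, enrollment) }

// NewKey generates an RSA key pair; it stands in here for the manufacturer key
// and for a TPM EK (a real EK private key never leaves the TPM).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
```

At the factory, `Seal(d.Encode(), &mfg.PublicKey)` produces the pre-enrollment package; at enrollment time the server calls `Open` with the manufacturer's private key and `Matches` against the encoding the client regenerates at the customer's premises. The same `Seal`, called with the EK public key, is the certificate delivery step of [0020]: a package modified in transit fails the GCM tag check, and a package wrapped to the EK cannot be opened with any other key, so only the TPM that holds the EK private key can recover the certificate.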
[0021] Before or after the manufacturer-signed digital certificate is sent to the client system, the server system may update its records with information regarding the manufacturer-signed digital certificate (e.g., its serial number, time and date of generation, or time and date sent to the client system).
[0022] In the event that the comparison indicates a mismatch, the server system may provide the device identity software with instructions on how the user at the client system can manually address (e.g., reconcile) the issue (e.g., call technical support). In advance of the comparison, the server system may inspect the enrollment client identification data to validate that it is in an expected format. Additionally, where the enrollment client identification data or the client key is received in encrypted form, the server may need to perform one or more decryption processes before either can be utilized in subsequent operations.
[0023] The following provides a detailed description of the examples illustrated by FIGs. 1-12.
[0024] FIG. 1 illustrates an example environment 100 including an example client system 102 in communication with an example server system 104. In particular, environment 100 includes a client system 102 in communication with a server system 104 over a communications network 106. As shown, the client system 102 includes a certificate requesting module 108, a client-data providing module 110, and a client communications module 112. As also shown, the server system 104 includes a client-data acquisition module 114, an authorization module 116, a certificate generation module 118, and a server communications module 120.
[0025] Depending on the example, the client system 102 may comprise a desktop, a laptop, a hand-held computing device (e.g., personal digital assistants, smartphones, tablets, etc.), a workstation, various network infrastructure devices (e.g., switches, routers, and gateways), or another device that includes a processor. According to various examples, the client system 102 comprises a cryptoprocessor, such as one included in a Trusted Platform Module (TPM) that is part of the client system 102. Depending on the example, a cryptoprocessor of the client system 102 may or may not be part of a primary processor (e.g., central processing unit) of the client system 102.
[0026] The server system 104 may comprise one or more servers, which may be operating on, or implemented using, one or more cloud-based resources, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS). In various examples, the components or the arrangement of components in the environment 100 may differ from what is depicted in FIG. 1. For instance, the client system 102 or the server system 104 can include more or fewer components than those depicted in FIG. 1.
[0027] As used herein, modules and other components of various examples may comprise, in whole or in part, machine-readable instructions or electronic circuitry. For instance, a module may comprise computer-readable instructions executable by a processor to perform one or more functions in accordance with various examples described herein. Likewise, in another instance, a module may comprise electronic circuitry to perform one or more functions in accordance with various examples described herein. The elements of a module may be combined in a single package, maintained in several packages, or maintained separately.
[0028] The communications network 106 permits data to be communicated between the client system 102 and the server system 104 in accordance with various examples described herein. In some examples, the communications network 106 may comprise one or more local or wide-area communications networks, such as the Internet, WiFi networks, cellular networks, private networks, public networks, and the like.
[0029] With reference to the client system 102, the certificate requesting module 108 may facilitate the client system 102 requesting, from the server system 104, a manufacturer-signed digital certificate for identifying the client system 102. In some examples, the certificate requesting module 108 sends a request for the manufacturer-signed digital certificate to the server system 104 over the communications network 106, and the request may identify the client system 102 to the server system 104.
[0030] The client-data providing module 110 may facilitate the client system 102 providing the server system 104 with client data relating to the client system 102. For instance, the client-data providing module 110 may provide the server system 104 with the client data by preparing the client data and sending the client data to the server system 104 over the communications network 106.
[0031] In some examples, the client data comprises enrollment client identification data, and may further comprise a client key that the server system 104 may utilize in generation of the manufacturer-signed digital certificate requested. As used herein, enrollment client identification data can include client identification data captured at the client system 102 in association with the client system 102 requesting a manufacturer-signed digital certificate from the server system 104. For instance, the enrollment client identification data may be client identification data captured at or near the time the request for the manufacturer-signed digital certificate is sent to the server system 104. For certain examples, the client system 102 prepares and sends the client data (e.g., the enrollment client identification data, the client key, or both) only after being instructed to do so by the server system 104, which may provide the instruction in response to the request sent by the client system 102 (e.g., after the server system 104 has validated the request from the client system 102).
[0032] In some examples, the enrollment client identification data comprises a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system 102, which as noted may be obtained from the client system 102 at or near the time the client system 102 requests the manufacturer-signed digital certificate from the server system 104. In some instances, the client system 102 may include a Trusted Platform Module (TPM) and the cryptoprocessor-associated digital certificate is a TPM Endorsement Key (EK) certificate obtained from the TPM of the client system 102.
[0033] The enrollment client identification data may further comprise device identification information obtained from the client system 102 at or near the time the client system 102 requests the manufacturer-signed digital certificate from the server system 104. Example device identification information can include, without limitation, one or more of the model number of the client system 102, the serial number (e.g., customer visible or otherwise) of the client system 102, the exterior color of the client system 102, a hash (e.g., SHA-256) of firmware on the client system 102, and the date of manufacture of the client system 102.
[0034] Before providing the client data to the server system 104, the client-data providing module 110 may encrypt the client data using a client random key. The client-data providing module 110 may, for instance, encrypt a cleartext version of the enrollment client identification data by a cleartext client random key to produce encrypted enrollment client identification data, encrypt the cleartext client random key to produce an encrypted client random key that is decryptable by the server system 104 (e.g., using a shared manufacturer's key), package the encrypted enrollment client identification data and the encrypted client random key into an enrollment data package, and send the enrollment data package to the server system 104.
[0035] The client communications module 112 may facilitate communication between the client system 102 and the server system 104 over the communications network 106. For instance, the client communications module 112 may facilitate the client system 102 sending client data to the server system 104 over the communications network 106 to facilitate fulfillment of a request for a manufacturer-signed digital certificate for the client system 102. The client communications module 112 may further facilitate the client system 102 receiving from the server system 104 the manufacturer-signed digital certificate over the communications network 106 after the server system 104 has generated the manufacturer-signed digital certificate.
[0036] With reference to the server system 104, the client-data acquisition module 114 may facilitate obtaining, from the client system 102, a client key and enrollment client identification data associated with the client system 102. The server system 104 may attempt to obtain a client key and enrollment client identification data from the client system 102 after the client system 102 submits a request for a manufacturer-signed digital certificate to the server system 104 (e.g., over the communications network 106). Depending on the example, the client key and the enrollment client identification data may be provided by the client system 102 to the server system 104 as part of the request for the manufacturer-signed digital certificate or subsequent to the request being received by the server system 104. In some instances, the client system 102 requests the manufacturer-signed digital certificate from the server system 104; in response the server system 104 requests the client key and the enrollment client identification data from the client system 102, and the client system 102 in turn sends the client key and the enrollment client identification data. As described herein, the enrollment client identification data may be encrypted by the client system 102 before it is sent to the server system 104 and sent within an enrollment data package described herein.
[0037] The authorization module 116 may facilitate determining whether the client system 102 is authorized to receive a manufacturer-signed digital certificate from the server system 104, and do so by determining whether the enrollment client identification data received from the client system 102 matches pre-enrollment client identification data associated with the client system 102. The server system 104 may obtain the pre-enrollment client identification data from a datastore remote from the client system 102, and the datastore may be one that is part of the server system 104. According to some examples, the pre-enrollment client identification data is prepared, and then stored on the datastore, by the client system 102 before the client system 102 ships from the manufacturer's facility to a customer, a distributor, or a retailer. As described herein, while the client system 102 is with the manufacturer, the pre-enrollment client identification data may be prepared by the client system 102 in a manner similar to the way the client system 102 prepares the enrollment client identification data (e.g., at or after the client system 102 requests the manufacturer-signed digital certificate). As a result, for some examples, the pre-enrollment client identification data generated, stored, and associated with the client system 102 is intended to have the same data content as the enrollment client identification data generated by the client system 102 (e.g., by the client-data providing module 110). As such, where the server system 104 determines that the enrollment client identification data matches the pre-enrollment client identification data, the server system 104 can regard the identity of the client system 102 as verified and, therefore, regard the client system 102 as authorized to receive a manufacturer-signed digital certificate.
[0038] The certificate generation module 118 may facilitate generation of a manufacturer-signed digital certificate for the client system 102, based on a client key provided by the client system 102, and do so if the client system 102 is determined (e.g., by the authorization module 116) to be authorized to receive the manufacturer-signed digital certificate. As described herein, once generated, the manufacturer-signed digital certificate may be encrypted using a cleartext server random session key, the cleartext server random session key may be encrypted to produce an encrypted server random session key (e.g., using the TPM EK certificate of the client system 102), and the encrypted manufacturer-signed digital certificate and encrypted server random session key may be sent to the client system 102. Additionally, the certificate generation module 118 may update or store information regarding the manufacturer-signed digital certificate generated for the client system 102, such as the manufacturer-signed digital certificate's serial number, time and date of generation, or time and date sent to the client system.
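The certificate generation and record-keeping of paragraphs [0020], [0021] and [0038], together with the relying-party check of [0001], as an added Go example; this is not code from the patent or from the applicant. It assumes X.509 as the certificate format (the text says only "digital certificate"), a self-signed manufacturer root standing in for the manufacturer's PKI, assumed subject names and validity periods, and that the device serial number is carried in the certificate subject; `ManufacturerCA`, `IssuedRecord`, `Issue` and `VerifyDeviceCert` are the example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// IssuedRecord is the bookkeeping of [0021]/[0038]: the certificate's serial
// number and its time of generation.
type IssuedRecord struct {
	Serial   *big.Int
	IssuedAt time.Time
}

// ManufacturerCA holds the manufacturer's signing key, its self-signed root and
// the records of issued certificates; it stands in for the manufacturer's own
// certificate signature infrastructure of [0010]. Names and validity periods are assumed.
type ManufacturerCA struct {
	Key     *rsa.PrivateKey
	Cert    *x509.Certificate
	Records []IssuedRecord
}

// NewManufacturerCA creates the root key and a self-signed root certificate.
func NewManufacturerCA() (*ManufacturerCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Manufacturer (assumed)"}, CommonName: "Device Identity Root (assumed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ManufacturerCA{Key: key, Cert: cert}, nil
}

// Issue is the certificate generation step of [0020]/[0038]: only when the
// authorization module has verified the client's identity does the manufacturer
// sign a certificate over the client key, recording its serial and time.
func (ca *ManufacturerCA) Issue(authorized bool, clientPub *rsa.PublicKey, deviceSerial, customer string) ([]byte, error) {
	if !authorized {
		return nil, errors.New("client identity not verified: certificate not generated")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{customer}, SerialNumber: deviceSerial, CommonName: deviceSerial},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, clientPub, ca.Key)
	if err != nil {
		return nil, err
	}
	ca.Records = append(ca.Records, IssuedRecord{Serial: serial, IssuedAt: now})
	return der, nil
}

// VerifyDeviceCert is what a third party does with the certificate ([0001]):
// check that it chains to the manufacturer's root and names the expected device.
func VerifyDeviceCert(der []byte, root *x509.Certificate, wantDeviceSerial string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.SerialNumber != wantDeviceSerial {
		return errors.New("certificate names a different device")
	}
	return nil
}
```

The `authorized` argument is the outcome of the comparison in [0037]; keeping the refusal inside `Issue` means a certificate cannot be generated by a code path that skipped the check. `VerifyDeviceCert` rejects a certificate from any root other than the manufacturer's and one issued for a different device serial, which is the trust decision [0001] describes a third party making.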
[0039] The server communications module 120 may facilitate communication between the server system 104 and the client system 102 over the communications network 106. The server communications module 120, for example, may facilitate the server system 104 receiving client data, such as enrollment client identification data and a client key, from the client system 102 over the communications network 106. In addition, the server communications module 120 can send the client system 102 a manufacturer-signed digital certificate, generated by the server system 104, over the communications network 106.
[0040] FIG. 2 illustrates an example server system 200. As shown, the server system 200 includes a request receiving module 202, a client-data acquisition module 204, a decryption module 206, an authorization module 208, a certificate generation module 210, an encryption module 212, and a server communications module 214. The server system 200 may comprise one or more servers, which may be operating on, or implemented using, one or more cloud-based resources, such as a System-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS). In various examples, the components or the arrangement of components in the server system 200 may differ from what is depicted in FIG. 2.
[0041] The request receiving module 202 may facilitate receiving a request for a manufacturer-signed digital certificate from a client system. The client-data acquisition module 204 may be similar to the client-data acquisition module 114 of the client system 102 described with respect to FIG. 1. The decryption module 206 may facilitate the decryption of encrypted client data obtained from the client system by the client-data acquisition module 204, including encrypted enrollment client identification data. The authorization module 208 may be similar to the authorization module 116 of the client system 102 described with respect to FIG. 1, and the certificate generation module 210 may be similar to the certificate generation module 118 of the client system 102 described with respect to FIG. 1. The encryption module 212 may facilitate encrypting the manufacturer-signed digital certificate generated by the certificate generation module 210 before the manufacturer-signed digital certificate is sent to the client system. The server communications module 214 may be similar to the server communications module 120 of the client system 102 described with respect to FIG. 1.
[0042] FIG. 3 illustrates an example server system 300. As shown, the server system 300 includes a computer-readable medium 302, a processor 304, and a communications interface 306. In various examples, the components or the arrangement of components of the server system 300 may differ from what is depicted in FIG. 3. For instance, the server system 300 can include more or fewer components than those depicted in FIG. 3.
[0043] The computer-readable medium 302 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions. For example, the computer-readable medium 302 may be a Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, or the like. The computer-readable medium 302 can be encoded to store executable instructions that cause the processor 304 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 302 is non-transitory. As shown in FIG. 3, the computer-readable medium 302 includes receiving manufacturer-signed digital certificate request instructions 308, obtaining enrollment client identification data and client key instructions 310, decryption encrypted client random key instructions 312, decryption encrypted enrollment client identification data instructions 314, determining authorization to receive manufacturer-signed digital certificate instructions 316, generating manufacturer-signed digital certificate instructions 318, and sending manufacturer-signed digital certificate instructions 320.
[0044] The processor 304 may be one or more central processing units (CPUs), microprocessors, or other hardware devices suitable for retrieval and execution of one or more instructions stored in the computer-readable medium 302. The processor 304 may fetch, decode, and execute the instructions 308, 310, 312, 314, 316, 318, and 320 to enable the server system 300 to perform operations in accordance with various examples described herein. For some examples, the processor 304 includes one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 308, 310, 312, 314, 316, 318, and 320.
[0045] The communications interface 306 may facilitate communication between the server system 300 and a remote network entity, such as the server system 104. Instructions 308, 310, 312, 314, 316, 318, and 320 can cause the processor 304 to send or receive network traffic through the communications interface 306.
[0046] The receiving manufacturer-signed digital certificate request instructions 308 may cause the processor 304 to receive a request for a manufacturer-signed digital certificate from a client system. The obtaining enrollment client identification data and client key instructions 310 may cause the processor 304 to obtain from the client system a client key and enrollment client identification data associated with the client system. As described herein, the enrollment client identification data may be obtained from the client system as an enrollment data package comprising encrypted enrollment client identification data and an encrypted client random key. The decryption encrypted client random key instructions 312 may cause the processor 304 to decrypt the encrypted client random key to produce a cleartext client random key. The decryption encrypted enrollment client identification data instructions 314 may cause the processor 304 to decrypt the encrypted enrollment client identification data, using the cleartext client random key, to produce the enrollment client identification data in cleartext.
[0047] The determining authorization to receive manufacturer-signed digital certificate instructions 316 may cause the processor 304 to determine whether the client system is authorized to receive a manufacturer-signed digital certificate, and may do so by determining whether the enrollment client identification data matches pre-enrollment client identification data associated with the client system. As described herein, the pre-enrollment client identification data may be obtained from a datastore to which the client system stored the pre-enrollment client identification data before leaving the manufacturer's facility. The generating manufacturer-signed digital certificate instructions 318 may cause the processor 304 to generate the manufacturer-signed digital certificate if the client system is determined to be authorized by the processor 304 to receive the manufacturer-signed digital certificate. The sending manufacturer-signed digital certificate instructions 320 may cause the processor 304 to send the manufacturer-signed digital certificate, generated by the processor 304, to the client system.
[0048] FIG. 4 illustrates an example client system 400. As shown, the client system 400 includes a computer-readable medium 402, a processor 404, and a communications interface 406. In various examples, the components or the arrangement of components of the client system 400 may differ from what is depicted in FIG. 4. For instance, the client system 400 can include more or fewer components than those depicted in FIG. 4.
[0049] The computer-readable medium 402 may be similar to the computer-readable medium 302 described with respect to FIG. 3. Accordingly, the computer-readable medium 402 can be encoded to store executable instructions that cause the processor 404 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 402 is non-transitory. As shown in FIG. 4, the computer-readable medium 402 includes requesting manufacturer-signed digital certificate instructions 408, sending enrollment client identification data and client key instructions 410, and receiving manufacturer-signed digital certificate instructions 412.
[0050] The processor 404 may be similar to the processor 304 described with respect to FIG. 3. Accordingly, the processor 404 may fetch, decode, and execute the instructions 408, 410, and 412 to enable the client system 400 to perform operations in accordance with various examples described herein. Additionally, the processor 404 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 408, 410, and 412.
[0051] The communications interface 406 may facilitate communication between the client system 400 and a remote network entity, such as the server system 104. Instructions 408, 410, and 412 can cause the processor 404 to send or receive network traffic through the communications interface 406.
[0052] The requesting manufacturer-signed digital certificate instructions 408 may cause the processor 404 to send a request for a manufacturer-signed digital certificate to a server system. The sending enrollment client identification data and client key instructions 410 may cause the processor 404 to send enrollment client identification data and a client key to the server system. The receiving manufacturer-signed digital certificate instructions 412 may cause the processor 404 to receive the manufacturer-signed digital certificate from the server system in response to sending the enrollment client identification data and the client key to the server system. Once received, the manufacturer-signed digital certificate may be installed at the client system 400 for identification purposes.
[0053] FIG. 5 illustrates an example client system 500. As shown, the client system 500 includes a computer-readable medium 502, a processor 504, and a communications interface 506. In various examples, the components or the arrangement of components of the client system 500 may differ from what is depicted in FIG. 5. For instance, the client system 500 can include more or fewer components than those depicted in FIG. 5.
[0054] The computer-readable medium 502 may be similar to the computer-readable medium 302 described with respect to FIG. 3. Accordingly, the computer-readable medium 502 can be encoded to store executable instructions that cause the processor 504 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 502 is non-transitory. As shown in FIG. 5, the computer-readable medium 502 includes requesting manufacturer-signed digital certificate instructions 508, receiving user confirmation of device identification information instructions 510, sending enrollment client identification data and client key instructions 512, and receiving manufacturer-signed digital certificate instructions 514.
[0055] The processor 504 may be similar to the processor 304 described with respect to FIG. 3. Accordingly, the processor 504 may fetch, decode, and execute the instructions 508, 510, 512, and 514 to enable the client system 500 to perform operations in accordance with various examples described herein. Additionally, the processor 504 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 508, 510, 512, and 514.
[0056] The communications interface 506 may facilitate communication between the client system 500 and a remote network entity, such as the server system 104. Instructions 508, 510, 512, and 514 can cause the processor 504 to send or receive network traffic through the communications interface 506.
[0057] The requesting manufacturer-signed digital certificate instructions 508 may cause the processor 504 to send a request for a manufacturer-signed digital certificate to a server system. The receiving user confirmation of device identification information instructions 510 may cause the processor 504 to receive a user confirmation indicating whether device identification information obtained from the client system 500 is accurate. In some examples, the processor 504 may obtain device identification information from the client system 500, display the obtained device identification information to a user at the client system 500, and solicit a user entry (e.g., via a keyboard or a mouse) from the user that indicates whether the obtained device identification information is accurate. The sending enrollment client identification data and client key instructions 512 may cause the processor 504 to send to the server system a client key and enrollment client identification data, including device identification information associated with the client system 500, if the user entry indicates that the device identification information is accurate. The receiving manufacturer-signed digital certificate instructions 514 may cause the processor 504 to receive the manufacturer-signed digital certificate from the server system in response to sending the enrollment client identification data and the client key to the server system.
[0058] FIG. 6 illustrates an example client system 600. As shown, the client system 600 includes a computer-readable medium 602, a processor 604, and a communications interface 606. In various examples, the components or the arrangement of components of the client system 600 may differ from what is depicted in FIG. 6. For instance, the client system 600 can include more or fewer components than those depicted in FIG. 6.
[0059] The computer-readable medium 602 may be similar to the computer-readable medium 302 described with respect to FIG. 3. Accordingly, the computer-readable medium 602 can be encoded to store executable instructions that cause the processor 604 to perform operations in accordance with various examples described herein. In various examples, the computer-readable medium 602 is non-transitory. As shown in FIG. 6, the computer-readable medium 602 includes requesting manufacturer-signed digital certificate instructions 608, obtaining customer order information instructions 610, sending customer order information instructions 612, receiving request for enrollment client identification data and client key instructions 614, sending enrollment client identification data and client key instructions 616, and receiving manufacturer-signed digital certificate instructions 618.
[0060] The processor 604 may be similar to the processor 304 described with respect to FIG. 3. Accordingly, the processor 604 may fetch, decode, and execute the instructions 608, 610, 612, 614, 616, and 618 to enable the client system 600 to perform operations in accordance with various examples described herein. Additionally, the processor 604 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions 608, 610, 612, 614, 616, and 618.
[0061] The communications interface 606 may facilitate communication between the client system 600 and a remote network entity, such as the server system 104. Instructions 608, 610, 612, 614, 616, and 618 can cause the processor 604 to send or receive network traffic through the communications interface 606.
[0062] The requesting manufacturer-signed digital certificate instructions 608 may cause the processor 604 to send a request for a manufacturer-signed digital certificate to a server system. The obtaining customer order information instructions 610 may cause the processor 604 to obtain from the client system 600 customer order information associated with the client system 600. Obtaining from the client system 600 may comprise the processor 604 soliciting customer order information from a user at the client system (e.g., through user entry). The sending customer order information instructions 612 may cause the processor 604 to send the customer order information to the server system for verification. In some examples, the server system utilizes the customer order information provided by the client system to verify that the chain of custody of the client system 600 is in accordance with the manufacturer's authorized practices.
[0063] The receiving request for enrollment client identification data and client key instructions 614 may cause the processor 604 to receive, from the server system, a request for enrollment client identification data and a client key. The server system may send the request to the client system in response to verifying the customer order information. The sending enrollment client identification data and client key instructions 616 may cause the processor 604 to send to the server system a client key and enrollment client identification data, which may include device identification information associated with the client system 600. The receiving manufacturer-signed digital certificate instructions 618 may cause the processor 604 to receive the manufacturer-signed digital certificate from the server system in response to sending the enrollment client identification data and the client key to the server system.
[0064] FIG. 7 illustrates an example method 700 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate. Although execution of the method 700 is described below with reference to the client system 102 of FIG. 1, execution of the method 700 by other suitable systems or devices may be possible. The method 700 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry. For some examples, the method 700 is performed by the client system 102 before the client system 102 leaves (e.g., ships from) a manufacturer's facility.
[0065] In FIG. 7, the method 700 begins at block 702, with the client system 102 generating encrypted pre-enrollment client identification data using a client random key. The client random key may be randomly generated at the client system 102 using a random or pseudorandom number generation algorithm. At block 704, the method 700 continues with the client system 102 encrypting the cleartext client random key, generated at block 702, to produce an encrypted client random key. At block 706, the method 700 continues with the client system 102 combining the encrypted pre-enrollment client identification data with the encrypted client random key produced at block 704, thereby producing a pre-enrollment data package associated with the client system 102.
[0066] FIG. 8 illustrates an example method 800 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate. Although execution of the method 800 is described below with reference to the client system 102 of FIG. 1, execution of the method 800 by other suitable systems or devices may be possible. The method 800 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry. For some examples, the method 800 is performed by the client system 102 before the client system 102 leaves (e.g., ships from) a manufacturer's facility.
[0067] In FIG. 8, the method 800 begins at block 802, which may be similar to block 702 of the method 700 described with respect to FIG. 7. Likewise, blocks 804 and 806 may be respectively similar to blocks 704 and 706 of the method 700 described with respect to FIG. 7. At block 808, the method 800 continues with the client system 102 storing the pre-enrollment client identification data package, produced at block 806, on a remote datastore and associating the pre-enrollment data package with the client system 102.
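The pre-enrollment data package of methods 700 and 800 (blocks 702 through 706), together with its decryption on the server side (instructions 312 and 314 described with respect to FIG. 3), as an added Go example; this is not code from the patent or from Hewlett Packard Enterprise. The page names no algorithms, so it assumes AES-256-GCM for the identification data and RSA-OAEP to a manufacturer public key for encrypting the client random key; GenerateManufacturerKey, oaepLabel and the identification data bytes are constructed stand-ins, not a real EK certificate or manufacturer key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// oaepLabel ties the wrapped key to this purpose. Both the wrapping scheme (RSA-OAEP to a
// manufacturer public key) and this label are assumptions; the page names no algorithm.
var oaepLabel = []byte("pre-enrollment-client-random-key")

// PreEnrollmentPackage is the combined package of block 706 / claim 8.
type PreEnrollmentPackage struct {
	EncryptedClientRandomKey []byte // AES-256 key wrapped with RSA-OAEP to the manufacturer
	Nonce                    []byte // AES-GCM nonce used for the identification data
	EncryptedIDData          []byte // AES-GCM ciphertext and tag over the identification data
}

// GenerateManufacturerKey stands in for the manufacturer's long-term decryption key pair.
func GenerateManufacturerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildPreEnrollmentPackage implements blocks 702 to 706 on the client, before it ships.
func BuildPreEnrollmentPackage(idData []byte, manufacturerPub *rsa.PublicKey) (*PreEnrollmentPackage, error) {
	// Block 702: a fresh random client key from the OS CSPRNG, used for this package only.
	clientRandomKey := make([]byte, 32)
	if _, err := rand.Read(clientRandomKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(clientRandomKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encID := gcm.Seal(nil, nonce, idData, nil)
	// Block 704: encrypt the cleartext client random key so only the manufacturer can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, manufacturerPub, clientRandomKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	// Block 706: combine the two ciphertexts into the package stored on the remote datastore.
	return &PreEnrollmentPackage{EncryptedClientRandomKey: wrapped, Nonce: nonce, EncryptedIDData: encID}, nil
}

// OpenPreEnrollmentPackage is the server side (instructions 312 and 314): unwrap the key, then decrypt.
func OpenPreEnrollmentPackage(pkg *PreEnrollmentPackage, manufacturerPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, manufacturerPriv, pkg.EncryptedClientRandomKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("decrypt client random key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// The GCM tag check fails here if the ciphertext or nonce was altered in transit or at rest.
	plain, err := gcm.Open(nil, pkg.Nonce, pkg.EncryptedIDData, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt pre-enrollment client identification data: %w", err)
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	manufacturer, err := GenerateManufacturerKey()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed identification data: placeholder EK certificate bytes plus a device serial.
	idData := []byte("EK-CERT:constructed-placeholder;SERIAL:SN-EXAMPLE-0001")
	pkg, err := BuildPreEnrollmentPackage(idData, &manufacturer.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	got, err := OpenPreEnrollmentPackage(pkg, manufacturer)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d-byte wrapped key, %d-byte ciphertext; recovered %q\n",
		len(pkg.EncryptedClientRandomKey), len(pkg.EncryptedIDData), got)
}
```

Using an authenticated mode for the identification data matters here because the package sits on a remote datastore between manufacture and enrollment: a modified EK certificate or serial in the stored package is rejected at decryption rather than silently compared against the client's later enrollment data.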
[0068] FIG. 9 illustrates an example method 900 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate. Although execution of the method 900 is described below with reference to the client system 400 of FIG. 4, execution of the method 900 by other suitable systems or devices may be possible. The method 900 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry. For some examples, the method 900 is performed by the client system 400 after the client system 400 leaves (e.g., ships from) a manufacturer's facility. For instance, the method 900 may be performed by the client system 400 after the client system 400 is at the customer's premises.
[0069] In FIG. 9, the method 900 begins at block 902, with the client system 400 requesting, from a server system (e.g., the server system 300), a manufacturer-signed digital certificate for identifying the client system 400. At block 904, the method 900 continues with the client system 400 sending to the server system a client key and enrollment client identification data that includes a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system 400. As described herein, the cryptoprocessor of the client system 400 may or may not be separate from the processor 404 of the client system 400. Additionally, as described herein, the enrollment client identification data may also comprise device identification information associated with the client system, which may be utilized by the server system in generation of the manufacturer-signed digital certificate for the client system 400. At block 906, the method 900 continues with the client system 400 receiving from the server system the manufacturer-signed digital certificate requested at block 902.
[0070] FIG. 10 illustrates an example method 1000 performed by an example client system to facilitate generation of a manufacturer-signed digital certificate. Although execution of the method 1000 is described below with reference to the client system 500 of FIG. 5, execution of the method 1000 by other suitable systems or devices may be possible. The method 1000 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry. For some examples, the method 1000 is performed by the client system 500 after the client system 500 leaves (e.g., ships from) a manufacturer's facility. For instance, the method 1000 may be performed by the client system 500 after the client system 500 is at the customer's premises.
[0071] In FIG. 10, the method 1000 begins at block 1002, with the client system 500 requesting, from a server system (e.g., the server system 300), a manufacturer-signed digital certificate for identifying the client system 500. At block 1004, the method 1000 continues with the client system 500 determining, based on user confirmation, whether device identification information associated with the client system 500 is accurate. As described herein, the device identification information may be included in enrollment client identification data that may eventually be sent to the server system. If the device identification information is determined to be accurate at block 1004, the method 1000 proceeds to block 1006. In the event that the device identification information is determined to be inaccurate, a user at the client system 500 may be provided with instructions on manually reconciling the issue.
[0072] At block 1006, the method 1000 continues with the client system 500 sending to the server system a client key and enrollment client identification data, where the enrollment client identification data includes a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system 500 and includes device identification information associated with the client system 500. As described herein, the cryptoprocessor of the client system 500 may or may not be separate from the processor 504 of the client system 500. At block 1008, the method 1000 continues with the client system 500 receiving from the server system the manufacturer-signed digital certificate requested at block 1002.
[0073] FIG. 11 illustrates an example method 1100 performed by an example server system to facilitate generation of a manufacturer-signed digital certificate. Although execution of the method 1100 is described below with reference to the server system 104 of FIG. 1, execution of the method 1100 by other suitable systems or devices may be possible. The method 1100 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry. For some examples, the method 1100 is performed by the server system 104 after a client system requests a manufacturer-signed digital certificate.
[0074] In FIG. 11, the method 1100 begins at block 1102, with the server system 104 obtaining client data from a client system (e.g., the client system 102). As described herein, the client data may be obtained from the client system, and may be provided by the client system as part of its request for a manufacturer-signed digital certificate. In some examples, the server system 104 obtains the client data after the server system requests the client data from the client system. As noted herein, the client data may include enrollment client identification data and a client key, and the client data may be encrypted before being provided to the server system 104. At block 1104, the method 1100 continues with the server system 104 determining authorization of the client system to receive a manufacturer-signed digital certificate based on the enrollment client identification data included in the client data obtained at block 1102. At block 1106, the method 1100 continues with the server system 104 generating the manufacturer-signed digital certificate based on the client data obtained at block 1102.
[0075] FIG. 12 illustrates an example method 1200 performed by an example server system to facilitate generation of a manufacturer-signed digital certificate. Although execution of the method 1200 is described below with reference to the server system 200 of FIG. 2, execution of the method 1200 by other suitable systems or devices may be possible. The method 1200 may be implemented in the form of executable instructions stored on a computer-readable medium or in the form of electronic circuitry. For some examples, the method 1200 is performed by the server system 200 after a client system requests a manufacturer-signed digital certificate.
[0076] In FIG. 12, the method 1200 begins at block 1202, with the server system 200 receiving a request from a client system (e.g., the client system 102) for a manufacturer-signed digital certificate. At block 1204, the method 1200 continues with the server system 200 obtaining client data from the client system. At block 1206, the method 1200 continues with the server system 200 decrypting encrypted enrollment client identification data included in the client data obtained at block 1204. At block 1208, the method 1200 continues with the server system 200 determining, based on the enrollment client identification data produced at block 1206, whether the client system is authorized to receive a manufacturer-signed digital certificate. If the client system is determined to be authorized to receive the manufacturer-signed digital certificate, the method continues to block 1210.
[0077] At block 1210, the method 1200 continues with the server system 200 generating a cleartext manufacturer-signed digital certificate based on the client data obtained at block 1204. At block 1212, the method 1200 continues with the server system 200 encrypting the manufacturer-signed digital certificate generated at block 1210. At block 1214, the method 1200 continues with the server system 200 sending the encrypted manufacturer-signed digital certificate, generated at block 1212, to the client system.
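The server side of method 1200 from block 1208 through block 1210, as an added Go example that is not code from the patent or from Hewlett Packard Enterprise: the authorization check of the enrollment data against the pre-enrollment record, issuance of an X.509 certificate over the client key signed by a manufacturer CA, and the check a relying party runs on the received certificate to confirm it chains to the manufacturer. It assumes the client key is the public key to be certified and that the manufacturer signs with an ordinary X.509 CA key pair; NewManufacturerCA, NewClientKey, the "Example Manufacturer" names and the EK certificate bytes are constructed stand-ins, and the encryption of the certificate at block 1212 is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientIdentification is the cleartext identification data of claims 5 and 6: the
// cryptoprocessor (EK) certificate plus separate device identification information.
type ClientIdentification struct {
	EKCertificate []byte
	DeviceID      string
}

// template builds an X.509 template with a random 128-bit serial; the CA variant gets
// certSign, the device variant clientAuth.
func template(cn string, isCA bool, years int) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Manufacturer"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t, nil
}

// NewManufacturerCA creates a self-signed manufacturer CA for the demonstration (an
// assumption: the page does not say how the manufacturer's signing key is provisioned or stored).
func NewManufacturerCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl, err := template("Example Manufacturer Device CA", true, 10)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewClientKey stands in for the key pair the client's cryptoprocessor would hold.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Authorized implements block 1208: the enrollment data must equal the pre-enrollment record
// made before the device left the factory; constant-time compares avoid a timing oracle.
func Authorized(enrollment, preEnrollment ClientIdentification) bool {
	ek := subtle.ConstantTimeCompare(enrollment.EKCertificate, preEnrollment.EKCertificate)
	id := subtle.ConstantTimeCompare([]byte(enrollment.DeviceID), []byte(preEnrollment.DeviceID))
	return ek == 1 && id == 1
}

// EnrollClient is the server side of blocks 1208 and 1210: authorize, then issue a cleartext
// certificate over the client's public key, naming the device and signed by the manufacturer.
func EnrollClient(caCert *x509.Certificate, caKey *rsa.PrivateKey, enrollment, preEnrollment ClientIdentification, clientPub crypto.PublicKey) ([]byte, error) {
	if !Authorized(enrollment, preEnrollment) {
		return nil, fmt.Errorf("device %q: enrollment data does not match pre-enrollment record", enrollment.DeviceID)
	}
	tmpl, err := template(enrollment.DeviceID, false, 5)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, clientPub, caKey)
}

// VerifyManufacturerSigned is the relying-party check on the installed certificate: parse
// it and confirm its signature really comes from the manufacturer CA. Returns the subject CN.
func VerifyManufacturerSigned(der []byte, caCert *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

The authorization step compares both parts of the identification data, so a request that presents a genuine EK certificate under a different device serial is refused as well as one with a forged EK certificate; the issued certificate carries only the device identity and the client's public key, never the EK certificate or the pre-enrollment record itself.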
[0078] In the foregoing description, numerous details are set forth to provide an understanding of the subject disclosed herein. However, implementations may be practiced without some or all of these details. Other implementations may include modifications and variations from the details discussed above. It is intended that the appended claims cover such modifications and variations.

Claims

1. A server system, comprising:
a client-data acquisition module to obtain, from a client system, a client key and enrollment client identification data associated with the client system; an authorization module to determine whether the client system is authorized to receive a manufacturer-signed digital certificate for identifying the client system, wherein determining whether the client system is authorized to receive the manufacturer-signed digital certificate comprises determining whether the enrollment client identification data matches pre-enrollment client identification data associated with the client system; and
a certificate generation module to generate the manufacturer-signed digital certificate based on the client key if the client system is determined to be authorized to receive the manufacturer-signed digital certificate.
2. The server system of claim 1, comprising an encryption module to encrypt the manufacturer-signed digital certificate by a cleartext server random session key to produce an encrypted manufacturer-signed digital certificate, and to encrypt the cleartext server random session key to produce an encrypted server random session key.
3. The server system of claim 2, wherein the cleartext server random session key is encrypted by a key included in a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system.
4. The server system of claim 1, wherein determining whether the client system is authorized to receive the manufacturer-signed digital certificate comprises verifying, based on historical customer order data, whether customer order data provided by the client system indicates an authorized chain of custody for the client system.
5. The server system of claim 1 , wherein the enrollment client identification data comprises a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system.
6. The server system of claim 5, wherein the enrollment client identification data comprises device identification information associated with the client system and separate from the cryptoprocessor-associated digital certificate.
7. The server system of claim 1, wherein the enrollment client identification data is in cleartext and obtained from the client system through an enrollment data package comprising an encrypted client random key and encrypted enrollment client identification data, and wherein the server system comprises a decryption module to decrypt the encrypted client random key to produce a cleartext client random key and to decrypt the encrypted enrollment client identification data by the cleartext client random key to produce the enrollment client identification data.
8. A method, comprising:
generating, at a client system, encrypted pre-enrollment client identification data associated with the client system by encrypting cleartext pre-enrollment client identification data by a cleartext client random key, wherein the cleartext pre-enrollment client identification data comprises a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system;
encrypting the cleartext client random key to produce an encrypted client random key; and
combining the encrypted pre-enrollment client identification data with the encrypted client random key to produce a pre-enrollment data package associated with the client system.
9. The method of claim 8, wherein the cryptoprocessor-associated digital certificate is a Trusted Platform Module (TPM) Endorsement Key (EK) certificate.
10. The method of claim 8, wherein the cleartext pre-enrollment client identification data comprises device identification information associated with the client system and separate from the cryptoprocessor-associated digital certificate.
11. The method of claim 8, comprising storing the pre-enrollment data package on a datastore remote from the client system.
12. A non-transitory computer readable medium having instructions stored thereon, the instructions being executable by a processor of a client system, the instructions causing the processor to:
request, from a server system, a manufacturer-signed digital certificate for identifying the client system;
send, to the server system, enrollment client identification data and a client key to the server system, wherein the enrollment client identification data comprises a cryptoprocessor-associated digital certificate associated with a cryptoprocessor of the client system; and
in response to sending the enrollment client identification data and the client key, receive the manufacturer-signed digital certificate from the server system, wherein the manufacturer-signed digital certificate is generated based on the client key.
13. The non-transitory computer readable medium of claim 12, wherein the cryptoprocessor-associated digital certificate is a Trusted Platform Module (TPM) Endorsement Key (EK) certificate.
14. The non-transitory computer readable medium of claim 12, wherein the enrollment client identification data comprises device identification information associated with the client system, and the instructions cause the processor to determine, based on confirmation from a user at the client system, whether the device identification information is accurate, wherein at least the enrollment client identification data is sent to the server system only if the device identification information is determined to be accurate.
15. The non-transitory computer readable medium of claim 12, wherein the instructions cause the processor to:
obtain user-entered customer order information associated with the client system; send the user-entered customer order information to the server system for verification; and
in response to sending the user-entered customer order information, receive from the server system a request for the enrollment client identification data and the client key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2015/018178 WO2016137517A1 (en) 2015-02-27 2015-02-27 Manufacturer-signed digital certificate for identifying a client system

Publications (1)

Publication Number Publication Date
WO2016137517A1 true WO2016137517A1 (en) 2016-09-01

Family

ID=56789630

Country Status (1)

Country Link
WO (1) WO2016137517A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6321339B1 (en) * 1998-05-21 2001-11-20 Equifax Inc. System and method for authentication of network users and issuing a digital certificate
US20040268142A1 (en) * 2003-06-30 2004-12-30 Nokia, Inc. Method of implementing secure access
US20140075185A1 (en) * 2012-09-10 2014-03-13 Microsoft Corporation Securely handling server certificate errors in synchronization communication
WO2014193181A1 (en) * 2013-05-30 2014-12-04 삼성전자 주식회사 Method and apparatus for installing profile

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DAVID GALINDO ET AL.: "On the Generic Construction of Identity-Based Signatures with Additional Properties", ADVANCES IN CRYPTOLOGY ASIACRYPT 2006, 3 December 2006 (2006-12-03), pages 178 - 193 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111523862A (en) * 2020-04-27 2020-08-11 广东电网有限责任公司培训与评价中心 Method for acquiring talent data and related equipment
CN111523862B (en) * 2020-04-27 2024-02-23 广东电网有限责任公司培训与评价中心 Method and related equipment for acquiring talent data
CN112926095A (en) * 2021-01-20 2021-06-08 厦门海西医药交易中心有限公司 Digital certificate handling method, system, mobile terminal and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15883608; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15883608; Country of ref document: EP; Kind code of ref document: A1)