TW200841206A - Method and system for secure external TPM password generation and use - Google Patents


Info

Publication number
TW200841206A
Authority
TW
Taiwan
Prior art keywords
security
storage device
access code
trusted platform
secure
Application number
TW96145754A
Other languages
Chinese (zh)
Inventor
Kerry D Maletsky
Nathanael J Bohlmann
Original Assignee
Atmel Corp
Priority claimed from US11/633,045 external-priority patent/US7849312B2/en
Application filed by Atmel Corp
Publication of TW200841206A


Abstract

Aspects of the present invention include a method and system for generating a secure access code at a remote device in communication with a computer system having a secure storage device; conveying the secure access code to the system's secure storage device; receiving the secure access code, with unique data characteristics associated with the remote device, at the system's secure storage device; and securely providing content to the remote device.

Description

IX. Description of the invention:

[Technical field to which the invention pertains]

The present invention relates to security methodologies and operations for securing the operation of personal computers (PCs) and their associated peripherals, and more particularly to the generation and use, during normal operation, of a security password for a Trusted Platform Module (TPM)-based system, such as between a PC and its remote devices.

[Prior art]

It is widely known that passwords, key codes and other basically secret-based means of access used with PCs and PC-based systems are vulnerable to physical and sometimes logical attack. Inadequate security solutions have so far often been tolerated, because the perceived risk was low and the proposed solutions were complex and interfered with ease of use. However, whether a password chosen by a user is oversimplified (for example, a date of birth) and therefore easily guessed, or the user's system contains malicious software unknown to the user, so that even a more secure, high-entropy password used by that user is equally exposed to attack, secure access to systems in today's environment is genuinely high-risk.

Conventional security mechanisms such as secret keys, digital certificates and firewalls have proven less secure than originally believed, because most of these mechanisms store the security information (usually a key) on an unprotected hard drive and/or in unprotected memory. As a result, these conventional mechanisms can be targeted by unauthorized users because of their vulnerability.

Software attacks, virus applications, password theft and targeted phishing attempts frequently cause users to unintentionally hand over their security information (such as passwords and other access data) from systems they previously assumed to be well protected. Similarly, unauthorized changes to platforms are steadily increasing, which allows access to and misuse of system components and their contents. In addition, even when the same computer is used in the same location and the same user's habits do not change, that user's risk profile can easily change from day to day without any predictability. In today's environment, whether at the system, at a peripheral device, remotely or elsewhere, both single-factor (e.g. a password) and two-factor (e.g. user name and password) identity and security mechanisms have proven inadequate.

The following has also become a recent goal of some semiconductor manufacturers: pursuing the development of specifications for an architecture of trusted computing and security technology spanning multiple platforms, peripherals and related components. Atmel, along with other companies, pursues the development of Trusted Platform Modules conforming to the open industry-standard specifications published by the non-profit Trusted Computing Group (TCG). One goal of these standards is to increase security protection and reduce the vulnerability faced by hardware and software systems, particularly because such systems frequently face malicious or unintentional corruption or attack. Functionally, by way of example, these standards provide: (1) asymmetric functions for on-chip key pair generation, which use a hardware random number generator together with signing and decryption operations; (2) secure storage of "hash" values representing platform configuration information in the Platform Control Registers (PCRs); (3) an Endorsement Key that an owner can use to anonymously establish identity keys in a TPM without identifying which TPM generated the identity key; and (4) initialization and management functions that allow an owner to take system control distinct from that of the user.

One result of these efforts is that TPMs have been developed and incorporated into product offerings that implement these standards. For example, a TPM can be a silicon-based component attached to a device that can store digital keys, certificates and passwords. As another example, a TPM can also be a secure storage chip for unique public key infrastructure (PKI) key pairs and certificates, and it is often attached to the motherboard of a PC. Each TPM chip is usually regarded as a fixed token that can be used to enhance user authentication, data, communication and platform security, because the information it contains is better protected against external software attacks. Typically, users are authenticated through cryptographic operations using keys or identities (IDs) stored in the TPM. The TPM is designed to be more resistant to logical and physical attacks.

Atmel produces a wide variety of products containing security processors, which protect user privacy by providing tamper-resistant storage and management of end-user identities, passwords and encryption keys. TPM chips use standard software interfaces and frequently operate together with other security methodologies to improve interoperability across multiple platforms.

However, even within this environment, ensuring the physical and logical security of codes and access has its challenges. Although the platform has a TPM in which it may be determined and verified whether trusted-state configuration parameters have been corrupted, activities external to the TPM, such as authorizing the initialization or use of a key stored in the TPM, still require external input and thereby create an opportunity for malicious behavior and risk exposure.

Typically, codes and secrets are at risk of unintentional or malicious detection at their origin, whether they are a password created by a user of the system or an access code supplied by a third party in that environment. Consequently, the need to reduce the risk of exposing the user's security and integrity, while still allowing the user to make good use of a reasonable access methodology, remains a consideration. Further contributions in this technical field therefore continue to be needed.

Accordingly, what is needed is a robust system with remote devices that reduces the risk of security exposure and integrity compromise of the user's system while permitting the user to make good use of a reasonable access methodology, and that, for the generation and use of secure access, handles codes and secrets so as not to permit their unintentional or malicious detection at their point of origin or thereafter during transport within the system. The present invention addresses this need.

[Summary of the invention]

A method and system for secure external TPM password generation and use are disclosed. The method and system include generating a secure access code at a remote device in communication with a computer system having a secure storage device, which may be a TPM; conveying the secure access code to the system's secure storage device; receiving at the system's secure storage device the secure access code with unique data characteristics associated with the remote device; and securely providing content to the remote device.

Another embodiment of the present invention provides a technique that uses a security methodology to ensure that a password has been generated at a remote location and is thereafter used securely during operation of a system having a TPM.

Other embodiments include unique apparatus, devices, systems and methods involving the secure generation and use of a secure access code in a system capable of communicating with remote devices.

From the detailed description and drawings contained herein, other embodiments, forms, objects, features, advantages, aspects and benefits of the present application will become apparent.

[Detailed description]

The present invention relates to security methodologies and operations for securing the operation of personal computers (PCs) and their associated peripherals, and more particularly to the generation and use, during normal operation, of a security password for a TPM-based system, such as between a PC and its remote devices. The following description is presented to enable those skilled in the art to make and use the invention, and is provided in the context of a patent application and its requirements. Various modifications to the preferred embodiments, and the general principles and features described herein, will be readily apparent to those skilled in the art. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features described herein.

One embodiment of the present invention includes a method comprising generating a secure access code at a remote device in communication with a computer system having a secure storage device, which may be a TPM; conveying the secure access code to the system's secure storage device; receiving at the system's secure storage device the secure access code with unique data characteristics associated with the remote device; and securely providing content to the remote device.

Another embodiment of the present invention includes a TPM-based computer system comprising one or more central processing units (CPUs) connected to one or more internal system buses, with random access memory (RAM), read-only memory, and at least one input/output adapter supporting various I/O devices, a user interface adapter, and means for generating a secure access code at a remote device in communication with a system having a secure storage device; conveying the secure access code to the system's secure storage device; receiving at the system's secure storage device the secure access code with unique data characteristics associated with the remote device; and securely providing content to the remote device.

Figure 1 represents a typical computer architecture in which data processing according to the present invention may be implemented. Data processing system 120 contains one or more central processing units (CPUs) 122 connected to internal system bus 123. System bus 123 also interconnects random access memory (RAM) 124, read-only memory 126 and input/output adapter 128, which supports various I/O devices such as printer 130, disk unit 132, or other devices (not shown) including but not limited to biometric devices, audio output systems and the like. System bus 123 also connects communication adapter 134, which provides access to communication link 136. User interface adapter 148 connects various user devices such as keyboard 140 and mouse 142, or other devices not shown such as a touch screen, stylus or microphone. Display adapter 144 connects system bus 123 to display device 146.

Although Figure 1 is a typical configuration, those skilled in the art will understand that the hardware and functionality described herein may vary depending on the system embodiment. For example, the system may have one or more processors, one or more remote devices, and one or more types of volatile and non-volatile memory. Other peripheral devices may be used in addition to or in place of the hardware shown in the figure. The illustrated example is not meant to imply architectural limitations with respect to the present invention.

Figure 2 represents a typical reference architecture 200 of a data processing system in a configuration different from that of Figure 1, with trusted building block (TBB) components 210 in which a trusted platform architecture 200 of the present invention may be implemented. Referring to Figure 2, a CPU 202 is coupled via a bus 204 to a first group of TBB components 210a. The first group of TBB components 210a comprises RAM 206, a controller 208 and a display 212. The first group of TBB components 210a is further coupled to a second group of trusted building blocks 210b. The second group of trusted building blocks 210b comprises boot ROM 214, Trusted Platform Module (TPM) 220, one or more embedded devices 216, and one or more removable devices 218. Removable device 218 is coupled to a keyboard 222.

Roots of trust are components in a computer system that must be "trusted" or have extreme integrity, because there are only limited checks on these components to identify malicious or similar activity. According to the TCG: "A complete set of Roots of Trust has at least the minimum set of functions to enable a description of the platform characteristics that affect the trustworthiness of the platform. There are commonly three Roots of Trust in a trusted platform; a root of trust for measurement (RTM), a root of trust for storage (RTS) and a root of trust for reporting (RTR). [...] Typically the normal platform computing engine is controlled by the core root of trust for measurement (CRTM). The CRTM is the instructions executed by the platform when it acts as the RTM" (TCG Specification, Revision 1.2, April 28, 2004, the page number being illegible in the source; the specification is incorporated herein by reference). The RTS is a computing engine capable of maintaining an accurate summary of the values of integrity digests and of the sequence of those digests. The RTR is a computing engine capable of reliably reporting the information held by the RTS. The reference architecture also shows TPM 220, which communicates interoperably with functions usually associated with, or co-resident on, a motherboard.

Figure 3 shows the building blocks 310 to 399 of a TPM 300, such as the TPM of Figure 2 (Figure 2, 220), which supports RTS functionality. Input/output block 310 provides the flow of information over communication bus 320 and performs the protocol encoding/decoding appropriate for communicating over external and internal buses. Non-volatile storage block 330 is used to store the Endorsement Key (EK), the Storage Root Key (SRK) and owner authorization data, and persistent flags may be implemented in it. Attestation Identity Key (AIK) block 335 is stored as a blob in persistent external storage outside the TPM 300. Program code block 340 is typically used to measure the firmware of platform devices and is logically the CRTM. Random number generator (RNG) block 345 is preferably a true random bit generator used as the seed for random number generation (RNG), which can be used for generating keys, passwords, codes or other similar access identifiers, for creating nonces, and for strengthening passphrase entropy. SHA-1 engine block 350 produces digests. RSA key generation block 353 standardizes the associated algorithm used for the associated operations of the TPM 300. RSA engine block 355 is used for signing with signing keys, for encryption and decryption with storage keys, and for decryption with the EK. Opt-In block 360 is the activation or deactivation state of a disabled or fully enabled TPM 300. Execution engine block 370 runs program code and, through the TPM 300, performs initialization and measurement storage.

Typically, for a TPM, an associated Protected Storage Command (PSC) of the TPM RTS component is TPM_CreateWrapKey. The TPM_CreateWrapKey command typically uses a public-key cipher to prepare a unique key for private-key operations at the TPM endpoint. The TPM_CreateWrapKey command generates an RSA key and attaches the authorization secret to that RSA key. Because the authorization secret is passed to the TPM for the TPM_CreateWrapKey command, the entry and execution of the authorization input protocol at the local system usually requires the use of unsecured software, thereby making the system vulnerable. The present invention overcomes the limitations of this situation.

Figure 4 shows a TPM-based system 400 including remote-device capability 420 according to a preferred embodiment of the present invention. In system 400, a TPM-based computing device is interoperably interconnected and can communicate directly or indirectly with a security generator 420 via a bus 440. The bus 440 may be, for example, a less secure channel such as a CPC bus, an SPC bus, a USB bus or another I/O protocol. The security generator 420 is also interoperably interconnected and can communicate directly (450) with a remote input receiving device such as, but not limited to, a biometric device like block 460. The input receiving device does not communicate with any party external or third to the system. The security generator can be a chip, chipset, remote device, cryptographic processor, smart card or other secure-code-generating component.

In operation, the invention can securely generate an access code (that is, a password, authorization secret or the like) in the remote device and securely convey that access code to the system's TPM. TPM keys require usage authorization information attached to them for their associated use. Such usage authorization information is generated by the security generator and conveyed to the TPM when the key is generated. Once generated, the security generator can also be used to securely authenticate subsequent uses of the key, because both the security generator and the TPM recognize a common access code or secret. Preferably, the user does not know this access code, which ensures its security.

In various embodiments, the invention uses a Common Authorization Secret (CAS) between the keys, or a data element associated with both the TPM and the security generator. The security generator manager generates a Storage Root Key (SRK) for the security generator. The security generator user generates an identity profile (also called a parent template) associated with the remote input receiving device and attached to that SRK. The user attaches the identity CAS to that profile. The owner generates the TPM SRK. The TPM user generates a User Parent Key (UPK) attached to the TPM SRK, whose authorization secret may be the CAS. In a preferred embodiment, the system's security generator SRK and TPM SRK are set at the time of initial purchase, although this is not required by the invention.

The user then initiates the input of unique data into the remote device; the resulting identity profile is encrypted, transmitted to the system, and also loaded into the input receiving device. A component at or from the device prompts the user for, or acquires, the input of unique data associated with the user's characteristics. Once the remote input receiving device has acquired and authenticated that unique data, it generates the shared OSAP secret from the identity profile using the two OSAP nonces previously stored for transmission and subsequently transmitted to the remote input receiving device.

Once the CAS has been obtained, the remote input receiving device generates a Random Authorization Secret (RAS). A command is sent to the remote input receiving device to decrypt a given identity profile, attach the RAS to that profile (the new identity profile mentioned above), and re-encrypt the updated identity profile. The command also encrypts the RAS with the shared OSAP secret using the TPM encrypted authorization protocol and transmits the encrypted information to the system. In a preferred embodiment, the system can then load the updated identity profile into the remote input receiving device for later use.

Having received the encrypted information from the remote input receiving device, the system passes that information to the TPM as part of the TPM_CreateWrapKey command. The TPM then generates a unique RSA key having the RAS as its authentication secret. In a preferred embodiment, the TPM can then load that key into the TPM for later use.

In a preferred embodiment, the security generator is a security chip or a security processing unit configured and arranged in association with the remote device. In another preferred embodiment, the remote device is an input-centric device capable of receiving as input data on uniquely identifying characteristics, such as but not limited to biometric features, of a user of the system. Other examples include, but likewise are not limited to: smart cards, USB flash drives with a security engine, biometric processors, and software and hardware combinations operating on a remote server.

Example of the invention in a preferred configuration

For example, in a particularly preferred configuration, a Secure Fingerprint Processing Unit (SFPU) is interoperably interconnected and capable of communicating directly with a biometric device that can receive a user's unique fingerprint features. In this preferred configuration, a common access secret (CAS, also called the ParentPassword) between the TPM and the SFPU is used for the initial and all subsequent uses, so that the generated TPM key set and SFPU template set each share a unique Random Access Secret (RAS). Figure 5 shows a particularly preferred configuration procedure 500 of the invention for generating and using a common shared secret.

At 502 the SFPU manager generates the SFPU SRK. Then at 504 the user enters fingerprint data by swiping a finger on the SFPU. At 506 the SFPU extracts fingerprint feature data (for example, minutiae). At 508 a new biometric template (also called a parent template) is generated from the minutiae using a command such as SFPU_GetMinutiae. At 517 the ParentPassword is attached to it using a command such as SFPU_GenerateTemplate, and this new template is encrypted with the parent key, the SFPU SRK, and transmitted to the system.

At 506 the TPM owner generates the TPM SRK. At 508 the user generates a User Parent Key (UPK) attached to that SRK, where the authorization secret of the UPK is the same ParentPassword (as attached to the parent template in the SFPU). Preferably, but not necessarily, the ParentPassword of all components of the system is set at the time of initial system acquisition.

Then at 511 the user enters fingerprint data by swiping a finger on the SFPU. At 513 the SFPU extracts fingerprint feature data (for example, minutiae). At 515 a new biometric template (also called a child template) is generated from the minutiae using a command such as SFPU_GetMinutiae. At 517 this new biometric template is encrypted with the parent key, the SFPU SRK, and transmitted to the system using a command such as SFPU_GenerateTemplate.

Although in this embodiment the parent and child templates are encrypted with the SFPU SRK, those skilled in the art understand that any other SFPU key could be used to encrypt these templates, within the spirit and scope of the invention. Likewise, although the parent and child keys are encrypted with the TPM SRK, any other key could be used to encrypt those keys.

Then at 521 the user uses the command TPM_OSAP to start the parent key OSAP session at the TPM, and then stores the two OSAP nonces associated with the generation of the shared OSAP secret, for transmission to the SFPU in a subsequent step 523.

The SFPU must first generate the same shared OSAP secret as the TPM, which requires knowledge of the ParentPassword. At 531 the SFPU obtains the ParentPassword from the parent template by first instructing the user, using a command such as SFPU_GetMinutiae, to swipe a finger on the SFPU. Depending on which finger the user uses, a variation may arise in the access associated with the identified authentication profile (parent or child).

Once the SFPU has acquired the (parent) fingerprint data, at 533 it uses a command such as SFPU_OSAPStart to authenticate that data, to generate the shared OSAP secret from the ParentPassword stored in the parent template and the two parent OSAP nonces transmitted to the SFPU, and to store that data.

In one embodiment the RAS is then generated and retained internally for later use. Although in this embodiment the RAS is generated at this point, those skilled in the art understand that the RAS can be generated at various points in the procedure, within the spirit and scope of the invention.

Since the encrypted child template is still in the system, at 541 a command such as SFPU_ChangeTemplateRandom is sent to the SFPU to (1) decrypt the template, (2) attach the RAS to it, and (3) re-encrypt the template. At 543 the command also encrypts the RAS with the shared OSAP secret and transmits it, together with the encrypted template, to the system. In a preferred embodiment, the system can then load the new child template into the SFPU for later use.

Having received the encrypted RAS from the SFPU, at 551 the system transmits that information to the TPM as part of the TPM_CreateWrapKey command. One result of this command is that the TPM generates a new child key containing the RAS as its authentication value. In a preferred embodiment, the TPM can then load the key created by this command into the TPM for later use.

In another preferred embodiment of the above configuration, in which the user wishes to sign an e-mail with the operational key generated above, the invention will:

1. have the system request, using a command such as SFPU_GetMinutiae, that the user swipe the finger of the child template;
2. generate the TPM's TPM_Sign command via the system;
3. transmit the command data to the SFPU, which compares the fingerprint data as authentication and, if it matches, uses a command such as SFPU_AuthorizeTPM to produce a TPM authentication digest based on the information in the child template;
4. append that digest to the TPM_Sign command; and,
The system has received the encrypted RAS from the SFPU, and the information is transmitted to the trusted platform module at 551 as part of the trusted platform module - the CreaeWrapKey command. One result of this command is that the trusted platform module will generate a new child ® key containing the RAS as the authentication value. In a preferred embodiment, the trusted platform module can then load the key established by the command into the trusted platform module for later use. In another preferred embodiment of one of the above configurations, wherein the user wishes to sign an email using the operational key generated above, the present invention will: 1. The system utilizes the command 8??11-〇61!^111 A command of ^36 requests the user to wipe the finger of the template; 125896.doc -19- 200841206 2, through the system to generate the trusted platform module of the trusted platform module - Sign command; Transmitting to the SFPU, comparing the fingerprint data for authentication, and if yes, generating a trusted platform module authentication extract by using a command such as the SFPU-Authorize Trusted Platform Module based on the information in the child template; 4. Attach the excerpt to the trusted platform module - with the command; and,

5. The TPM_Sign command with the digest appended, together with the digest of the e-mail, is sent to the trusted platform module for signature generation.

The present invention comprises a unique technique that generates a security code in a remote device of a system and securely conveys that security code to the trusted platform module, without exposing the security code to software attacks or malicious software during normal operation.

Many other embodiments of the present invention are also contemplated. For example, in other embodiments the invention may be applied directly to other trusted platform module entities, such as owner authorization, delegated owner authorization, key migration authorization, and authorization of sealed elements.
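The Figure 5 provisioning exchange (steps 521 to 551) and the five signing steps above, modelled end to end in one runnable script. This is an added example written for this page, not Atmel's SFPU or TPM firmware. Where the page leaves the arithmetic unstated it follows the TPM 1.2 constructions: the OSAP shared secret is HMAC-SHA1 keyed with the parent key's 20-byte authorization value over nonceEvenOSAP || nonceOddOSAP; TPM_CreateWrapKey receives the new key's usageAuth XORed with SHA-1(sharedSecret || nonceEven); and an authorized command such as TPM_Sign carries HMAC-SHA1(usageAuth, inParamDigest || nonceEven || nonceOdd || continueAuthSession). Everything else is a simplification of this example: deriving the 20-byte authorization value as SHA-1 of the parentPassword, keeping templates unencrypted, the class and function names, and replacing the RSA signature with a hash tag. The SFPU command names in the comments are the page's own.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example (not from the patent).
PARENT_PASSWORD = b"example-parentPassword"  # the CAS shared at provisioning
CONTINUE_AUTH_SESSION = b"\x00"               # TPM 1.2 continueAuthSession = FALSE
TPM_ORD_SIGN = (0x3C).to_bytes(4, "big")      # TPM 1.2 ordinal of TPM_Sign

def osap_shared_secret(auth: bytes, nonce_even_osap: bytes, nonce_odd_osap: bytes) -> bytes:
    """TPM 1.2 OSAP: sharedSecret = HMAC-SHA1(authData, nonceEvenOSAP || nonceOddOSAP)."""
    return hmac.new(auth, nonce_even_osap + nonce_odd_osap, hashlib.sha1).digest()

def adip_xor(shared_secret: bytes, nonce_even: bytes, value: bytes) -> bytes:
    """ADIP for TPM_CreateWrapKey: encAuth = auth XOR SHA-1(sharedSecret || nonceEven)."""
    pad = hashlib.sha1(shared_secret + nonce_even).digest()
    return bytes(a ^ b for a, b in zip(value, pad))  # XOR is its own inverse

def auth_hmac(auth_key: bytes, in_param_digest: bytes, nonce_even: bytes, nonce_odd: bytes) -> bytes:
    """Authorization digest of an authorized TPM 1.2 command."""
    msg = in_param_digest + nonce_even + nonce_odd + CONTINUE_AUTH_SESSION
    return hmac.new(auth_key, msg, hashlib.sha1).digest()

class Tpm:
    """Minimal TPM model: parent-key authData, OSAP session, child key, TPM_Sign."""
    def __init__(self, parent_auth: bytes):
        self.parent_auth, self.sessions, self.keys, self.oiap_nonce_even = parent_auth, {}, {}, b""

    def osap(self, nonce_odd_osap: bytes):
        # TPM_OSAP (step 521): TPM supplies nonceEvenOSAP and the session's first nonceEven
        handle, nonce_even_osap, nonce_even = (secrets.token_bytes(n) for n in (4, 20, 20))
        self.sessions[handle] = (osap_shared_secret(self.parent_auth, nonce_even_osap, nonce_odd_osap), nonce_even)
        return handle, nonce_even_osap, nonce_even

    def create_wrap_key(self, handle: bytes, enc_usage_auth: bytes) -> bytes:
        # TPM_CreateWrapKey (step 551): the child key's usageAuth is the decrypted RAS
        shared, nonce_even = self.sessions.pop(handle)
        key_handle = secrets.token_bytes(4)
        self.keys[key_handle] = adip_xor(shared, nonce_even, enc_usage_auth)
        return key_handle

    def start_oiap(self) -> bytes:
        # TPM_OIAP: fresh nonceEven for the signing session, so an old digest cannot be replayed
        self.oiap_nonce_even = secrets.token_bytes(20)
        return self.oiap_nonce_even

    def sign(self, key_handle: bytes, nonce_odd: bytes, message_digest: bytes, auth_digest: bytes):
        # TPM_Sign: recompute the HMAC with the stored usageAuth; reject on mismatch (TPM_AUTHFAIL)
        in_param_digest = hashlib.sha1(TPM_ORD_SIGN + message_digest).digest()
        expected = auth_hmac(self.keys[key_handle], in_param_digest, self.oiap_nonce_even, nonce_odd)
        if not hmac.compare_digest(expected, auth_digest):
            return None
        return hashlib.sha1(b"signature-tag" + key_handle + message_digest).digest()  # stands in for RSA

class Sfpu:
    """Minimal SFPU model: parent template holds the parentPassword, child template the RAS."""
    def __init__(self, parent_auth: bytes):
        self.parent_template = {"auth": parent_auth}  # templates kept in the clear here for brevity
        self.child_template, self.shared = {}, b""

    def osap_start(self, nonce_even_osap: bytes, nonce_odd_osap: bytes) -> None:
        # SFPU_OSAPStart (step 533): same derivation as the TPM, from the parent template
        self.shared = osap_shared_secret(self.parent_template["auth"], nonce_even_osap, nonce_odd_osap)

    def change_template_random(self, nonce_even: bytes) -> bytes:
        # SFPU_ChangeTemplateRandom (541/543): mint the RAS, bind it to the child template,
        # and hand the host only its ADIP-encrypted form
        ras = secrets.token_bytes(20)
        self.child_template["auth"] = ras
        return adip_xor(self.shared, nonce_even, ras)

    def authorize_tpm(self, nonce_even: bytes, nonce_odd: bytes, message_digest: bytes) -> bytes:
        # SFPU_AuthorizeTPM (signing step 3): HMAC keyed with the RAS held in the child template
        in_param_digest = hashlib.sha1(TPM_ORD_SIGN + message_digest).digest()
        return auth_hmac(self.child_template["auth"], in_param_digest, nonce_even, nonce_odd)

def provision(sfpu_password: bytes = PARENT_PASSWORD):
    """Steps 521-551 as an exchange; returns (tpm, sfpu, child key handle, host transcript)."""
    # Assumption: the 20-byte authData is SHA-1 of the parentPassword on both devices
    tpm, sfpu = Tpm(hashlib.sha1(PARENT_PASSWORD).digest()), Sfpu(hashlib.sha1(sfpu_password).digest())
    transcript = []  # everything the (untrusted) host relays or can observe
    nonce_odd_osap = secrets.token_bytes(20)
    handle, nonce_even_osap, nonce_even = tpm.osap(nonce_odd_osap)    # 521
    transcript += [nonce_odd_osap, nonce_even_osap, nonce_even]       # 523
    sfpu.osap_start(nonce_even_osap, nonce_odd_osap)                  # 533
    enc_ras = sfpu.change_template_random(nonce_even)                 # 541/543
    transcript.append(enc_ras)
    key_handle = tpm.create_wrap_key(handle, enc_ras)                 # 551
    return tpm, sfpu, key_handle, transcript

def sign_email(tpm: Tpm, sfpu: Sfpu, key_handle: bytes, message: bytes, tamper: bool = False):
    """Signing steps 2-5; `tamper` swaps the digest after the SFPU has authorized it."""
    message_digest = hashlib.sha1(message).digest()
    nonce_even, nonce_odd = tpm.start_oiap(), secrets.token_bytes(20)
    auth_digest = sfpu.authorize_tpm(nonce_even, nonce_odd, message_digest)
    if tamper:
        message_digest = hashlib.sha1(message + b"-altered").digest()
    return tpm.sign(key_handle, nonce_odd, message_digest, auth_digest)
```

The transcript returned by provision() is what a compromised host would see: the OSAP nonces, the encrypted RAS and later the authorization HMACs, but never the RAS itself, which is the page's point about not exposing the code to software attacks. Two failure modes are visible in the same model: an SFPU provisioned with a different parentPassword derives a different shared secret, so the TPM unwraps a different usageAuth and every later TPM_Sign fails; and a host that alters the command after the SFPU produced the digest is rejected because the digest covers inParamDigest.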
As used herein, terms such as personal computer, PC, system and similar terms are intended to be used interchangeably, without distinction or limitation. Such systems may include, but are not limited to, servers, server-based systems, touch-sensing systems, assemblies and devices, and the like.

As used herein, the terms "remote", "peripheral", "device" and the like are intended to be used interchangeably, and are not intended to single out or require any particular connection technology, such as wired or wireless; rather, such terms are used with the understanding that the item in question is, or can be, in operative communication with a system of the present invention.

As used herein, the terms "password", "access code", "code" and the like are intended to be used interchangeably, and are not intended to single out or require any particular type of security format, protocol or technology; rather, such terms are used with the understanding that the item in question is used, or can be used, to establish a security measure by a system of the present invention.

Any theory, mechanism of operation, proof or finding described herein is meant to further enhance understanding of the present invention and is not intended to make the present invention in any way dependent on such theory, mechanism of operation, proof or finding. It should be understood that while the use of the words "preferred", "preferably" or "preferable" in the description above indicates that the feature so described may be more desirable, it nonetheless may not be necessary, and embodiments lacking the same may be contemplated as within the scope of the invention, that scope being defined by the claims that follow.

In reading the claims, it is intended that when words such as "a", "an", "at least one" or "at least a portion" are used, there is no intention to limit the claim to only one item unless specifically stated to the contrary in the claim. Further, when the language "at least a portion" and/or "a portion" is used, the item can include a portion and/or the entire item unless specifically stated to the contrary.

Although the present invention has been described in accordance with the embodiments shown and described, those skilled in the art will readily recognize that there could be variations to those embodiments, and such variations would be within the spirit and scope of the present invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the appended claims.

[Brief Description of the Drawings]

Figure 1 illustrates a typical computer architecture of a data processing system.

Figure 2 represents a typical reference architecture of a data processing system, in a configuration different from Figure 1, with trusted building block components in which a trusted platform architecture can be constructed.

Figure 3 illustrates the building blocks of a trusted platform module such as that of Figure 2, which supports root-of-trust-for-storage (RTS) functionality.

Figure 4 illustrates a trusted platform module-based system including biometric capability, according to a preferred embodiment of the present invention.

Figure 5 illustrates a particularly preferred configuration procedure for generating and using a common shared secret of the present invention.

[Description of Main Reference Numerals]

120 data processing system
122, 202 central processing unit
123, 204, 440 bus
124, 206 random access memory
126 read-only memory
128 input/output adapter
130 printer
132 disk unit
134 communication adapter
136 communication link
140, 222 keyboard
142 mouse
144 display adapter
146 display device
148 user interface adapter
200 trusted platform architecture
208 controller
210a, 210b trusted building block components
212 display
214 boot read-only memory
216 embedded device
218 removable device
220, 430, 300 trusted platform module
310 input/output block
320 communication bus
330 non-volatile storage block
335 attestation identity key block
340 program code block
345 random number generator block
350 SHA-1 engine block
353 RSA key generation block
355 RSA engine block
360 Opt-In block
370 execution engine block
400 trusted platform module-based system
410 computing device
420 security generator

Claims (1)

X. Claims:

1. A method, comprising: generating a secure access code at a remote device in communication with a secure storage device; conveying the secure access code to the system secure storage device; and receiving, at the system secure storage device, the secure access code having unique data characteristics associated with a remote device.

2. The method of claim 1, wherein the secure storage device comprises a trusted platform module (TPM).

3. The method of claim 1, wherein the secure access code is unknown to the user.

4. The method of claim 1, wherein the secure access code is a high-entropy password, key code, random number, or alphanumeric composite.

5. The method of claim 1, wherein the secure access code is provided from a separate device.

6. The method of claim 5, wherein the separate device comprises any one of a biometric processor, a smart card, a flash drive, or a similar plug-in device.

7. The method of claim 1, wherein the secure storage device resides with and is in interoperable communication with a central processing unit of the system, wherein the device contains a random authorization secret (RAS).

8. The method of claim 7, wherein the RAS is attached to a public key on the secure storage device.

9. The method of claim 1, further comprising starting an object-specific authorization protocol (OSAP) session at the secure storage device.

10. The method of claim 9, further comprising storing at least one OSAP nonce.

11. The method of claim 10, further comprising generating a second template at the remote device in response to unique data characteristics received at the remote device.

12. The method of claim 11, further comprising the remote device generating a random secret and transmitting the secret to the secure storage device of the system.

13. The method of claim 12, wherein the secret is securely stored or transmitted in association with the second template.

14. The method of claim 13, further comprising the system transmitting the shared secret from the remote device to the secure storage device.

15. The method of claim 14, wherein the secure storage device authenticates the unique data characteristics with an identification template of the system associated with the unique data characteristics and transmits secure content to the remote device.

16. The method of claim 15, wherein the remote device is capable of receiving real-time input.

17. The method of claim 15, wherein the remote device is capable of reading biometric data.

18. The method of claim 17, wherein the biometric data is one of fingerprint data, iris data, retinal data, temperature data, facial data, vein patterns, or similar other biometric-based data.

19. The method of claim 17, wherein the secure storage device is a companion chip positioned to interoperate with the central processing unit of the system.

20. The method of claim 19, wherein secure generation and storage on a third device provides an increased level of protection against unauthorized interception of the secure access code.

21. The method of claim 20, wherein establishment of the secure access code comprises TPM_CreateWrapKey, TPM_Seal, and commands for establishing secure entities for later use.

22. The method of claim 21, wherein authorization of the secure access code comprises TPM_Unseal, TPM_Sign, TPM_Unbind, TPM_LoadKey, and many other trusted platform module commands that require authorization for use of an entity.

23. The method of claim 22, wherein the authorization protocol is provided by trusted platform module commands including those requiring owner authorization for operation.

24. The method of claim 23, wherein the authorization values can be changed by TPM_ChangeAuth, which changes authorization values.
TW96145754A 2006-11-30 2007-11-30 Method and system for secure external TPM password generation and use TW200841206A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/633,045 US7849312B2 (en) 2006-03-24 2006-11-30 Method and system for secure external TPM password generation and use

Publications (1)

Publication Number Publication Date
TW200841206A true TW200841206A (en) 2008-10-16

Family

ID=44821463

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96145754A TW200841206A (en) 2006-11-30 2007-11-30 Method and system for secure external TPM password generation and use

Country Status (1)

Country Link
TW (1) TW200841206A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9081635B2 (en) 2012-09-19 2015-07-14 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Provision to an application of a random number not generated by an operating system
TWI745629B (en) * 2018-04-18 2021-11-11 新唐科技股份有限公司 Computer system and method for initializing computer system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9081635B2 (en) 2012-09-19 2015-07-14 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Provision to an application of a random number not generated by an operating system
TWI601063B (en) * 2012-09-19 2017-10-01 聯想企業解決方案(新加坡)有限公司 Computer system and data processing method using random number generator
TWI745629B (en) * 2018-04-18 2021-11-11 新唐科技股份有限公司 Computer system and method for initializing computer system

Similar Documents

Publication Publication Date Title
US8261072B2 (en) Method and system for secure external TPM password generation and use
US9875368B1 (en) Remote authorization of usage of protected data in trusted execution environments
US7986786B2 (en) Methods and systems for utilizing cryptographic functions of a cryptographic co-processor
CN107567630B (en) Isolation of trusted input/output devices
US8352740B2 (en) Secure execution environment on external device
US10616215B1 (en) Virtual smart card to perform security-critical operations
CN108476404A (en) Safety equipment matches
US9015454B2 (en) Binding data to computers using cryptographic co-processor and machine-specific and platform-specific keys
US20110093693A1 (en) Binding a cryptographic module to a platform
US20030009687A1 (en) Method and apparatus for validating integrity of software
WO2017041603A1 (en) Data encryption method and apparatus, mobile terminal, and computer storage medium
US20050138389A1 (en) System and method for making password token portable in trusted platform module (TPM)
US20110265156A1 (en) Portable security device protection against keystroke loggers
TW201032065A (en) Secure virtual machine manager
JP6927981B2 (en) Methods, systems, and devices that use forward secure cryptography for passcode verification.
CN102184357B (en) Portable trustworthy private information processing system
US9053305B2 (en) System and method for generating one-time password for information handling resource
US9529733B1 (en) Systems and methods for securely accessing encrypted data stores
Osborn et al. Trusted platform module evolution
US7631348B2 (en) Secure authentication using a low pin count based smart card reader
CN102184358B (en) USB (Universal Serial Bus) embedded trustworthiness private information processing device and system
CN102024115B (en) Computer with user security subsystem
Zhang et al. Trusttokenf: A generic security framework for mobile two-factor authentication using trustzone
US10628334B2 (en) System and method to protect digital content on external storage
Suzaki et al. DeviceVeil: Robust authentication for individual USB devices using physical unclonable functions