公开(公告)号：US09391980B1

公开(公告)日：2016-07-12

申请号：US14077120

申请日：2013-11-11

Applicant: Google Inc.

Inventor： Darren Krahn ,  Sumit Gwalani ,  William Alexander Drewry

IPC: H04L9/32 ,  H04L29/06

CPC classification number: G06F21/57 ,  H04L63/1433

Abstract: Systems and methods for enterprise platform verification are provided. In some aspects, a computing device includes a trusted platform module (TPM). The TPM includes an endorsement key (EK) physically embedded in the TPM. The TPM includes an attestation identity key (AIK), the AIK being used to verify that at least one TPM-protected key different from the EK and different from the AIK is generated at the TPM and is non-migratable. The TPM includes an enterprise machine key (EMK), the EMK being certified by the AIK, the EMK being uniquely associated with the client computing device, and the EMK being generated during enrollment of the client computing device with an enterprise and remaining active until a factory reset of the client computing device.

Abstract translation: 提供企业级平台验证的系统和方法。 在一些方面，计算设备包括可信平台模块（TPM）。 TPM包括物理上嵌入在TPM中的认可密钥（EK）。 TPM包括认证身份密钥（AIK），AIK用于验证在TPM处生成不同于EK并且不同于AIK的至少一个TPM保护的密钥，并且是不可迁移的。 TPM包括企业机器密钥（EMK），EMK由AIK认证，EMK与客户端计算设备唯一相关，EMK在客户端计算设备与企业注册期间生成，并保持活动状态，直到 出厂复位的客户端计算设备。

公开(公告)号：US09692599B1

公开(公告)日：2017-06-27

申请号：US14488206

申请日：2014-09-16

Applicant: Google Inc.

Inventor： Darren Krahn

IPC: G06F21/57 ,  H04L9/32

CPC classification number: H04L9/3247 ,  G06F21/57 ,  H04L9/0897 ,  H04L9/321 ,  H04L2209/127

Abstract: Techniques for security module endorsement are provided. An example method includes receiving a generalized endorsement key at a security module, wherein the security module is associated with a computing device and wherein the generalized endorsement key is independent of characteristics of the computing device, automatically extending integrity measurements stored in one or more registers of the security module with information characterizing the computing device, wherein the integrity measurements are based on one or more software processes at the computing device, digitally signing the extended integrity measurements with a digital signature, and generating a specialized endorsement credential as a combination of the digitally signed extended integrity measurements, the digital signature and the generalized endorsement key, wherein the specialized endorsement credential is used to validate authenticity of the security module.