Browse Prior Art Database

Secure Authentication for Remote Client Management

IP.com Disclosure Number: IPCOM000123680D
Original Publication Date: 1999-Mar-01
Included in the Prior Art Database: 2005-Apr-05
Document File: 2 page(s) / 93K

Publishing Venue

IBM

Related People

Challener, D: AUTHOR [+5]

Abstract

Problem Solved By This Invention: Today's managed clients have the ability to operate when no operating system image is resident on the platform. A server can locate a client and download software to that client for remote maintenance operations. Some examples include updating firmware, loading and installing a new operating system, running diagnostics, etc. However there is a security exposure as a non authorized server can take over the client and perform a destructive operation. This invention will add hardware authentication to this process using the built in hardware DES encryption engine. This solution will allow the client to verify that the server request is from an authorized server. For clarity the word server is used, however it can be authorized system management software run out of multiple servers.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Secure Authentication for Remote Client Management

   Problem Solved By This Invention:

   Today's managed clients have the ability to operate
when no operating system image is resident on the platform.  A
server can locate a client and download software to that client for
remote maintenance operations.  Some examples include updating
firmware, loading and installing a new operating system, running
diagnostics, etc.  However there is a security exposure as a non
authorized server can take over the client and perform a destructive
operation.  This invention will add hardware authentication to this
process using the built in hardware DES encryption engine.  This
solution will allow the client to verify that the server request is
from an authorized server.  For clarity the word server is used,
however it can be authorized system management software run out of
multiple servers.

   Description of Invention:

   Future Desktop systems will contain the following
subsystems required for this invention to work: DES hardware engine
with non-system readable security keys.  This engine is capable of
encoding and decoding secure data.  The subsystem consists of a
microprocessor, memory (RAM and ROM), DES engine, and a protected
area for key storage.  This entire solution will be integrated within
the system core chipset at a very affordable cost structure (less
than $4 per system).

   Currently the client has a preboot execution environment
(PXE).  This consists of firmware within the client that allows the
transfer of files between a server and a client without an operating
system running.  The firmware allows the server to send to the client
a special packet which tells the client to wake up and boot off the
network.  The client then sends a packet out on the network asking
network configuration information so the client can talk on the
network and request files.  Files are then transferred using Trivial
File Transfer Protocol (TFTP) which is industry standard protocol.
Using this method a bootable image can be sent to the client to
execute.  This bootable image can contain programs that update the
system BIOS, start the instal...