
US-12627504-B2 - Key possession based verification in endpoint devices


Abstract

Methods and systems for securing endpoint devices are disclosed. To secure the endpoint devices, multiple processes for validating authority to invoke performance of commands may be implemented. The processes may include request based processes and challenge response based processes. In the challenge response based processes, an invoker of a command may establish authority for invoking the command by showing possession of a key to which the authority for the command has been delegated and that is usable to verify signatures included in responses to challenges to the invoked commands.

Inventors

  • Bradley K. Goodman
  • Eric Joseph Bruno
  • Joseph Caisse

Assignees

  • DELL PRODUCTS L.P.

Dates

Publication Date
2026-05-12
Application Date
2023-06-27

Claims (20)

  1. A method for managing operation of an endpoint device, the method comprising: receiving, by the endpoint device, a command request for a command to be performed by the endpoint device; presenting, by the endpoint device to a user, a challenge based on the command that is to be performed by the endpoint device; making a determination regarding whether a response to the challenge comprises a signature that is verifiable using a permissions repository comprising a first trusted key associated with challenge-based permissions for the command and a second trusted key associated with request-based permissions for the command; in a first instance where the signature is verifiable using any trusted key associated with the permissions repository, designate the command as a verified command and initiate performance of the command; and in a second instance where the signature is not verifiable using any trusted key of the permissions repository, deny performance of the command, wherein the determination is made using certificates that define permissions, where a first type of certificate corresponds to the first trusted key and is usable to verify signed challenges for performances of commands by the endpoint device and a second type of certificate corresponds to the second trusted key and is usable to verify signed command requests for performances of the commands by the endpoint device.
  2. The method of claim 1, further comprising: obtaining user input via an interface, the user input indicating the command to be performed by the endpoint device.
  3. The method of claim 2, wherein the interface is a captive interface.
  4. The method of claim 1, further comprising: obtaining the response to the command from the user.
  5. The method of claim 4, wherein obtaining the response to the command comprises: providing the challenge to a personal security device via an operable connection; and receiving the response from the personal security device via the operable connection.
  6. The method of claim 5, wherein the personal security device comprises one device selected from a list of devices consisting of a key fob, a smart card, a smart phone, and a tablet computer.
  7. The method of claim 1, wherein verifying the signature comprises: making a first determination regarding whether the signature is verifiable using the first trusted key or the second trusted key; in a first instance of the first determination where the signature is verifiable using the first trusted key: identifying the challenge-based permissions associated with the first trusted key; and directly designating the command as the verified command to initiate the performance of the command; in a second instance of the first determination where the signature is verifiable using the second trusted key: making a second determination regarding whether a chain of authority delegations grant use of the command through key possession between a root of trust and the second trusted key; in a first instance of the second determination where the second trusted key is delegated use of the command through other keys of the permissions repository, designating the command as the verified command to initiate the performance of the command; and in a second instance of the second determination where none of the other keys of the permissions repository delegate use of the command through key possession: concluding that the signature is not verifiable.
  8. The method of claim 1, wherein the signature corresponds to a private key for the command to be performed by the endpoint device.
  9. A non-transitory machine-readable medium having instructions stored therein, which when executed by at least one processor, cause a system to perform system first operations for managing operation of an endpoint device, the system first operations comprising: receiving, by the endpoint device, a command request for a command to be performed by the endpoint device; presenting, by the endpoint device to a user, a challenge based on the command that is to be performed by the endpoint device; making a determination regarding whether a response to the challenge comprises a signature that is verifiable using a permissions repository comprising a first trusted key associated with challenge-based permissions for the command and a second trusted key associated with request-based permissions for the command; in a first instance where the signature is verifiable using any trusted key associated with the permissions repository, designate the command as a verified command and initiate performance of the command; and in a second instance where the signature is not verifiable using any trusted key of the permissions repository, deny performance of the command, wherein the determination is made using certificates that define permissions, where a first type of certificate corresponds to the first trusted key and is usable to verify signed challenges for performances of commands by the endpoint device and a second type of certificate corresponds to the second trusted key and is usable to verify signed command requests for performances of the commands by the endpoint device.
  10. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise: obtaining user input via an interface, the user input indicating the command to be performed by the endpoint device.
  11. The non-transitory machine-readable medium of claim 10, wherein the interface is a captive interface.
  12. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise: obtaining the response to the command from the user.
  13. The non-transitory machine-readable medium of claim 12, wherein obtaining the response to the command comprises: providing the challenge to a personal security device via an operable connection; and receiving the response from the personal security device via the operable connection.
  14. The non-transitory machine-readable medium of claim 9, wherein verifying the signature comprises: making a first determination regarding whether the signature is verifiable using the first trusted key or the second trusted key; in a first instance of the first determination where the signature is verifiable using the first trusted key: identifying the challenge-based permissions associated with the first trusted key; and directly designating the command as the verified command to initiate the performance of the command; in a second instance of the first determination where the signature is verifiable using the second trusted key: making a second determination regarding whether a chain of authority delegations grant use of the command through key possession between a root of trust and the second trusted key; in a first instance of the second determination where the second trusted key is delegated use of the command through other keys of the permissions repository, designating the command as the verified command to initiate the performance of the command; and in a second instance of the second determination where none of the other keys of the permissions repository delegate use of the command through key possession: concluding that the signature is not verifiable.
  15. An endpoint device, comprising: a processor, and a memory coupled to the processor to store instructions, which when executed by the processor, cause the endpoint device to perform operations for managing operation of the endpoint device, the operations comprising: receiving, by the endpoint device, a command request for a command to be performed by the endpoint device; presenting, by the endpoint device to a user, a challenge based on the command that is to be performed by the endpoint device; making a determination regarding whether a response to the challenge comprises a signature that is verifiable using a permissions repository comprising a first trusted key associated with challenge-based permissions for the command and a second trusted key associated with request-based permissions for the command; in a first instance where the signature is verifiable using any trusted key associated with the permissions repository, designate the command as a verified command and initiate performance of the command; and in a second instance where the signature is not verifiable using any trusted key of the permissions repository, deny performance of the command, wherein the determination is made using certificates that define permissions, where a first type of certificate corresponds to the first trusted key and is usable to verify signed challenges for performances of commands by the endpoint device and a second type of certificate corresponds to the second trusted key and is usable to verify signed command requests for performances of the commands by the endpoint device.
  16. The endpoint device of claim 15, wherein the operations further comprise: obtaining user input via an interface, the user input indicating the command to be performed by the endpoint device.
  17. The endpoint device of claim 16, wherein the interface is a captive interface.
  18. The endpoint device of claim 15, wherein the operations further comprise: obtaining the response to the command from the user.
  19. The endpoint device of claim 18, wherein obtaining the response to the command comprises: providing the challenge to a personal security device via an operable connection; and receiving the response from the personal security device via the operable connection.
  20. The endpoint device of claim 15, wherein verifying the signature comprises: making a first determination regarding whether the signature is verifiable using the first trusted key or the second trusted key; in a first instance of the first determination where the signature is verifiable using the first trusted key: identifying the challenge-based permissions associated with the first trusted key; and directly designating the command as the verified command to initiate the performance of the command; in a second instance of the first determination where the signature is verifiable using the second trusted key: making a second determination regarding whether a chain of authority delegations grant use of the command through key possession between a root of trust and the second trusted key; in a first instance of the second determination where the second trusted key is delegated use of the command through other keys of the permissions repository, designating the command as the verified command to initiate the performance of the command; and in a second instance of the second determination where none of the other keys of the permissions repository delegate use of the command through key possession: concluding that the signature is not verifiable.

Description

FIELD

Embodiments disclosed herein relate generally to security. More particularly, embodiments disclosed herein relate to securing performance of commands by devices.

BACKGROUND

Computing devices may provide computer-implemented services. The computer-implemented services may be used by users of the computing devices and/or devices operably connected to the computing devices. The computer-implemented services may be performed with hardware components such as processors, memory modules, storage devices, and communication devices. The operation of these components and the components of other devices may impact the performance of the computer-implemented services.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments disclosed herein are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.

FIG. 1 shows a block diagram illustrating a system in accordance with an embodiment.
FIGS. 2A-2B show data flow diagrams in accordance with an embodiment.
FIG. 3 shows a flow diagram illustrating a method in accordance with an embodiment.
FIG. 4 shows a block diagram illustrating a data processing system in accordance with an embodiment.

DETAILED DESCRIPTION

Various embodiments will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of various embodiments. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments disclosed herein. Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included in at least one embodiment. The appearances of the phrases “in one embodiment” and “an embodiment” in various places in the specification do not necessarily all refer to the same embodiment.

References to an “operable connection” or “operably connected” mean that a particular device is able to communicate with one or more other devices. The devices themselves may be directly connected to one another or may be indirectly connected to one another through any number of intermediary devices, such as in a network topology.

In general, embodiments disclosed herein relate to methods and systems for securing operation of endpoint devices using a flexible approach. The flexible approach may allow for commands to be invoked by users of endpoint devices without requiring the user to establish requests for the commands. To secure the operation of the endpoint device, invocations of commands may be challenged. To pass the challenge, an invoker of the command may be required to establish possession of a key to which authority for the commands has been delegated. To respond to the challenge, the invoker of the command may sign the challenge with a key. The endpoint device may attempt to establish a chain of delegations of authority for the command to a public key that is both usable to validate the signature in the response and usable to validate signed responses (as opposed to signed requests for performance of commands). If the chain is successfully established, then the endpoint device may proceed to perform the invoked command. Otherwise, the endpoint device may deny performance of the invoked command.

By doing so, embodiments disclosed herein may secure endpoint devices while providing flexibility in how authority for invoking commands may be established. For example, by only requiring that the invoker of a command establish possession of a key to which authority has been delegated for the command, the complexity of invoking performance of commands may be reduced. For example, a user may only need to invoke commands through captive interfaces rather than being required to have access to systems through which requests for performance of commands may be generated. Thus, embodiments disclosed herein may address, among other technical problems, the technical problem of security in distributed systems. By providing for flexibility through which authority for command invocation can be established, the usability of endpoint devices may be improved while retaining security in operation of the endpoint devices.

In an embodiment, a method for managing operation of an endpoint device is provided. The method may include presenting a challenge based on a command that is to be performed by the endpoint device to a user; making a determination regarding whether a response to the command comprises a signature that is verifiable using a key associated with a possession based permission for the command; in a first instance of the determination where the response comprises the signature that is verifiable using a key associated with the pos