US20080046752A1 - Method, system, and program product for remotely attesting to a state of a computer system - Google Patents
- Publication number: US20080046752A1 (application US11/463,563)
- Authority: US (United States)
- Prior art keywords: computer system, data, computer, dynamic, remote
- Legal status: Abandoned (status as assumed by Google, not a legal conclusion)
Classifications
- H04L9/3271: Cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user or for message authentication, using challenge-response
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H04L63/0428: Network security protocols providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/06: Network security protocols supporting key management in a packet data network
- H04L63/0823: Network security protocols for authentication of entities using certificates
- H04L63/0853: Network security protocols for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L63/164: Implementing security features at the network layer
- H04L2209/127: Trusted platform modules [TPM] (details relating to cryptographic hardware or logic circuitry)
- H04L63/1433: Vulnerability analysis (detecting or protecting against malicious traffic)
- H04L63/166: Implementing security features at the transport layer
Definitions
- This invention relates to remotely establishing the specific or dynamic properties of a computer system. More specifically, it relates to remotely establishing trust in properties of a computer system.
- In current Trusted Computing Group (TCG) attestation, the software state includes measurements of the software chain, and might include configuration files used to initialize or customize a software module.
- The attestation method begins with a Core Root of Trust for Measurement (CRTM) that measures the software, and possibly the configuration files, of the next layer of software to run. Each layer in turn measures the next layer before calling it. Digests of these measurements are extended through a one-way hash function into Platform Configuration Registers (PCRs) contained in a Trusted Platform Module (TPM). The measurement names and values are also appended to a measurement list.
- A set of PCRs is quoted, that is, digested and digitally signed with a trusted Attestation Identity Key (AIK).
- The remote party/system validates the AIK certificate issued by a trusted privacy certificate authority, the digital signature of the quote, and the integrity of the measurement list by comparing it to the PCR state included in the quote. Once the measurement list is trusted, the remote system uses it to determine whether the attesting system is running trusted software.
- By measuring data common to many systems, and by storing only static data, not data generated at run time, the remote system needs to store only a small list of trusted measurements (software modules or configuration files), and can use that list to attest a large number of systems across an enterprise. While this attestation is valuable for trusted computing, it does not address establishing trust in data that may be specific to a system, or in data that may be generated or changed as the system runs.
- Drawbacks of known solutions include (among others): (1) third parties are difficult to establish; (2) third parties are currently unable to solve key revocation in a scalable and cost-efficient way; and (3) it is extremely difficult to find commonly trusted parties in heterogeneous distributed environments.
- The present invention expands the current use of PCRs to include not only common, static data measurements, but also computer system-specific static data measurements and dynamic data. Adding static but system-specific measurements allows a remote system to attest to them and therefore to attach those measurements to measurements of common data, such as the software running on the system. Such static data would typically be present at system startup.
- An example of system-specific static data is a network communications channel public key or certificate. Adding these measurements to PCRs allows a remote system to attest to the system properties at the end points of a secure communication channel by anchoring public keys, and relevant attributes associated with establishing a secure channel, to the system's integrity measurements.
- Adding dynamic data calculated as the system runs allows a remote party/system to attest to it and therefore to attach those measurements to measurements of common data, such as the software running on the system.
- Some dynamic data is generated only once. An example of dynamic data assigned at boot time is a dynamically assigned IP address.
- Other dynamic data is generated continuously. An example of dynamic data produced as the system runs applications is a log of activity such as logins or system hardware or software errors. Adding these measurements to PCRs allows the remote system to attest that the activity, system, event, or error log was generated by a trusted system and was not altered.
- A first aspect of the present invention provides a method of remotely attesting to a state of a computer system, comprising: storing data specific to the computer system in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data specific to the computer system.
- A second aspect of the present invention provides a method of a remote system establishing a secure connection to a local system, comprising: receiving, at the remote system from the local system, a list of names of measured items specific to the local system, values of the measured items, and signed states of current Platform Configuration Register (PCR) values; requesting a secure connection to the local system and receiving an authentication credential of the local system; verifying that the authentication credential is contained in the received list of names; and determining whether to continue establishing the secure connection based on the verifying.
- A third aspect of the present invention provides a system for remotely attesting to a state of a computer system, comprising: a measurement system for measuring data specific to the computer system; a PCR system for storing the data in a set of Platform Configuration Registers (PCRs); a challenge reception system for receiving an attestation challenge from a remote computer system; and a quotation system for responding to the attestation challenge using the data stored in the set of PCRs.
- A fourth aspect of the present invention provides a program product stored on a computer-readable medium for remotely attesting to a state of a computer system, the computer-readable medium comprising program code for causing a computer system to perform the following steps: measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.
- A fifth aspect of the present invention provides a method for deploying an application for remotely attesting to a state of a computer system, comprising: providing a computer infrastructure being operable to: measure data specific to the computer system; store the data in a set of Platform Configuration Registers (PCRs); receive an attestation challenge from a remote computer system; and respond to the attestation challenge using the data stored in the set of PCRs.
- A sixth aspect of the present invention provides computer software embodied in a propagated signal for remotely attesting to a state of a computer system, the computer software comprising instructions for causing a computer system to perform the following steps: measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.
- The present invention provides a method, system, and program product for remotely attesting to a state of a computer system, as well as for a remote system to establish a secure connection to a local system.
- FIG. 1 depicts a system for remotely attesting to the state of a computer system according to the present invention.
- FIG. 2 depicts a flow chart of a remote attestation process according to the present invention.
- FIG. 3 depicts a flow chart showing the addition of a computer system-specific static measurement according to the present invention.
- FIG. 4 depicts a flow chart showing the addition of a dynamic measurement at boot time according to the present invention.
- FIG. 5 depicts a flow chart showing the addition of dynamic measurements as the computer system is running according to the present invention.
- FIG. 6 depicts a flow chart showing the use of attestation in the establishment of a secure communications tunnel according to the present invention.
- System 10 includes a local (computer) system 14 deployed within a computer infrastructure/environment 12.
- Computer infrastructure 12 can be deployed in a network environment (e.g., the Internet, a wide area network (WAN), a local area network (LAN), a virtual private network (VPN), etc.).
- Communication throughout the network can occur via any combination of various types of communications links.
- The communication links can comprise addressable connections that may utilize any combination of wired and/or wireless transmission methods.
- Connectivity could be provided by a conventional TCP/IP sockets-based protocol, and an Internet service provider could be used to establish connectivity to the Internet.
- Computer infrastructure 12 is intended to demonstrate that some or all of the components of system 10 could be deployed, managed, serviced, etc. by a service provider who offers to remotely attest to a state of a computer system according to the present invention.
- Local system 14 includes a processing unit 16, a memory 18, a bus 20, and input/output (I/O) interfaces 22. Further, local system 14 is shown in communication with external I/O devices/resources 24 and storage system 26.
- Processing unit 16 executes computer program code, such as operating system 30, which is stored in memory 18 and/or storage system 26. While executing computer program code, processing unit 16 can read and/or write data to/from memory 18, storage system 26, and/or I/O interfaces 22.
- Bus 20 provides a communication link between each of the components in local system 14.
- External interfaces 24 can comprise any devices (e.g., keyboard, pointing device, display, etc.) that enable a user to interact with local system 14 and/or any devices (e.g., network card, modem, etc.) that enable local system 14 to communicate with one or more other devices.
- Computerized infrastructure 12 is only illustrative of various types of computer infrastructures for implementing the invention.
- For example, computerized infrastructure 12 may comprise two or more devices (e.g., a server cluster) that communicate over a network to perform the various process steps of the invention.
- Local system 14 is only representative of various possible computer systems that can include numerous combinations of hardware.
- Local system 14 can comprise any specific-purpose article of manufacture comprising hardware and/or computer program code for performing specific functions, any article of manufacture that comprises a combination of specific-purpose and general-purpose hardware/software, or the like.
- The program code and hardware can be created using standard programming and engineering techniques, respectively.
- Processing unit 16 may comprise a single processing unit, or be distributed across one or more processing units in one or more locations, e.g., on a client and server.
- Memory 18 and/or storage system 26 can comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations.
- I/O interfaces 22 can comprise any system for exchanging information with one or more external interfaces 24.
- Local system 14 may include one or more additional components (e.g., system software, math co-processing unit, etc.).
- If local system 14 comprises a handheld device or the like, one or more external interfaces 24 (e.g., a display) and/or storage system 26 could be contained within local system 14, not externally as shown.
- Storage system 26 can be any type of system (e.g., a database) capable of providing storage for information under the present invention.
- Storage system 26 could include one or more storage devices, such as a magnetic disk drive or an optical disk drive.
- Storage system 26 may also include data distributed across, for example, a local area network (LAN), a wide area network (WAN) or a storage area network (SAN) (not shown).
- Remote (computer) system 54 includes computerized components similar to local system 14.
- Additional components such as cache memory, communication systems, system software layers (e.g., BIOS, Boot, etc.) may be incorporated into local system 14 and/or remote system 54.
- Shown in memory 18 of local system 14 are operating system 30 and local attestation system 32.
- Local attestation system 32 includes measurement system 34, digest system 36, registry system 38, and challenge reception system 40.
- Also provided on local system 14 (as a chip outside of memory 18) is trusted platform module 45, which contains a set of PCRs 44 and a quotation system 42.
- Shown loaded (e.g., in memory) on remote system 54 is remote attestation system 46, which includes connection system 48, challenge system 50, and validation system 52. It should be appreciated that the same functionality could be implemented with a different configuration of systems and/or subsystems than is shown in FIG. 1. This depiction is intended to be illustrative only.
- The present invention allows a secure connection to be established between local system 14 and remote system 54.
- The state of local system 14 will be attested to by remote system 54 using data not previously utilized for such attestation.
- Connection system 48 attempts to establish a secure connection (e.g., an SSL or IPSec connection) with local system 14.
- Measurement system 34 will first make initial data measurements.
- The data measured includes (among other things) data specific to local system 14.
- Measurement system 34 will also compile a list of names of measured items and their measured values.
- The data measured can include static data and/or dynamic data associated with local system 14.
- An example of static data is a public key used for establishing a communications channel.
- The dynamic data can be data generated as local system 14 is running. Along these lines, the dynamic data can be generated once and assigned to local system 14, or periodically as local system 14 runs. Examples of dynamic data include a dynamic network IP address assigned to local system 14, a notification that a user has logged into local system 14, information related to the execution or termination of a program running on local system 14, an event such as an error condition occurring on local system 14, or the like.
- Digest system 36 will compute a digest that contains the information measured by measurement system 34, and registry system 38 will store the digest in a set (e.g., one or more) of PCRs 44.
- Challenge system 50 will issue an attestation challenge that is received by challenge reception system 40.
- Quotation system 42 will generate a quotation/response to the attestation challenge.
- Quotation system 42 will incorporate the challenge into a TPM quote, along with a digest of the selected PCRs.
- The quote is signed with an AIK.
- The signature, the list compiled by measurement system 34, the AIK, and the AIK certificate (e.g., an authentication credential such as an X.509 certificate) are returned to remote system 54.
- Upon receipt, validation system 52 will validate the AIK certificate. Validation may include validating the digest, validating the signature against a privacy certificate authority public key, validating the expiration date, etc. This establishes trust in the AIK public key using the privacy certificate authority as the root of trust. Validation system 52 will also validate the quote signature using the AIK public key. This establishes trust in the quote contents. Further, validation system 52 will validate the measurements. Expected PCR values are reconstructed using the digests included in the measurement list. The expected values are digested and validated against the digest returned in the quote. This establishes trust in the measurement list contents. In addition, validation system 52 will verify that the authentication credential was contained in the received list. Specifically, validation system 52 will verify that a hash of the authentication credential was contained in the received list. Based on the validation performed by validation system 52, connection system 48 will determine whether to continue establishing the secure connection with local system 14.
- FIG. 2 shows a flow chart 100 of the attestation process of the present invention.
- In step 110, a measuring software layer measures the next measured software layer to be called.
- In step 120, the measuring software layer calculates a digest of the measured layer and extends the digest into a TPM PCR.
- In step 130, the measuring software layer adds information about the measured software layer to a measurement list.
- Steps 120 and 130 are interchangeable. Steps 110, 120, and 130 are repeated multiple times as each measured software layer becomes the measuring software layer for the next pass through the loop. During some passes through the loop, other static data such as a software configuration file may be measured.
- In step 140, the software waits for an attestation challenge from a remote system/party.
- In step 150, the software incorporates the challenge into a TPM quote, along with a digest of the selected PCRs. The quote is signed with an AIK. The signature, the list, the AIK, and the AIK certificate are returned to the remote system/party.
- In step 160, the remote system validates the AIK certificate. Validation may include validating the digest, validating the signature against a privacy certificate authority public key, validating the expiration date, etc. This establishes trust in the AIK public key using the privacy certificate authority as the root of trust.
- In step 170, the remote system validates the quote signature using the AIK public key. This establishes trust in the quote contents.
- In step 180, the measurement list is validated. Expected PCR values are reconstructed using the digests included in the measurement list. The expected values are digested and validated against the digest returned in the quote. This establishes trust in the measurement list contents.
- In step 190, the measurement list entries are compared to trusted values for the software or configuration files. It should also be understood that the order of steps 160, 170, 180, and 190 is interchangeable. If all validation steps 160, 170, 180, and 190 succeed, the remote system determines that the local system can be trusted.
- FIG. 3 depicts a flow chart 200 showing the addition of a system-specific static measurement.
- The steps are substantially similar to those described in FIG. 2 and will not be repeated for clarity.
- However, a measurement is also made of data specific to the local system. Examples of such data are networking public keys, certificates, etc.
- Measurement list entries are now expanded to include this system-specific data.
- In this way, the remote system atomically links the common software measurements to the system-specific data. This atomicity assures the remote system that the system-specific data did indeed come from the local system running the trusted software.
- FIG. 4 depicts a flow chart 300 showing the addition of a dynamic measurement at boot time. As with FIG. 3, the steps are substantially similar to those of FIG. 2 and will not be repeated for clarity. However, in step 310 a measurement is made of dynamic data determined at boot time. Examples of such data are a dynamically allocated IP address, etc. In step 390, measurement list entries are now expanded to include this dynamic data. In this way, the remote system atomically links the common software measurements to the dynamic data. This atomicity assures the remote system that the dynamic data did indeed come from the local system running the trusted software.
- FIG. 5 depicts a flow chart 400 showing the addition of dynamic measurements as the local system is running. As with FIGS. 3 and 4, the steps are substantially similar to those of FIG. 2 and will not be repeated for clarity. However, in step 410 a measurement is made of dynamic data determined as the local system is running. Examples of such data are user login requests, software application startup and exit, hardware and software events, etc. Events may be augmented with time stamps, system state, user identifiers, etc. The data could also include a digest of a log file containing such events. In step 490, measurement list entries are now expanded to include this dynamic data determined as the local system is running. For example, the measurement list can now have event or audit logs appended to the previous measurements.
- In this way, the remote system atomically links the common software measurements to the dynamic data determined as the local system is running. This atomicity assures the remote system that the dynamic data determined as the local system is running did indeed come from the local system running the trusted software. For example, the remote system can now be assured that an event or audit log was generated by trusted software and has not been tampered with by an untrusted entity.
- FIG. 6 depicts a flow chart 500 showing the use of attestation in the establishment of a secure communications tunnel, such as an SSL connection or an IPSec connection.
- In step 510, a measuring software layer reads a measured item.
- In step 520, the measuring software layer calculates a digest of the measured item and extends the digest into a TPM PCR.
- In step 530, the measuring software layer adds the measured item to a list of names of measured items along with the value of the measurement. Steps 510, 520, and 530 are repeated for all measured items. Measured items typically include upper software layers to be called by the measuring software layer and may include software configuration files. In this embodiment, an additional measured item is a secure communications authentication credential.
- The credential can be an X.509 certificate, another form of public key certificate, or another data format containing an authentication public key.
- The remote system receives a list containing the names and values of all measured items. It also receives a TPM quote, which is a signed TPM state that includes the current TPM PCR values, and the TPM's AIK certificate.
- The remote system validates the AIK certificate as in step 160 of FIG. 2.
- The remote system validates the quote signature as in step 170 of FIG. 2.
- The remote system verifies the received list of measured items against the reported PCR state from the TPM quote. This step establishes that the measurement list can be trusted.
- The remote system establishes a secure connection to the attesting party.
- Alternatively, the secure connection can be established before the attestation quote generation and validation.
- During connection setup, the remote system receives an authentication credential and uses it to establish the connection. This should be the same credential that was measured in steps 510, 520, and 530.
- The remote system verifies that the authentication credential received in the measurement list and the one received during the secure connection setup are identical.
- In this way, the remote system is assured that the attesting party is the same party that set up the secure communications channel. Without the trust link established by including the authentication certificate in the TPM quote, it would have been possible that the attestation of correct software state came from one remote system but the secure connection came from a different party. For example, a man-in-the-middle could establish the secure connection but pass the attestation request on to the attesting party and return its response. Including the system-specific authentication certificate in the TPM quote eliminates the possibility of this attack.
- This embodiment is described in terms of one attesting/local system and one remote system. It is understood that, for certain applications, the roles may be reversed during the protocol, so that each system can establish trust in the other. That is, during certain protocols, both parties can be both the attesting system and the remote system attempting to establish trust.
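The measure/extend/quote/validate loop of FIG. 2 and the credential-binding check of FIG. 6, played end to end as an added Go example that is not part of the patent or its figures: an Ed25519 key stands in for the AIK, SHA-256 for the PCR hash, the PCR numbers 4/10/11 and the item names are assumptions, the privacy CA validation of step 160 is assumed already done, and every measured value is constructed. It also exercises the FIG. 5 claim by editing one login record after the quote and showing the verifier reject the list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entry is one measurement-list line: target PCR, item name, digest of its value.
type Entry struct{ PCR int; Name string; Digest [32]byte }

// PCR allocation assumed by this example (not from the patent): common
// software/config, system-specific static data, run-time dynamic data.
const pcrSoftware, pcrStatic, pcrDynamic = 4, 10, 11

// extend models the TPM PCR extend operation: new = H(old || digest).
func extend(old, digest [32]byte) [32]byte { return sha256.Sum256(append(old[:], digest[:]...)) }

// Platform is the attesting (local) system: PCRs, measurement list and AIK key pair.
type Platform struct{ PCRs [24][32]byte; List []Entry; aikPriv ed25519.PrivateKey; AIKPub ed25519.PublicKey }

// Measure digests an item, extends it into a PCR and appends it to the list (steps
// 110-130). Software, the platform's own certificate and run-time data share this path.
func (p *Platform) Measure(pcr int, name string, data []byte) {
	d := sha256.Sum256(data)
	p.PCRs[pcr] = extend(p.PCRs[pcr], d)
	p.List = append(p.List, Entry{PCR: pcr, Name: name, Digest: d})
}

// quoteMessage is what the AIK signs: the challenger's nonce, then a digest over
// the selected PCRs. The nonce ties the quote to this one challenge.
func quoteMessage(nonce []byte, pcrs [24][32]byte, sel []int) []byte {
	var buf []byte
	for _, i := range sel { buf = append(buf, pcrs[i][:]...) }
	comp := sha256.Sum256(buf)
	return append(append([]byte{}, nonce...), comp[:]...)
}

// Quote answers the attestation challenge (step 150).
func (p *Platform) Quote(nonce []byte, sel []int) []byte {
	return ed25519.Sign(p.aikPriv, quoteMessage(nonce, p.PCRs, sel))
}

// Verify is the remote system's side. aikPub is assumed already validated against
// the privacy CA certificate (step 160); channelCred is the credential the same
// peer presented while the secure channel was being set up.
func Verify(aikPub ed25519.PublicKey, nonce []byte, sel []int, sig []byte,
	list []Entry, trusted map[string][32]byte, channelCred []byte) error {
	// Step 180: rebuild the PCRs from the list; step 170: the AIK must have
	// signed exactly that state together with this challenge's nonce.
	var pcrs [24][32]byte
	for _, e := range list {
		pcrs[e.PCR] = extend(pcrs[e.PCR], e.Digest)
	}
	if !ed25519.Verify(aikPub, quoteMessage(nonce, pcrs, sel), sig) {
		return errors.New("quote signature does not match nonce and reconstructed PCRs")
	}
	credDigest, credMeasured := sha256.Sum256(channelCred), false
	for _, e := range list {
		switch e.PCR {
		case pcrSoftware: // step 190: every common item must match a trusted value
			if want, ok := trusted[e.Name]; !ok || want != e.Digest {
				return fmt.Errorf("untrusted measurement for %q", e.Name)
			}
		case pcrStatic: // FIG. 6: the channel credential must be in the list
			credMeasured = credMeasured || (e.Name == "tls-cert" && e.Digest == credDigest)
		} // dynamic entries have no expected value; the signed PCR chain vouches for them
	}
	if !credMeasured {
		return errors.New("channel credential was never measured by the attesting platform")
	}
	return nil
}

// Run plays the exchange on constructed sample data and returns the verdicts for
// an honest peer, a man-in-the-middle credential and an edited login record.
func Run() (honest, mitm, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := &Platform{aikPriv: priv, AIKPub: pub}
	kernel := []byte("vmlinuz (constructed)")
	cert := []byte("-----BEGIN CERTIFICATE----- (constructed platform cert)")
	p.Measure(pcrSoftware, "kernel", kernel)
	p.Measure(pcrStatic, "tls-cert", cert)
	p.Measure(pcrDynamic, "dhcp-lease", []byte("ip=10.0.0.7"))
	p.Measure(pcrDynamic, "auth.log", []byte("login user=alice ts=1700000000"))
	trusted := map[string][32]byte{"kernel": sha256.Sum256(kernel)}
	nonce, sel := []byte("constructed-32-byte-nonce-value!"), []int{pcrSoftware, pcrStatic, pcrDynamic}
	sig := p.Quote(nonce, sel)
	honest = Verify(p.AIKPub, nonce, sel, sig, p.List, trusted, cert)
	mitm = Verify(p.AIKPub, nonce, sel, sig, p.List, trusted, []byte("attacker's own cert"))
	edited := append([]Entry{}, p.List...) // copy the list, then rewrite the login record
	edited[3].Digest = sha256.Sum256([]byte("login user=mallory ts=1700000000"))
	tampered = Verify(p.AIKPub, nonce, sel, sig, edited, trusted, cert)
	return
}

func main() { fmt.Println(Run()) } // <nil>, then the two rejection errors
```

The middle case is the attack the text describes: a party that presents its own certificate on the channel while relaying the genuine quote is rejected because the hash of its credential never appears in the signed measurement list.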
- the invention provides a computer-readable/useable medium that includes computer program code to enable a computer infrastructure to remotely attest to a state of a computer system.
- the computer-readable/useable medium includes program code that implements each of the various process steps of the invention. It is understood that the terms computer-readable medium or computer useable medium comprises one or more of any type of physical embodiment of the program code.
- the computer-readable/useable medium can comprise program code embodied on one or more portable storage articles of manufacture (e.g., a compact disc, a magnetic disk, a tape, etc.), on one or more data storage portions of a providing device, such as memory 18 ( FIG. 1 ) and/or storage system 26 ( FIG. 1 ) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.), and/or as a data signal (e.g., a propagated signal) traveling over a network (e.g., during a wired/wireless electronic distribution of the program code).
- a portable storage articles of manufacture e.g., a compact disc, a magnetic disk, a tape, etc.
- data storage portions of a providing device such as memory 18 ( FIG. 1 ) and/or storage system 26 ( FIG. 1 ) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.
- the invention provides a business method that performs the process steps of the invention on a subscription, advertising, and/or fee basis. That is, a service provider, such as a Solution Integrator, could offer to remotely attest to a state of a computer system.
- the service provider can create, maintain, support, etc., a computer infrastructure, such as computerized infrastructure 12 ( FIG. 1 ) that performs the process steps of the invention for one or more customers.
- the service provider can receive payment from the target organization(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.
- the invention provides a computer-implemented method for remotely attesting to a state of a computer system.
- a computerized infrastructure such as computer infrastructure 12 ( FIG. 1 )
- one or more systems for performing the process steps of the invention can be obtained (e.g., created, purchased, used, modified, etc.) and deployed to the computer infrastructure.
- the deployment of a system can comprise one or more of (1) installing program code on a providing device, such as local system 14 ( FIG. 1 ), from a computer-readable medium; (2) adding one or more providing devices to the computer infrastructure; and (3) incorporating and/or modifying one or more existing systems of the computer infrastructure to enable the computer infrastructure to perform the process steps of the invention.
- program code and “computer program code” are synonymous and mean any expression, in any language, code or notation, of a set of instructions intended to cause a providing device having an information processing capability to perform a particular function either directly or after either or both of the following: (a) conversion to another language, code or notation; and/or (b) reproduction in a different material form.
- program code can be embodied as one or more of: an application/software program, component software/a library of functions, an operating system, a basic I/O system/driver for a particular providing and/or I/O device, and the like.
Abstract
A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Description
- 1. Field of the Invention
- This invention relates to remotely establishing the specific or dynamic properties of a computer system. More specifically, it relates to remotely establishing trust in properties of a computer system.
- 2. Related Art
- Current Trusted Computing Group (TCG) use cases provide the means for remote parties to attest to the software state of a computer system/platform. The software state includes measurements of the software chain, and might include configuration files used to initialize or customize a software module. The attestation method, as described in TCG documents, begins with a Core Root of Trust for Measurement (CRTM) that measures the software and possibly configuration files of the next layer of software to run. Each layer in turn measures the next layer before calling it. Digests of these measurements are extended through a one-way hash function into Platform Configuration Registers (PCRs) contained in a Trusted Platform Module (TPM). The measurement names and values are also appended to a measurement list.
- During the remote attestation process, a set of PCRs is quoted—digested, and digitally signed with a trusted Attestation Identity Key (AIK). The remote party/system validates the AIK certificate issued by a trusted privacy certificate authority, the digital signature of the quote, and the integrity of the measurement list by comparing it to the PCR state included in the quote. Once the measurement list is trusted, the remote system uses it to determine whether the attesting system is running trusted software.
- Current uses measure known, expected, constant, system-independent data. A typical measurement is a software stack, from bootstrap loader, through Operating System load, and finally application load. Remote systems doing an attestation are expected to have known good values. Even when other data such as configuration files are measured, the literature envisions a limited number of variations among systems, a relatively homogeneous environment.
- By measuring data common to many systems, and by storing only static data, not data generated at run time, the remote system needs to store only a small list of trusted measurements (software modules or configuration files), and can use that list to attest a large number of systems across an enterprise. While this attestation is valuable for trusted computing, it does not address establishing trust in data that may be specific to a system or even data that may be generated or changed as the system runs.
- For example, there are currently mechanisms to establish secure communication tunnels, usually based on public key certificates (e.g., SSL, IPSEC, and Web Services Security). There are also techniques to establish properties of remote systems using the TPM or other core root of trust elements. Unfortunately, these two separate mechanisms do not ensure that the system for which properties are established during remote attestation is the same system at which the protected tunnel ends. This is essential for establishing security guarantees in distributed environments. One known solution is to create trusted third parties that “vouch” that certificates used during remote attestation and certificates used to establish secure tunnels belong to the same system. Drawbacks of known solutions include (among others): (1) third parties are difficult to establish; (2) third parties are currently unable to solve key revocation in a scalable and cost-efficient way; and (3) it is extremely difficult to find commonly trusted parties in heterogeneous distributed environments.
- In view of the foregoing, there exists a need for a solution that solves at least one of the deficiencies in the related art.
- The present invention expands the current use of PCRs to include not only common, static data measurements, but also computer system-specific, static data measurements and dynamic data. Adding static but system specific measurements allows a remote system to attest to and therefore attach those measurements to measurements of common data such as the software running on the system. Such static data would typically be present at system startup. An example of system specific static data is a network communications channel public key or certificate. Adding these measurements to PCRs allows a remote system to attest to the system properties at the end points of a secure communication channel by anchoring public keys and relevant attributes associated with establishing a secure channel to the system's integrity measurements.
- Adding dynamic data calculated as the system runs allows a remote party/system to attest to and therefore attach those measurements to measurements of common data such as the software running on the system. Some dynamic data is typically generated once. An example of dynamic data typically assigned at boot time is a dynamically assigned IP address. Other dynamic data is continuously generated. An example of dynamic data determined as the system runs applications is a log of activity such as logins or system hardware or software errors. Adding these measurements to PCRs allows the remote system to attest that the activity, system, event, or error log was generated by a trusted system and not altered.
- A first aspect of the present invention provides a method of remotely attesting to a state of a computer system, comprising: storing data specific to the computer system in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data specific to the computer system.
- A second aspect of the present invention provides a method of a remote system establishing a secure connection to a local system comprising: receiving a list of names of measured items specific to the local system, values of the measured items, and signed states of current Platform Configuration Register (PCR) values on the remote system from the local system; requesting a secure connection to the local system and receiving an authentication credential of the local system; verifying that the authentication credential is contained in the received list of names; and determining whether to continue establishing the secure connection based on the verifying.
- A third aspect of the present invention provides a system for remotely attesting to a state of a computer system, comprising: a measurement system for measuring data specific to the computer system; a PCR system for storing the data in a set of Platform Configuration Registers (PCRs); a challenge reception system for receiving an attestation challenge from a remote computer system; and a quotation system for responding to the attestation challenge using the data stored in the set of PCRs.
- A fourth aspect of the present invention provides a program product stored on a computer readable medium for remotely attesting to a state of a computer system, the computer readable medium comprising program code for causing a computer system to perform the following steps: measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.
- A fifth aspect of the present invention provides a method for deploying an application for remotely attesting to a state of a computer system, comprising: providing a computer infrastructure being operable to: measure data specific to the computer system; store the data in a set of Platform Configuration Registers (PCRs); receive an attestation challenge from a remote computer system; and respond to the attestation challenge using the data stored in the set of PCRs.
- A sixth aspect of the present invention provides computer software embodied in a propagated signal for remotely attesting to a state of a computer system, the computer software comprising instructions for causing a computer system to perform the following steps: measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.
- Therefore, the present invention provides a method, system, and program product for remotely attesting to a state of a computer system, as well as for a remote system to establish a secure connection to a local system.
- These and other features of this invention will be more readily understood from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:
- FIG. 1 depicts a system for remotely attesting to the state of a computer system according to the present invention.
- FIG. 2 depicts a flow chart of a remote attestation process according to the present invention.
- FIG. 3 depicts a flow chart showing the addition of a computer system-specific static measurement according to the present invention.
- FIG. 4 depicts a flow chart showing the addition of a dynamic measurement at boot time according to the present invention.
- FIG. 5 depicts a flow chart showing the addition of dynamic measurements as the computer system is running according to the present invention.
- FIG. 6 depicts a flow chart showing the use of attestation in the establishment of a secure communications tunnel according to the present invention.
- The drawings are not necessarily to scale. The drawings are merely schematic representations, not intended to portray specific parameters of the invention. The drawings are intended to depict only typical embodiments of the invention, and therefore should not be considered as limiting the scope of the invention. In the drawings, like numbering represents like elements.
- The present invention expands the current use of PCRs to include not only common, static data measurements, but also computer system-specific static data measurements and dynamic data. Adding static but system specific measurements allows a remote system to attest to and therefore attach those measurements to measurements of common data such as the software running on the system. Such static data would typically be present at system startup. An example of system specific static data is a network communications channel public key or certificate. Adding these measurements to PCRs allows a remote system to attest to the system properties at the end points of a secure communication channel by anchoring public keys and relevant attributes associated with establishing a secure channel to the system's integrity measurements.
- Adding dynamic data calculated as the system runs allows a remote party/system to attest to and therefore attach those measurements to measurements of common data such as the software running on the system. Some dynamic data is typically generated once. An example of dynamic data typically assigned at boot time is a dynamically assigned IP address. Other dynamic data is continuously generated. An example of dynamic data determined as the system runs applications is a log of activity such as logins or system hardware or software errors. Adding these measurements to PCRs allows the remote system to attest that the activity, system, event, or error log was generated by a trusted system and not altered.
- Referring now to FIG. 1, a system 10 for remotely attesting to a state of a computer system according to the present invention is shown. As depicted, system 10 includes a local (computer) system 14 deployed within a computer infrastructure/environment 12. This is intended to demonstrate, among other things, that the present invention could be implemented within a network environment (e.g., the Internet, a wide area network (WAN), a local area network (LAN), a virtual private network (VPN), etc.), or on a stand-alone computer system. In the case of the former, communication throughout the network can occur via any combination of various types of communications links. For example, the communication links can comprise addressable connections that may utilize any combination of wired and/or wireless transmission methods. Where communications occur via the Internet, connectivity could be provided by conventional TCP/IP sockets-based protocol, and an Internet service provider could be used to establish connectivity to the Internet. Still yet, computer infrastructure 12 is intended to demonstrate that some or all of the components of system 10 could be deployed, managed, serviced, etc. by a service provider who offers to remotely attest to a state of a computer system according to the present invention.
- As shown, local system 14 includes a processing unit 16, a memory 18, a bus 20, and input/output (I/O) interfaces 22. Further, local system 14 is shown in communication with external I/O devices/resources 24 and storage system 26. In general, processing unit 16 executes computer program code, such as operating system 30, which is stored in memory 18 and/or storage system 26. While executing computer program code, processing unit 16 can read and/or write data to/from memory 18, storage system 26, and/or I/O interfaces 22. Bus 20 provides a communication link between each of the components in local system 14. External interfaces 24 can comprise any devices (e.g., keyboard, pointing device, display, etc.) that enable a user to interact with local system 14 and/or any devices (e.g., network card, modem, etc.) that enable local system 14 to communicate with one or more other devices.
- Computerized infrastructure 12 is only illustrative of various types of computer infrastructures for implementing the invention. For example, in one embodiment, computerized infrastructure 12 comprises two or more devices (e.g., a server cluster) that communicate over a network to perform the various process steps of the invention. Moreover, local system 14 is only representative of various possible computer systems that can include numerous combinations of hardware. To this extent, in other embodiments, local system 14 can comprise any specific purpose article of manufacture comprising hardware and/or computer program code for performing specific functions, any article of manufacture that comprises a combination of specific purpose and general purpose hardware/software, or the like. In each case, the program code and hardware can be created using standard programming and engineering techniques, respectively. Moreover, processing unit 16 may comprise a single processing unit, or be distributed across one or more processing units in one or more locations, e.g., on a client and server. Similarly, memory 18 and/or storage system 26 can comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations. Further, I/O interfaces 22 can comprise any system for exchanging information with one or more external interfaces 24. Still further, it is understood that one or more additional components (e.g., system software, math co-processing unit, etc.) not shown in FIG. 1 can be included in local system 14. However, if local system 14 comprises a handheld device or the like, it is understood that one or more external interfaces 24 (e.g., a display) and/or storage system 26 could be contained within local system 14, not externally as shown.
- Storage system 26 can be any type of system (e.g., a database) capable of providing storage for information under the present invention. To this extent, storage system 26 could include one or more storage devices, such as a magnetic disk drive or an optical disk drive. In another embodiment, storage system 26 includes data distributed across, for example, a local area network (LAN), wide area network (WAN) or a storage area network (SAN) (not shown). It should be understood that although not shown, remote (computer) system 54 includes computerized components similar to local system 14. In addition, although not shown, additional components, such as cache memory, communication systems, system software layers (e.g., BIOS, Boot, etc.) may be incorporated into local system 14 and/or remote system 54.
- Shown in memory 18 of local system 14 is operating system 30 and local attestation system 32. Local attestation system 32 includes measurement system 34, digest system 36, registry system 38, and challenge reception system 40. Also provided on local system 14 (as a chip outside of memory 18) is trusted platform module 45 that contains a set of PCRs 44 and a quotation system 42. Shown loaded (e.g., in memory) of remote system 54 is remote attestation system 46, which includes connection system 48, challenge system 50, and validation system 52. It should be appreciated that the same functionality could be implemented with a different configuration of systems and/or subsystems than is shown in FIG. 1. This depiction is intended to be illustrative only.
- As indicated above, the present invention allows a secure connection to be established between local system 14 and remote system 54. Specifically, the state of local system 14 will be attested to by remote system 54 using data not previously utilized for such attestation. To this extent, assume that connection system 48 attempts to establish a secure connection (e.g., such as an SSL or IPSec connection) with local system 14. Measurement system 34 will initially make its data measurements. In a typical embodiment, the data measured includes (among other things) data specific to local system 14. Measurement system 34 will also compile a list of names of measured items and their measured values.
- Under the present invention, the data measured can include static data and/or dynamic data associated with local system 14. One example of static data is a public key used for establishing a communications channel. The dynamic data can be data generated as local system 14 is running. Along these lines, the dynamic data can be generated once and assigned to local system 14, or periodically as local system 14 runs. Examples of dynamic data include a network dynamic IP address assigned to local system 14, a notification that a user has logged into local system 14, information related to the execution or termination of a program running on local system 14, an event such as an error condition occurring on local system 14, or the like.
- Regardless, digest system 36 will compute a digest that contains the information measured by measurement system 34, and registry system 38 will store the digest in a set (e.g., one or more) of PCRs 44. In attempting to establish and/or maintain the connection to local system 14, challenge system 50 will issue an attestation challenge that is received by challenge reception system 40. In response, quotation system 42 will generate a quotation/response to the attestation challenge. Specifically, quotation system 42 will incorporate the challenge into a TPM quote, along with a digest of the selected PCRs. The quote is signed with an AIK. The signature, the list compiled by measurement system 34, the AIK, and the AIK certificate (e.g., an authentication credential such as an X.509 certificate) are returned to remote system 54.
- Upon receipt, validation system 52 will validate the AIK certificate. Validation may include validating the digest, validating the signature against a privacy certificate authority public key, validating the expiration date, etc. This establishes trust in the AIK public key using the privacy certificate authority as the root of trust. The validation system will also validate the quote signature using the AIK public key. This establishes trust in the quote contents. Further, validation system 52 will validate the measurements. Expected PCR values are reconstructed using the digests included in the measurement list. The expected values are digested and validated against the digest returned in the quote. This establishes trust in the measurement list contents. In addition, validation system 52 will verify that the authentication credential was contained in the received list. Specifically, validation system 52 will verify that a hash of the authentication credential was contained in the received list. Based on the validation performed by validation system 52, connection system 48 will determine whether to continue establishing the secure connection with local system 14.
- These operations will now be described in conjunction with the flow diagrams of FIGS. 2-6. FIG. 2 shows a flow chart 100 of the attestation process of the present invention. In step 110, a measuring software layer measures the next measured software layer to be called. In step 120, the measuring software layer calculates a digest of the measured layer and extends the digest into a TPM PCR. In step 130, the measuring software layer adds information about the measured software layer to a measurement list.
- It should be understood that the order of
steps Steps - In
step 140, the software waits for an attestation challenge from a remote system/party. In step 150, the software incorporates the challenge into a TPM quote, along with a digest of the selected PCRs. The quote is signed with an AIK. The signature, the list, the AIK, and the AIK certificate are returned to the remote system/party. In step 160, the remote system validates the AIK certificate. Validation may include validating the digest, validating the signature against a privacy certificate authority public key, validating the expiration date, etc. This establishes trust in the AIK public key using the privacy certificate authority as the root of trust. In step 170, the remote system validates the quote signature using the AIK public key. This establishes trust in the quote contents. In step 180, the measurement list is validated. Expected PCR values are reconstructed using the digests included in the measurement list. The expected values are digested and validated against the digest returned in the quote. This establishes trust in the measurement list contents. In step 190, the measurement list entries are compared to trusted values for the software or configuration files. It should also be understood that the order of steps validation steps
- FIG. 3 depicts a flow chart 200 showing the addition of a system specific static measurement. In general, the steps are substantially similar to those described in FIG. 2 and will not be repeated for clarity. However, in step 210 a measurement is made of data specific to the local system. Examples of such data are networking public keys, certificates, etc. In step 290, measurement list entries are now expanded to include this system specific data. In this way, the remote system atomically links the common software measurements to system specific data. This atomicity assures the remote system that the system specific data did indeed come from the local system running the trusted software.
- FIG. 4 depicts a flow chart 300 showing the addition of a dynamic measurement at boot time. Similar to FIG. 3, the steps are substantially similar to those of FIG. 2 and will not be repeated for clarity. However, in step 310 a measurement is made of dynamic data determined at boot time. Examples of such data are a dynamically allocated IP address, etc. In step 390, measurement list entries are now expanded to include this dynamic data. In this way, the remote system atomically links the common software measurements to the dynamic data. This atomicity assures the remote system that the dynamic data did indeed come from the local system running the trusted software.
- FIG. 5 depicts a flow chart 400 showing the addition of dynamic measurements as the local system is running. Similar to FIGS. 3 and 4, the steps are substantially similar to those of FIG. 2 and will not be repeated for clarity. However, in step 410 a measurement is made of dynamic data determined as the local system is running. Examples of such data are user login requests, software application startup and exit, hardware and software events, etc. Events may be augmented with time stamps, system state, user identifiers, etc. Data could also include a digest of a log file containing such events. In step 490, measurement list entries are now expanded to include this dynamic data determined as the local system is running. For example, the measurement list can now have event or audit logs appended to the previous measurements. In this way, the remote system atomically links the common software measurements to the dynamic data determined as the local system is running. This atomicity assures the remote system that the dynamic data determined as the local system is running did indeed come from the local system running the trusted software. For example, the remote system can now be assured that an event or audit log was generated by trusted software and has not been tampered with by an un-trusted entity.
- FIG. 6 depicts a flow chart 500 showing the use of attestation in the establishment of a secure communications tunnel such as an SSL connection, or an IPSec connection. In step 510, a measuring software layer reads a measured item. In step 520, the measuring software layer calculates a digest of the measured item and extends the digest into a TPM PCR. In step 530, the measuring software layer adds the measured item to a list of names of measured items along with the value of the measurement. Steps step 550, the remote system receives a list containing the names and values of all measured items. It also receives a TPM quote, which is a signed TPM state that includes the current TPM PCR values, and the TPM's AIK certificate. In step 560, the remote system validates the AIK certificate as in step 160 of FIG. 2. In step 570, the remote system validates the quote signature as in step 170 of FIG. 2. In step 580, the remote system verifies the received list of measured items against the reported PCR state from the TPM quote. This step establishes that the measurement list can be trusted. In step 585, the remote system establishes a secure connection to the attesting party. In an alternate implementation, the secure connection can be established before the attestation quote generation and validation. As part of the secure connection protocol, the remote system receives an authentication credential and uses it to establish the connection. This should be the same credential that was measured in steps 510, 520, and 530. In step 590, in addition to the validation functions performed as described for step 190 of FIG. 2, the remote system verifies that the authentication credential received in the measurement list and that received during the secure connection setup are identical.
- By executing these validation steps, the remote system is assured that the attesting party is the same party that set up the secure communications channel. Without the trust link established by including the authentication certificate in the TPM quote, it would have been possible that the attestation of correct software state came from one remote system, but that the secure connection came from a different party. For example, a man-in-the-middle could establish the secure connection, but pass the attestation request on to the attestation party and return its response. Including the system specific authentication certificate in the TPM quote eliminates the possibility of this attack.
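The measurement, quote and validation steps of FIG. 2 and the credential binding of FIG. 6, as an added Python illustration that is not code from the patent (which contains none): the local system extends one emulated PCR with common software layers, a system-specific certificate, a boot-time address and an audit log (FIGS. 3-5), and the remote side replays the measurement list to reconstruct the PCR (step 180/580), checks the software against known-good values (step 190) and confirms the tunnel credential is the one bound in the quote (step 590). Assumed here: SHA-256 as the PCR hash, an HMAC under a constructed key standing in for the AIK signature, no AIK certificate validation (step 160), and all names, certificates, addresses and log lines constructed.

```python
import hashlib
import hmac

HASH = hashlib.sha256           # assumed PCR hash; the page does not name the TPM's algorithm
PCR_INIT = b"\x00" * 32         # a PCR starts at all zeros before the first extend
AIK_STANDIN_KEY = b"constructed key: HMAC stands in for the AIK signature"

# Constructed known-good digests for the common software layers (step 190).
KNOWN_GOOD = {
    "bootloader": hashlib.sha256(b"bootloader v1 (constructed)").digest(),
    "kernel": hashlib.sha256(b"kernel v1 (constructed)").digest(),
    "app": hashlib.sha256(b"app v1 (constructed)").digest(),
}


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR <- H(PCR || digest). Order-dependent and one-way."""
    return HASH(pcr + digest).digest()


class LocalSystem:
    """Attesting side (local system 14): one emulated PCR plus the measurement list."""

    def __init__(self) -> None:
        self.pcr = PCR_INIT
        self.measurement_list = []   # (name, digest) pairs in extend order

    def measure(self, name: str, data: bytes) -> None:
        """Steps 110-130 / 510-530: digest the item, extend the PCR, record name and digest."""
        digest = HASH(data).digest()
        self.pcr = extend(self.pcr, digest)
        self.measurement_list.append((name, digest))

    def quote(self, nonce: bytes) -> dict:
        """Step 150: bind the challenge nonce to the PCR value and sign (HMAC stand-in)."""
        sig = hmac.new(AIK_STANDIN_KEY, nonce + self.pcr, HASH).digest()
        return {"nonce": nonce, "pcr": self.pcr, "sig": sig}


def reconstruct_pcr(measurement_list) -> bytes:
    """Step 180 / 580: replay the measurement list to get the PCR it should have produced."""
    pcr = PCR_INIT
    for _, digest in measurement_list:
        pcr = extend(pcr, digest)
    return pcr


def verify(quote: dict, measurement_list, nonce: bytes, presented_credential: bytes):
    """Remote side (validation system 52). Returns (accepted, reason)."""
    # Step 170 / 570: quote signature (AIK certificate validation, step 160, not modelled)
    expected = hmac.new(AIK_STANDIN_KEY, quote["nonce"] + quote["pcr"], HASH).digest()
    if not hmac.compare_digest(quote["sig"], expected):
        return False, "quote signature invalid"
    if quote["nonce"] != nonce:
        return False, "quote nonce mismatch"          # a quote replayed from another challenge
    # Step 180 / 580: the list must reproduce the quoted PCR, else it was altered or reordered
    if reconstruct_pcr(measurement_list) != quote["pcr"]:
        return False, "measurement list does not match quoted PCR"
    # Step 190: common software layers must match known-good values
    for layer, good in KNOWN_GOOD.items():
        if (layer, good) not in measurement_list:
            return False, f"missing or untrusted software layer: {layer}"
    # Step 590: the credential used for the tunnel must be the one in the trusted list
    bound = dict(measurement_list).get("tls-cert")
    if bound is None or not hmac.compare_digest(bound, HASH(presented_credential).digest()):
        return False, "connection credential not bound to attestation"
    return True, "ok"


# Constructed sample data: no real certificates, addresses or logs.
HONEST_CERT = b"constructed X.509 certificate of local system 14"
MITM_CERT = b"constructed X.509 certificate of an interposed party"
AUDIT_LOG = b"t=1 login alice\nt=2 app start\nt=3 app exit\n"


def build_attester(credential: bytes, audit_log: bytes) -> LocalSystem:
    local = LocalSystem()
    local.measure("bootloader", b"bootloader v1 (constructed)")   # FIG. 2: common software
    local.measure("kernel", b"kernel v1 (constructed)")
    local.measure("app", b"app v1 (constructed)")
    local.measure("tls-cert", credential)        # FIG. 3: system-specific static data
    local.measure("boot-ip", b"192.0.2.10")      # FIG. 4: dynamic data fixed at boot
    local.measure("audit-log", audit_log)        # FIG. 5: dynamic data while running
    return local


def scenario(presented_credential: bytes, tamper_log: bool = False, replay: bool = False):
    """Run one attestation exchange; the local system always holds HONEST_CERT."""
    nonce = b"constructed challenge nonce 0001"
    local = build_attester(HONEST_CERT, AUDIT_LOG)
    quote = local.quote(nonce)
    sent_list = list(local.measurement_list)
    if tamper_log:   # an edited log on the wire no longer reproduces the quoted PCR
        forged = HASH(b"t=1 login nobody\n").digest()
        sent_list = [(n, forged if n == "audit-log" else d) for n, d in sent_list]
    challenge = b"constructed challenge nonce 0002" if replay else nonce
    return verify(quote, sent_list, challenge, presented_credential)
```

`scenario(MITM_CERT)` models the interposed tunnel the text describes: the attestation itself validates, but the credential presented for the connection is not the one the measurement list binds, so the remote side declines to proceed.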
- This embodiment is described in terms of one attesting/local system and one remote system. It is understood that, for certain applications the roles may be reversed during the protocol, so that each system can establish trust in the other. That is, during certain protocols, both parties can be both the attesting system and the remote system attempting to establish trust.
- While shown and described herein as a method and system for remotely attesting to a state of a computer system, it is understood that the invention further provides various alternative embodiments. For example, in one embodiment, the invention provides a computer-readable/useable medium that includes computer program code to enable a computer infrastructure to remotely attest to a state of a computer system. To this extent, the computer-readable/useable medium includes program code that implements each of the various process steps of the invention. It is understood that the terms computer-readable medium or computer useable medium comprise one or more of any type of physical embodiment of the program code. In particular, the computer-readable/useable medium can comprise program code embodied on one or more portable storage articles of manufacture (e.g., a compact disc, a magnetic disk, a tape, etc.), on one or more data storage portions of a providing device, such as memory 18 (FIG. 1) and/or storage system 26 (FIG. 1) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.), and/or as a data signal (e.g., a propagated signal) traveling over a network (e.g., during a wired/wireless electronic distribution of the program code).
- In another embodiment, the invention provides a business method that performs the process steps of the invention on a subscription, advertising, and/or fee basis. That is, a service provider, such as a Solution Integrator, could offer to remotely attest to a state of a computer system. In this case, the service provider can create, maintain, support, etc., a computer infrastructure, such as computerized infrastructure 12 (FIG. 1) that performs the process steps of the invention for one or more customers. In return, the service provider can receive payment from the target organization(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.
- In still another embodiment, the invention provides a computer-implemented method for remotely attesting to a state of a computer system. In this case, a computerized infrastructure, such as computer infrastructure 12 (FIG. 1), can be provided and one or more systems for performing the process steps of the invention can be obtained (e.g., created, purchased, used, modified, etc.) and deployed to the computer infrastructure. To this extent, the deployment of a system can comprise one or more of (1) installing program code on a providing device, such as local system 14 (FIG. 1), from a computer-readable medium; (2) adding one or more providing devices to the computer infrastructure; and (3) incorporating and/or modifying one or more existing systems of the computer infrastructure to enable the computer infrastructure to perform the process steps of the invention.
- As used herein, it is understood that the terms “program code” and “computer program code” are synonymous and mean any expression, in any language, code or notation, of a set of instructions intended to cause a providing device having an information processing capability to perform a particular function either directly or after either or both of the following: (a) conversion to another language, code or notation; and/or (b) reproduction in a different material form. To this extent, program code can be embodied as one or more of: an application/software program, component software/a library of functions, an operating system, a basic I/O system/driver for a particular providing and/or I/O device, and the like.
- The foregoing description of various aspects of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and obviously, many modifications and variations are possible. Such modifications and variations that may be apparent to a person skilled in the art are intended to be included within the scope of the invention as defined by the accompanying claims.
Claims (30)
1. A method of remotely attesting to a state of a computer system, comprising:
storing data specific to the computer system in a set of Platform Configuration Registers (PCRs);
receiving an attestation challenge from a remote computer system; and
responding to the attestation challenge using the data specific to the computer system.
2. The method of claim 1 , wherein the data specific to the computer system comprises static data associated with the computer system.
3. The method of claim 2 , wherein the static data comprises public key data used for establishing a communications channel.
4. The method of claim 1 , wherein the data specific to the computer system comprises dynamic data associated with the computer system that is generated as the computer system is running.
5. The method of claim 4 , wherein the dynamic data is generated once and assigned to the computer system.
6. The method of claim 4 , wherein the dynamic data comprises a network dynamic IP address assigned to the computer system.
7. The method of claim 4 , wherein the dynamic data is generated periodically as the computer system runs.
8. The method of claim 7 , wherein the dynamic data comprises a notification that a user has logged into the computer system.
9. The method of claim 7 , wherein the dynamic data relates to at least one of: an execution or a termination of a program running on the computer system.
10. The method of claim 7 , wherein the dynamic data comprises an event occurring on the computer system.
11. The method of claim 10 , wherein the event comprises an error condition detected by the computer system.
12. A method of a remote system establishing a secure connection to a local system comprising:
receiving a list of names of measured items specific to the local system, values of the measured items, and signed states of current Platform Configuration Register (PCR) values on the remote system from the local system;
requesting a secure connection to the local system and receiving an authentication credential of the local system;
verifying that the authentication credential is contained in the received list; and
determining whether to continue establishing the secure connection based on the verifying.
13. The method of claim 12 , wherein the authentication credential comprises an X.509 certificate.
14. The method of claim 12 , wherein the secure connection comprises at least one of the following: an SSL connection, or an IPSec connection.
15. The method of claim 12 , further comprising the step of verifying that a hash of the authentication credential is contained in the received list.
16. A system for remotely attesting to a state of a computer system, comprising:
a measurement system for measuring data specific to the computer system;
a PCR system for storing the data in a set of Platform Configuration Registers (PCRs);
a challenge reception system for receiving an attestation challenge from a remote computer system; and
a quotation system for responding to the attestation challenge using the data stored in the set of PCRs.
17. The system of claim 16 , wherein the data specific to the computer system comprises static data associated with the computer system.
18. The system of claim 17 , wherein the static data comprises public key data used for establishing a communications channel.
19. The system of claim 16 , wherein the data specific to the computer system comprises dynamic data associated with the computer system that is generated as the computer system is running.
20. The system of claim 19 , wherein the dynamic data is generated once and assigned to the computer system.
21. The system of claim 19 , wherein the dynamic data comprises a network dynamic IP address assigned to the computer system.
22. The system of claim 19 , wherein the dynamic data is generated periodically as the computer system runs.
23. The system of claim 22 , wherein the dynamic data comprises a notification that a user has logged into the computer system.
24. The system of claim 22 , wherein the dynamic data relates to at least one of: an execution or a termination of a program running on the computer system.
25. The system of claim 22 , wherein the dynamic data comprises an event occurring on the computer system.
26. The system of claim 25 , wherein the event comprises an error condition detected by the computer system.
27. The system of claim 16 , further comprising a digest system for computing a digest that contains the data specific to the computer system, wherein the PCR system stores the digest in the set of PCRs.
28. A program product stored on a computer readable medium for remotely attesting to a state of a computer system, the computer readable medium comprising program code for causing a computer system to perform the following steps:
measuring data specific to the computer system;
storing the data in a set of Platform Configuration Registers (PCRs);
receiving an attestation challenge from a remote computer system; and
responding to the attestation challenge using the data stored in the set of PCRs.
29. The program product of claim 28 , wherein the data specific to the computer system comprises at least one of the following types of data: static data associated with the computer system, or dynamic data associated with the computer system.
30. A method for deploying an application for remotely attesting to a state of a computer system, comprising:
providing a computerized infrastructure being operable to:
measure data specific to the computer system;
store the data in a set of Platform Configuration Registers (PCRs);
receive an attestation challenge from a remote computer system; and
respond to the attestation challenge using the data stored in the set of PCRs.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/463,563 US20080046752A1 (en) | 2006-08-09 | 2006-08-09 | Method, system, and program product for remotely attesting to a state of a computer system |
US12/170,504 US9298922B2 (en) | 2006-08-09 | 2008-07-10 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/044,609 US9536092B2 (en) | 2006-08-09 | 2016-02-16 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/261,118 US9836607B2 (en) | 2006-08-09 | 2016-09-09 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/261,059 US10242192B2 (en) | 2006-08-09 | 2016-09-09 | Method, system, and program product for remotely attesting to a state of a computer system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/463,563 US20080046752A1 (en) | 2006-08-09 | 2006-08-09 | Method, system, and program product for remotely attesting to a state of a computer system |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/170,504 Continuation US9298922B2 (en) | 2006-08-09 | 2008-07-10 | Method, system, and program product for remotely attesting to a state of a computer system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20080046752A1 true US20080046752A1 (en) | 2008-02-21 |
Family
ID=39102748
Family Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/463,563 Abandoned US20080046752A1 (en) | 2006-08-09 | 2006-08-09 | Method, system, and program product for remotely attesting to a state of a computer system |
US12/170,504 Active 2027-10-25 US9298922B2 (en) | 2006-08-09 | 2008-07-10 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/044,609 Active US9536092B2 (en) | 2006-08-09 | 2016-02-16 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/261,118 Active US9836607B2 (en) | 2006-08-09 | 2016-09-09 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/261,059 Expired - Fee Related US10242192B2 (en) | 2006-08-09 | 2016-09-09 | Method, system, and program product for remotely attesting to a state of a computer system |
Family Applications After (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/170,504 Active 2027-10-25 US9298922B2 (en) | 2006-08-09 | 2008-07-10 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/044,609 Active US9536092B2 (en) | 2006-08-09 | 2016-02-16 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/261,118 Active US9836607B2 (en) | 2006-08-09 | 2016-09-09 | Method, system, and program product for remotely attesting to a state of a computer system |
US15/261,059 Expired - Fee Related US10242192B2 (en) | 2006-08-09 | 2016-09-09 | Method, system, and program product for remotely attesting to a state of a computer system |
Country Status (1)
Country | Link |
---|---|
US (5) | US20080046752A1 (en) |
Cited By (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080046898A1 (en) * | 2006-08-18 | 2008-02-21 | Fujitsu Limited | Method and System for Implementing an External Trusted Platform Module |
US20080046581A1 (en) * | 2006-08-18 | 2008-02-21 | Fujitsu Limited | Method and System for Implementing a Mobile Trusted Platform Module |
US20080183992A1 (en) * | 2006-12-05 | 2008-07-31 | Don Martin | Tape backup method |
US20080288783A1 (en) * | 2006-12-15 | 2008-11-20 | Bernhard Jansen | Method and system to authenticate an application in a computing platform operating in trusted computing group (tcg) domain |
US20090300348A1 (en) * | 2008-06-02 | 2009-12-03 | Samsung Electronics Co., Ltd. | Preventing abuse of services in trusted computing environments |
US20100031047A1 (en) * | 2008-02-15 | 2010-02-04 | The Mitre Corporation | Attestation architecture and system |
US20100082984A1 (en) * | 2008-09-26 | 2010-04-01 | Microsoft Corporation | Protocol-Independent Remote Attestation And Sealing |
US20110202755A1 (en) * | 2009-11-25 | 2011-08-18 | Security First Corp. | Systems and methods for securing data in motion |
FR2976753A1 (en) * | 2011-06-15 | 2012-12-21 | Airbus Operations Sas | Method for initiating communication between communication systems for aircraft, involves sending certificate of conformity to communication system to allow system to decide whether communication with another system is agreed |
US8601498B2 (en) | 2010-05-28 | 2013-12-03 | Security First Corp. | Accelerator system for use with secure data storage |
US8650434B2 (en) | 2010-03-31 | 2014-02-11 | Security First Corp. | Systems and methods for securing data in motion |
US8654971B2 (en) | 2009-05-19 | 2014-02-18 | Security First Corp. | Systems and methods for securing data in the cloud |
US20140089664A1 (en) * | 2008-10-10 | 2014-03-27 | Microsoft Corporation | Trusted and confidential remote tpm initialization |
WO2014072579A1 (en) * | 2012-11-08 | 2014-05-15 | Nokia Corporation | Partially virtualizing pcr banks in mobile tpm |
US8769270B2 (en) | 2010-09-20 | 2014-07-01 | Security First Corp. | Systems and methods for secure data sharing |
US8769699B2 (en) | 2004-10-25 | 2014-07-01 | Security First Corp. | Secure data parser method and system |
US9075996B2 (en) | 2012-07-30 | 2015-07-07 | Microsoft Technology Licensing, Llc | Evaluating a security stack in response to a request to access a service |
US20160050071A1 (en) * | 2014-08-18 | 2016-02-18 | Proton World International N.V. | Device and method for providing trusted platform module services |
US20160283411A1 (en) * | 2015-03-27 | 2016-09-29 | Intel Corporation | Methods and Apparatus to Utilize A Trusted Loader In A Trusted Computing Environment |
WO2016195708A1 (en) * | 2015-06-05 | 2016-12-08 | Hewlett Packard Enterprise Development Lp | Remote attestation of a network endpoint device |
EP3229164A1 (en) * | 2016-04-07 | 2017-10-11 | Huawei Technologies Co., Ltd. | Devices for measuring and verifying system states |
US10033756B1 (en) * | 2017-10-26 | 2018-07-24 | Hytrust, Inc. | Methods and systems for holistically attesting the trust of heterogeneous compute resources |
WO2018104890A3 (en) * | 2016-12-06 | 2018-08-30 | Enrico Maim | Methods and entities, in particular of a transactional nature, using secure devices |
US20190158461A1 (en) * | 2015-12-22 | 2019-05-23 | Mcafee, Llc | Attestation device custody transfer protocol |
CN110188530A (en) * | 2019-05-30 | 2019-08-30 | 苏州浪潮智能科技有限公司 | A kind of safety certifying method, device, equipment and readable storage medium storing program for executing |
US10482034B2 (en) * | 2016-11-29 | 2019-11-19 | Microsoft Technology Licensing, Llc | Remote attestation model for secure memory applications |
US10915632B2 (en) | 2018-11-27 | 2021-02-09 | International Business Machines Corporation | Handling of remote attestation and sealing during concurrent update |
US11163865B2 (en) * | 2019-03-22 | 2021-11-02 | Advanced New Technologies Co., Ltd. | Trusted computing method, and server |
US11232190B2 (en) * | 2018-11-01 | 2022-01-25 | Trustonic Limited | Device attestation techniques |
US20220108008A1 (en) * | 2021-12-15 | 2022-04-07 | Intel Corporation | Platform health verification |
US20220303266A1 (en) * | 2019-01-03 | 2022-09-22 | Capital One Services, Llc | Secure authentication of a user |
US20230185969A1 (en) * | 2020-06-29 | 2023-06-15 | Siemens Aktiengesellschaft | Consensus method for a distributed database |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI107773B (en) * | 1998-12-11 | 2001-09-28 | Nokia Mobile Phones Ltd | Set handover timing |
US20080046752A1 (en) | 2006-08-09 | 2008-02-21 | Stefan Berger | Method, system, and program product for remotely attesting to a state of a computer system |
US8387152B2 (en) * | 2008-06-27 | 2013-02-26 | Microsoft Corporation | Attested content protection |
US9087196B2 (en) * | 2010-12-24 | 2015-07-21 | Intel Corporation | Secure application attestation using dynamic measurement kernels |
US8966642B2 (en) * | 2011-04-05 | 2015-02-24 | Assured Information Security, Inc. | Trust verification of a computing platform using a peripheral device |
US9014023B2 (en) | 2011-09-15 | 2015-04-21 | International Business Machines Corporation | Mobile network services in a mobile data network |
US8971192B2 (en) | 2011-11-16 | 2015-03-03 | International Business Machines Corporation | Data breakout at the edge of a mobile data network |
US8793504B2 (en) * | 2012-02-22 | 2014-07-29 | International Business Machines Corporation | Validating a system with multiple subsystems using trusted platform modules and virtual platform modules |
US20200204991A1 (en) * | 2018-12-21 | 2020-06-25 | Micron Technology, Inc. | Memory device and managed memory system with wireless debug communication port and methods for operating the same |
CN108280351A (en) * | 2017-12-25 | 2018-07-13 | 上海电力学院 | A kind of credible startup method of the electricity consumption acquisition terminal based on TPM |
EP3561709B1 (en) * | 2018-04-25 | 2020-07-29 | Siemens Aktiengesellschaft | Data processing apparatus, system, and method for proving or checking the security of a data processing apparatus |
US11321465B2 (en) * | 2019-04-04 | 2022-05-03 | Cisco Technology, Inc. | Network security by integrating mutual attestation |
CN112688782B (en) * | 2019-10-17 | 2023-09-08 | 华为技术有限公司 | Remote proving method and equipment for combined equipment |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050149722A1 (en) * | 2003-12-30 | 2005-07-07 | Intel Corporation | Session key exchange |
US20050268093A1 (en) * | 2004-05-25 | 2005-12-01 | Proudler Graeme J | Method and apparatus for creating a trusted environment in a computing platform |
US20060015732A1 (en) * | 2004-07-15 | 2006-01-19 | Sony Corporation | Processing system using internal digital signatures |
US7058807B2 (en) * | 2002-04-15 | 2006-06-06 | Intel Corporation | Validation of inclusion of a platform within a data center |
US7210169B2 (en) * | 2002-08-20 | 2007-04-24 | Intel Corporation | Originator authentication using platform attestation |
US7350072B2 (en) * | 2004-03-30 | 2008-03-25 | Intel Corporation | Remote management and provisioning of a system across a network based connection |
US20080163212A1 (en) * | 2006-12-29 | 2008-07-03 | Zimmer Vincent J | Paralleled management mode integrity checks |
US7574600B2 (en) * | 2004-03-24 | 2009-08-11 | Intel Corporation | System and method for combining user and platform authentication in negotiated channel security protocols |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1282023A1 (en) * | 2001-07-30 | 2003-02-05 | Hewlett-Packard Company | Trusted platform evaluation |
JP4064914B2 (en) * | 2003-12-02 | 2008-03-19 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Information processing apparatus, server apparatus, method for information processing apparatus, method for server apparatus, and apparatus executable program |
US20050149729A1 (en) * | 2003-12-24 | 2005-07-07 | Zimmer Vincent J. | Method to support XML-based security and key management services in a pre-boot execution environment |
US7373509B2 (en) * | 2003-12-31 | 2008-05-13 | Intel Corporation | Multi-authentication for a computing device connecting to a network |
US7412596B2 (en) * | 2004-10-16 | 2008-08-12 | Lenovo (Singapore) Pte. Ltd. | Method for preventing system wake up from a sleep state if a boot log returned during the system wake up cannot be authenticated |
US7818585B2 (en) * | 2004-12-22 | 2010-10-19 | Sap Aktiengesellschaft | Secure license management |
US7836299B2 (en) * | 2005-03-15 | 2010-11-16 | Microsoft Corporation | Virtualization of software configuration registers of the TPM cryptographic processor |
US7636442B2 (en) * | 2005-05-13 | 2009-12-22 | Intel Corporation | Method and apparatus for migrating software-based security coprocessors |
US8150416B2 (en) | 2005-08-08 | 2012-04-03 | Jambo Networks, Inc. | System and method for providing communication services to mobile device users incorporating proximity determination |
US8631507B2 (en) * | 2006-03-27 | 2014-01-14 | Intel Corporation | Method of using signatures for measurement in a trusted computing environment |
US7814531B2 (en) * | 2006-06-30 | 2010-10-12 | Intel Corporation | Detection of network environment for network access control |
US20080046752A1 (en) | 2006-08-09 | 2008-02-21 | Stefan Berger | Method, system, and program product for remotely attesting to a state of a computer system |
- 2006-08-09 US US11/463,563 patent/US20080046752A1/en not_active Abandoned
- 2008-07-10 US US12/170,504 patent/US9298922B2/en active Active
- 2016-02-16 US US15/044,609 patent/US9536092B2/en active Active
- 2016-09-09 US US15/261,118 patent/US9836607B2/en active Active
- 2016-09-09 US US15/261,059 patent/US10242192B2/en not_active Expired - Fee Related
Cited By (70)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9992170B2 (en) | 2004-10-25 | 2018-06-05 | Security First Corp. | Secure data parser method and system |
US9906500B2 (en) | 2004-10-25 | 2018-02-27 | Security First Corp. | Secure data parser method and system |
US9338140B2 (en) | 2004-10-25 | 2016-05-10 | Security First Corp. | Secure data parser method and system |
US9294445B2 (en) | 2004-10-25 | 2016-03-22 | Security First Corp. | Secure data parser method and system |
US9135456B2 (en) | 2004-10-25 | 2015-09-15 | Security First Corp. | Secure data parser method and system |
US9294444B2 (en) | 2004-10-25 | 2016-03-22 | Security First Corp. | Systems and methods for cryptographically splitting and storing data |
US9047475B2 (en) | 2004-10-25 | 2015-06-02 | Security First Corp. | Secure data parser method and system |
US11178116B2 (en) | 2004-10-25 | 2021-11-16 | Security First Corp. | Secure data parser method and system |
US9009848B2 (en) | 2004-10-25 | 2015-04-14 | Security First Corp. | Secure data parser method and system |
US8769699B2 (en) | 2004-10-25 | 2014-07-01 | Security First Corp. | Secure data parser method and system |
US8904194B2 (en) | 2004-10-25 | 2014-12-02 | Security First Corp. | Secure data parser method and system |
US9985932B2 (en) | 2004-10-25 | 2018-05-29 | Security First Corp. | Secure data parser method and system |
US9871770B2 (en) | 2004-10-25 | 2018-01-16 | Security First Corp. | Secure data parser method and system |
US20080046581A1 (en) * | 2006-08-18 | 2008-02-21 | Fujitsu Limited | Method and System for Implementing a Mobile Trusted Platform Module |
US8522018B2 (en) * | 2006-08-18 | 2013-08-27 | Fujitsu Limited | Method and system for implementing a mobile trusted platform module |
US20080046898A1 (en) * | 2006-08-18 | 2008-02-21 | Fujitsu Limited | Method and System for Implementing an External Trusted Platform Module |
US8272002B2 (en) | 2006-08-18 | 2012-09-18 | Fujitsu Limited | Method and system for implementing an external trusted platform module |
US8904080B2 (en) | 2006-12-05 | 2014-12-02 | Security First Corp. | Tape backup method |
US20080183992A1 (en) * | 2006-12-05 | 2008-07-31 | Don Martin | Tape backup method |
US8060941B2 (en) * | 2006-12-15 | 2011-11-15 | International Business Machines Corporation | Method and system to authenticate an application in a computing platform operating in trusted computing group (TCG) domain |
US20080288783A1 (en) * | 2006-12-15 | 2008-11-20 | Bernhard Jansen | Method and system to authenticate an application in a computing platform operating in trusted computing group (tcg) domain |
US9276905B2 (en) * | 2008-02-15 | 2016-03-01 | The Mitre Corporation | Attestation architecture and system |
US20100031047A1 (en) * | 2008-02-15 | 2010-02-04 | The Mitre Corporation | Attestation architecture and system |
US20090300348A1 (en) * | 2008-06-02 | 2009-12-03 | Samsung Electronics Co., Ltd. | Preventing abuse of services in trusted computing environments |
US8161285B2 (en) * | 2008-09-26 | 2012-04-17 | Microsoft Corporation | Protocol-Independent remote attestation and sealing |
US20100082984A1 (en) * | 2008-09-26 | 2010-04-01 | Microsoft Corporation | Protocol-Independent Remote Attestation And Sealing |
US9787674B2 (en) | 2008-10-10 | 2017-10-10 | Microsoft Technology Licensing, Llc | Trusted and confidential remote TPM initialization |
US20140089664A1 (en) * | 2008-10-10 | 2014-03-27 | Microsoft Corporation | Trusted and confidential remote tpm initialization |
US9237135B2 (en) * | 2008-10-10 | 2016-01-12 | Microsoft Technology Licensing, Llc | Trusted and confidential remote TPM initialization |
US8654971B2 (en) | 2009-05-19 | 2014-02-18 | Security First Corp. | Systems and methods for securing data in the cloud |
US9064127B2 (en) | 2009-05-19 | 2015-06-23 | Security First Corp. | Systems and methods for securing data in the cloud |
US8745372B2 (en) * | 2009-11-25 | 2014-06-03 | Security First Corp. | Systems and methods for securing data in motion |
US9516002B2 (en) | 2009-11-25 | 2016-12-06 | Security First Corp. | Systems and methods for securing data in motion |
US8745379B2 (en) | 2009-11-25 | 2014-06-03 | Security First Corp. | Systems and methods for securing data in motion |
US20110202755A1 (en) * | 2009-11-25 | 2011-08-18 | Security First Corp. | Systems and methods for securing data in motion |
US9213857B2 (en) | 2010-03-31 | 2015-12-15 | Security First Corp. | Systems and methods for securing data in motion |
US9443097B2 (en) | 2010-03-31 | 2016-09-13 | Security First Corp. | Systems and methods for securing data in motion |
US10068103B2 (en) | 2010-03-31 | 2018-09-04 | Security First Corp. | Systems and methods for securing data in motion |
US9589148B2 (en) | 2010-03-31 | 2017-03-07 | Security First Corp. | Systems and methods for securing data in motion |
US8650434B2 (en) | 2010-03-31 | 2014-02-11 | Security First Corp. | Systems and methods for securing data in motion |
US9411524B2 (en) | 2010-05-28 | 2016-08-09 | Security First Corp. | Accelerator system for use with secure data storage |
US8601498B2 (en) | 2010-05-28 | 2013-12-03 | Security First Corp. | Accelerator system for use with secure data storage |
US8769270B2 (en) | 2010-09-20 | 2014-07-01 | Security First Corp. | Systems and methods for secure data sharing |
US9264224B2 (en) | 2010-09-20 | 2016-02-16 | Security First Corp. | Systems and methods for secure data sharing |
US9785785B2 (en) | 2010-09-20 | 2017-10-10 | Security First Corp. | Systems and methods for secure data sharing |
FR2976753A1 (en) * | 2011-06-15 | 2012-12-21 | Airbus Operations Sas | Method for initiating communication between communication systems for aircraft, involves sending certificate of conformity to communication system to allow system to decide whether communication with another system is agreed |
US9075996B2 (en) | 2012-07-30 | 2015-07-07 | Microsoft Technology Licensing, Llc | Evaluating a security stack in response to a request to access a service |
US9307411B2 (en) | 2012-11-08 | 2016-04-05 | Nokia Technologies Oy | Partially virtualizing PCR banks in mobile TPM |
WO2014072579A1 (en) * | 2012-11-08 | 2014-05-15 | Nokia Corporation | Partially virtualizing pcr banks in mobile tpm |
US10275599B2 (en) * | 2014-08-18 | 2019-04-30 | Proton World International N.V. | Device and method for providing trusted platform module services |
US20160050071A1 (en) * | 2014-08-18 | 2016-02-18 | Proton World International N.V. | Device and method for providing trusted platform module services |
US9606940B2 (en) * | 2015-03-27 | 2017-03-28 | Intel Corporation | Methods and apparatus to utilize a trusted loader in a trusted computing environment |
US20160283411A1 (en) * | 2015-03-27 | 2016-09-29 | Intel Corporation | Methods and Apparatus to Utilize A Trusted Loader In A Trusted Computing Environment |
WO2016195708A1 (en) * | 2015-06-05 | 2016-12-08 | Hewlett Packard Enterprise Development Lp | Remote attestation of a network endpoint device |
US20190158461A1 (en) * | 2015-12-22 | 2019-05-23 | Mcafee, Llc | Attestation device custody transfer protocol |
EP3229164A1 (en) * | 2016-04-07 | 2017-10-11 | Huawei Technologies Co., Ltd. | Devices for measuring and verifying system states |
US10482034B2 (en) * | 2016-11-29 | 2019-11-19 | Microsoft Technology Licensing, Llc | Remote attestation model for secure memory applications |
WO2018104890A3 (en) * | 2016-12-06 | 2018-08-30 | Enrico Maim | Methods and entities, in particular of a transactional nature, using secure devices |
US11843693B2 (en) | 2016-12-06 | 2023-12-12 | Enrico Maim | Methods and entities, in particular of a transactional nature, using secure devices |
EP3971750A1 (en) * | 2016-12-06 | 2022-03-23 | Enrico Maim | Methods and entities, in particular transactional, implementing secure devices |
US10033756B1 (en) * | 2017-10-26 | 2018-07-24 | Hytrust, Inc. | Methods and systems for holistically attesting the trust of heterogeneous compute resources |
US11232190B2 (en) * | 2018-11-01 | 2022-01-25 | Trustonic Limited | Device attestation techniques |
US10915632B2 (en) | 2018-11-27 | 2021-02-09 | International Business Machines Corporation | Handling of remote attestation and sealing during concurrent update |
US20220303266A1 (en) * | 2019-01-03 | 2022-09-22 | Capital One Services, Llc | Secure authentication of a user |
US11818122B2 (en) * | 2019-01-03 | 2023-11-14 | Capital One Services, Llc | Secure authentication of a user |
US11163865B2 (en) * | 2019-03-22 | 2021-11-02 | Advanced New Technologies Co., Ltd. | Trusted computing method, and server |
CN110188530A (en) * | 2019-05-30 | 2019-08-30 | 苏州浪潮智能科技有限公司 | A kind of safety certifying method, device, equipment and readable storage medium storing program for executing |
US20230185969A1 (en) * | 2020-06-29 | 2023-06-15 | Siemens Aktiengesellschaft | Consensus method for a distributed database |
US11741267B2 (en) * | 2020-06-29 | 2023-08-29 | Siemens Aktiengesellschaft | Consensus method for a distributed database |
US20220108008A1 (en) * | 2021-12-15 | 2022-04-07 | Intel Corporation | Platform health verification |
Also Published As
Publication number | Publication date |
---|---|
US9836607B2 (en) | 2017-12-05 |
US10242192B2 (en) | 2019-03-26 |
US9536092B2 (en) | 2017-01-03 |
US9298922B2 (en) | 2016-03-29 |
US20080270603A1 (en) | 2008-10-30 |
US20160164862A1 (en) | 2016-06-09 |
US20160381008A1 (en) | 2016-12-29 |
US20160381007A1 (en) | 2016-12-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10242192B2 (en) | Method, system, and program product for remotely attesting to a state of a computer system | |
US11281457B2 (en) | Deployment of infrastructure in pipelines | |
JP7141193B2 (en) | Document access to blockchain network | |
Nikitin et al. | CHAINIAC: Proactive Software-Update transparency via collectively signed skipchains and verified builds | |
CN111052120B (en) | Digital asset traceability and assurance using distributed ledgers | |
US11341121B2 (en) | Peer partitioning | |
US8321921B1 (en) | Method and apparatus for providing authentication and encryption services by a software as a service platform | |
JP4939851B2 (en) | Information processing terminal, secure device, and state processing method | |
US9407505B2 (en) | Configuration and verification by trusted provider | |
EP3382537B1 (en) | Verifying that usage of virtual network function (vnf) by a plurality of compute nodes comply with allowed usage rights | |
Hardjono et al. | Decentralized trusted computing base for blockchain infrastructure security | |
CN110598434A (en) | House information processing method and device based on block chain network, electronic equipment and storage medium | |
US20200042675A1 (en) | Hardware based identities for software modules | |
WO2022058183A1 (en) | Integrating device identity into a permissioning framework of a blockchain | |
JP2004038968A (en) | Multiplexing of secure counter for implementing second level secure counter | |
Feigenbaum et al. | Trust management and proof-carrying code in secure mobile-code applications | |
WO2023124420A1 (en) | Application signature methods and system, transaction terminal and service platform | |
US20230057898A1 (en) | Privacy preserving auditable accounts | |
Cappos et al. | Package management security | |
US20210226771A1 (en) | Method and system for authentication seal deployment in networked immutable transactions | |
Akram et al. | An introduction to the trusted platform module and mobile trusted module | |
Lisi et al. | Automated responsible disclosure of security vulnerabilities | |
Almstedt et al. | ContractBox: Realizing accountable data sharing on the edge using a small scale blockchain | |
Liu et al. | Distributed Cloud Forensic System with Decentralization and Multi-participation | |
US20230289451A1 (en) | Secure device validator ledger |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BERGER, STEFAN;GOLDMAN, KENNETH;JAEGER, TRENTON R.;AND OTHERS;REEL/FRAME:018345/0870;SIGNING DATES FROM 20060913 TO 20060916 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |