1. WO2008026086 - ATTESTATION OF COMPUTING PLATFORMS

Publication Number WO/2008/026086
Publication Date 06.03.2008
International Application No. PCT/IB2007/052586
International Filing Date 03.07.2007
IPC
G PHYSICS > 06 COMPUTING; CALCULATING OR COUNTING > F ELECTRIC DIGITAL DATA PROCESSING
  • G06F 21/44 (2013.01): 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 30 Authentication, i.e. establishing the identity or authorisation of security principals > 44 Program or device authentication
  • G06F 21/57 (2013.01): 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > 57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/64 (2013.01): 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 60 Protecting data > 64 Protecting data integrity, e.g. using checksums, certificates or signatures
CPC
G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING
  • G06F 21/445: 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 30 Authentication, i.e. establishing the identity or authorisation of security principals > 44 Program or device authentication > 445 by mutual authentication, e.g. between devices or programs
  • G06F 21/57: 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > 57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/645: 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 60 Protecting data > 64 Protecting data integrity, e.g. using checksums, certificates or signatures > 645 using a third party
  • G06F 2221/2103: 2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 2103 Challenge-response
  • G06F 2221/2115: 2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 2115 Third party
  • G06F 2221/2129: 2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 2129 Authenticate client device independently of the user
Applicants
  • INTERNATIONAL BUSINESS MACHINES CORPORATION (AllExceptUS)
  • CAMENISCH, Jan [CH]/[CH] (UsOnly)
  • PORITZ, Jonathan [US]/[US] (UsOnly)
  • ZIMMERMANN, Roger [CH]/[CA] (UsOnly)
Inventors
  • CAMENISCH, Jan
  • PORITZ, Jonathan
  • ZIMMERMANN, Roger
Agents
  • MEYER, Michael
Priority Data
06119945.1 31.08.2006 EP
Publication Language English (EN)
Filing Language English (EN)
Designated States
Title
(EN) ATTESTATION OF COMPUTING PLATFORMS
Abstract
(EN)
Methods and apparatus are provided for attesting the configuration of a computing platform (1) to a verifier (3). A signature key (SK) is bound to the platform (1) and bound to a defined configuration of the platform (1). A credential (C(SK), CDAA(SK)) for the signature key (SK) is obtained from an evaluator (2). This credential (C(SK), CDAA(SK)) certifies that the signature key (SK) is bound to an unspecified trusted platform configuration. The platform (1) can then demonstrate to the verifier (3) the ability to sign a challenge from the verifier (3) using the signature key (SK), and demonstrate possession of the credential (C(SK), CDAA(SK)) to the verifier (3), thereby attesting that the platform (1) has a trusted configuration without disclosing the platform configuration to the verifier (3). The ability to sign the challenge may be demonstrated by returning the signed challenge to the verifier (3), and possession of the credential may similarly be demonstrated by sending the credential C(SK) to the verifier (3). Alternatively, the credential may be an anonymous credential CDAA(SK) bound to a public key of the signature key (SK). In this case, possession of the credential CDAA(SK), and the ability to sign the challenge, can be demonstrated without actually disclosing the credential or the public key of the signature key (SK) to the verifier (3). Corresponding methods and apparatus relating to operation of an evaluator (2) and verifier (3) in the attestation process are also provided.
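The first variant in the abstract, in which the platform returns the signed challenge and sends the credential C(SK) to the verifier, is sketched below as an added example; it is not code from the patent or its applicants. Assumptions: toy textbook RSA stands in for the signature scheme, the evaluator is taken to have already authenticated the binding between SK and the configuration, all function names are hypothetical, and the anonymous-credential variant is not modelled.

```python
import hashlib

E = 65537  # public exponent for the toy RSA below

def keygen(p, q):
    """Toy textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

# Constructed sample data: one configuration the evaluator accepts as trusted.
GOOD_CONFIG = hashlib.sha256(b"constructed trusted configuration").hexdigest()
TRUSTED_CONFIGS = {GOOD_CONFIG}

def evaluator_issue(eval_priv, sk_pub, bound_config):
    """Evaluator (2): issue C(SK) only if SK is bound to a trusted configuration.
    Assumption: the evaluator has already authenticated the (key, configuration)
    binding; how that evidence is produced is not modelled here."""
    if bound_config not in TRUSTED_CONFIGS:
        return None
    # The credential covers the key only, so it never names the configuration.
    return sign(eval_priv, repr(sk_pub).encode())

def platform_attest(sk_priv, sk_pub, credential, challenge):
    """Platform (1): return the signed challenge plus SK's public key and C(SK)."""
    return {"sig": sign(sk_priv, challenge), "sk_pub": sk_pub, "cred": credential}

def verifier_check(eval_pub, challenge, resp):
    """Verifier (3): accept if C(SK) is the evaluator's and SK signed this challenge."""
    return (verify(eval_pub, repr(resp["sk_pub"]).encode(), resp["cred"])
            and verify(resp["sk_pub"], challenge, resp["sig"]))

# Fixed Mersenne primes keep the toy keys reproducible (far too small for real use).
EVAL_PUB, EVAL_PRIV = keygen(2**127 - 1, 2**107 - 1)
SK_PUB, SK_PRIV = keygen(2**89 - 1, 2**61 - 1)
```

The verifier's inputs are the challenge, a signature, a public key and the credential; the configuration digest is seen only by the evaluator.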