1. CN101512535 - Attestation of computing platforms

Office China
Application Number 200780031990.3
Application Date 03.07.2007
Publication Number 101512535
Publication Date 19.08.2009
Publication Kind A
IPC
G06F 21/00: G PHYSICS > 06 COMPUTING; CALCULATING OR COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/24: G PHYSICS > 06 COMPUTING; CALCULATING OR COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 24 by protecting data directly, e.g. by labelling
CPC
G06F 21/645: G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 60 Protecting data > 64 Protecting data integrity, e.g. using checksums, certificates or signatures > 645 using a third party
G06F 21/445: G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 30 Authentication, i.e. establishing the identity or authorisation of security principals > 44 Program or device authentication > 445 by mutual authentication, e.g. between devices or programs
G06F 21/57: G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > 57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 2221/2103: G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 2103 Challenge-response
G06F 2221/2115: G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 2115 Third party
G06F 2221/2129: G PHYSICS > 06 COMPUTING; CALCULATING; COUNTING > F ELECTRIC DIGITAL DATA PROCESSING > 2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > 2129 Authenticate client device independently of the user
Applicants IBM (国际商业机器公司)
Inventors Camenisch Jan (J·卡梅尼西); Poritz Jonathan (J·波里茨); Zimmermann Roger (R·齐默尔曼)
Agents feng pu li zhengyu (北京市金杜律师事务所)
Priority Data 06119945.1 31.08.2006 EP
Title
(EN) Attestation of computing platforms
Abstract
(EN)
Methods and apparatus are provided for attesting the configuration of a computing platform (1) to a verifier (3). A signature key (SK) is bound to the platform (1) and bound to a defined configuration of the platform (1). A credential (C(SK), CDAA(SK)) for the signature key (SK) is obtained from an evaluator (2). This credential (C(SK), CDAA(SK)) certifies that the signature key (SK) is bound to an unspecified trusted platform configuration. The platform (1) can then demonstrate to the verifier (3) the ability to sign a challenge from the verifier (3) using the signature key (SK), and demonstrate possession of the credential (C(SK), CDAA(SK)) to the verifier (3), thereby attesting that the platform (1) has a trusted configuration without disclosing the platform configuration to the verifier (3). The ability to sign the challenge may be demonstrated by returning the signed challenge to the verifier (3), and possession of the credential may similarly be demonstrated by sending the credential C(SK) to the verifier (3). Alternatively, the credential may be an anonymous credential CDAA(SK) bound to a public key of the signature key (SK). In this case, possession of the credential CDAA(SK), and the ability to sign the challenge, can be demonstrated without actually disclosing the credential or the public key of the signature key (SK) to the verifier (3). Corresponding methods and apparatus relating to operation of an evaluator (2) and verifier (3) in the attestation process are also provided.
