EP2080142 - ATTESTATION OF COMPUTING PLATFORMS

Office European Patent Office
Application Number 07789866
Application Date 03.07.2007
Publication Number 2080142
Publication Date 22.07.2009
Publication Kind B1
IPC
G06F 21/44 : Program or device authentication
  (under G06F 21/30 : Authentication, i.e. establishing the identity or authorisation of security principals)
G06F 21/57 : Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  (under G06F 21/50 : Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
G06F 21/64 : Protecting data integrity, e.g. using checksums, certificates or signatures
  (under G06F 21/60 : Protecting data)
CPC
G06F 21/645 : using a third party
  (under G06F 21/64 : Protecting data integrity, e.g. using checksums, certificates or signatures; G06F 21/60 : Protecting data)
G06F 21/445 : by mutual authentication, e.g. between devices or programs
  (under G06F 21/44 : Program or device authentication; G06F 21/30 : Authentication, i.e. establishing the identity or authorisation of security principals)
G06F 21/57 : Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  (under G06F 21/50 : Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
G06F 2221/2103 : Challenge-response
G06F 2221/2115 : Third party
G06F 2221/2129 : Authenticate client device independently of the user
  (the three 2221/21xx codes sit under G06F 2221/21 : Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F 2221 : Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Common ancestors of all codes above: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
Applicants IBM
Inventors CAMENISCH JAN
PORITZ JONATHAN
ZIMMERMANN ROGER
Designated States
Priority Data 06119945 31.08.2006 EP
07789866 03.07.2007 EP
Title
(DE) BESCHEINIGUNG VON RECHNERPLATTFORMEN
(EN) ATTESTATION OF COMPUTING PLATFORMS
(FR) ATTESTATION DE PLATES-FORMES INFORMATIQUES
Abstract
(EN)
Methods and apparatus are provided for attesting the configuration of a computing platform (1) to a verifier (3). A signature key (SK) is bound to the platform (1) and bound to a defined configuration of the platform (1). A credential (C(SK), CDAA(SK)) for the signature key (SK) is obtained from an evaluator (2). This credential (C(SK), CDAA(SK)) certifies that the signature key (SK) is bound to an unspecified trusted platform configuration. The platform (1) can then demonstrate to the verifier (3) the ability to sign a challenge from the verifier (3) using the signature key (SK), and demonstrate possession of the credential (C(SK), CDAA(SK)) to the verifier (3), thereby attesting that the platform (1) has a trusted configuration without disclosing the platform configuration to the verifier (3). The ability to sign the challenge may be demonstrated by returning the signed challenge to the verifier (3), and possession of the credential may similarly be demonstrated by sending the credential C(SK) to the verifier (3). Alternatively, the credential may be an anonymous credential CDAA(SK) bound to a public key of the signature key (SK). In this case, possession of the credential CDAA(SK), and the ability to sign the challenge, can be demonstrated without actually disclosing the credential or the public key of the signature key (SK) to the verifier (3). Corresponding methods and apparatus relating to operation of an evaluator (2) and verifier (3) in the attestation process are also provided.
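The three-party exchange the abstract describes, written out as an added illustration that is not part of the patent: the evaluator certifies the platform's signature key SK only after checking the platform's configuration, the platform can sign the verifier's challenge only while its configuration still matches the one SK is bound to, and the verifier accepts on credential plus signed challenge without ever seeing the configuration. Ed25519 signatures stand in for both the credential C(SK) and the platform signature, "binding" is modelled as a hash comparison in place of TPM sealing, and the configuration strings and evaluator policy are constructed; the anonymous CDAA(SK) variant is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Measure hashes a configuration string (constructed stand-in for a PCR digest).
func Measure(config string) []byte { h := sha256.Sum256([]byte(config)); return h[:] }

// Evaluate: the evaluator compares cfg with its trusted policy and, on a match,
// certifies pk(SK). The credential says nothing about which configuration it saw.
func Evaluate(evalSK ed25519.PrivateKey, trusted, cfg []byte, pk ed25519.PublicKey) ([]byte, bool) {
	if !bytes.Equal(trusted, cfg) {
		return nil, false
	}
	return ed25519.Sign(evalSK, pk), true
}

// Attest: the platform signs the verifier's challenge with SK, which is only
// usable while its current configuration still equals the one SK is sealed to.
func Attest(sealedTo, currentCfg []byte, sk ed25519.PrivateKey, challenge []byte) (pk ed25519.PublicKey, sig []byte, ok bool) {
	if !bytes.Equal(currentCfg, sealedTo) {
		return nil, nil, false // configuration changed: SK cannot be used
	}
	return sk.Public().(ed25519.PublicKey), ed25519.Sign(sk, challenge), true
}

// Verify: the verifier checks the credential under the evaluator's key and the
// challenge signature under pk(SK); the configuration itself is never disclosed.
func Verify(evalPK ed25519.PublicKey, challenge, pk, sig, cred []byte) bool {
	return len(pk) == ed25519.PublicKeySize && ed25519.Verify(evalPK, pk, cred) && ed25519.Verify(ed25519.PublicKey(pk), challenge, sig)
}

// Scenario runs all three parties: SK is certified while the platform runs
// enrollCfg, then the verifier challenges it while it runs attestCfg.
func Scenario(enrollCfg, attestCfg string) bool {
	evalPK, evalSK, _ := ed25519.GenerateKey(rand.Reader)
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	policy := Measure("firmware v1;kernel v5") // evaluator's trusted configuration (constructed)
	cred, trusted := Evaluate(evalSK, policy, Measure(enrollCfg), pk)
	if !trusted {
		return false
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh nonce: an earlier attestation cannot be replayed
	ppk, sig, signed := Attest(Measure(enrollCfg), Measure(attestCfg), sk, challenge)
	return signed && Verify(evalPK, challenge, ppk, sig, cred)
}
```

Scenario returns true only for an unchanged, policy-matching configuration; a configuration altered after certification leaves SK unusable, so the challenge cannot be answered and the verifier rejects.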
