Method, system, and program product for remotely attesting to a state of a computer system

USPTO Application #: 20080046752
Title: Method, system, and program product for remotely attesting to a state of a computer system

Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.

Agent: Hoffman, Warnick & D'alessandro LLC - Albany, NY, US
Inventors: Stefan Berger, Kenneth Goldman, Trenton R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
USPTO Application #: 20080046752 - Class: 713186 (USPTO)

The Patent Description & Claims data below is from USPTO Patent Application 20080046752.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] This invention relates to remotely establishing the specific or dynamic properties of a computer system. More specifically, it relates to remotely establishing trust in properties of a computer system.

[0003] 2. Related Art

[0004] Current Trusted Computing Group (TCG) use cases provide the means for remote parties to attest to the software state of a computer system/platform. The software state includes measurements of the software chain, and might include configuration files used to initialize or customize a software module. The attestation method, as described in TCG documents, begins with a Core Root of Trust for Measurement (CRTM) that measures the software and possibly configuration files of the next layer of software to run. Each layer in turn measures the next layer before calling it. Digests of these measurements are extended through a one-way hash function into Platform Configuration Registers (PCRs) contained in a Trusted Platform Module (TPM). The measurement names and values are also appended to a measurement list.

[0005] During the remote attestation process, a set of PCRs is quoted, that is, digested and digitally signed with a trusted Attestation Identity Key (AIK). The remote party/system validates the AIK certificate issued by a trusted privacy certificate authority, the digital signature of the quote, and the integrity of the measurement list by comparing it to the PCR state included in the quote. Once the measurement list is trusted, the remote system uses it to determine whether the attesting system is running trusted software.

[0006] Current uses measure known, expected, constant, system-independent data. A typical measurement is a software stack, from bootstrap loader, through Operating System load, and finally application load. Remote systems doing an attestation are expected to have known good values. Even when other data such as configuration files are measured, the literature envisions a limited number of variations among systems, a relatively homogeneous environment.

[0007] By measuring data common to many systems, and by storing only static data, not data generated at run time, the remote system needs to store only a small list of trusted measurements (software modules or configuration files), and can use that list to attest a large number of systems across an enterprise. While this attestation is valuable for trusted computing, it does not address establishing trust in data that may be specific to a system or even data that may be generated or changed as the system runs.

[0008] For example, there are currently mechanisms to establish secure communication tunnels, usually based on public key certificates (e.g., SSL, IPSEC, and Web Services Security). There are also techniques to establish properties of remote systems using the TPM or other core root of trust elements. Unfortunately, these two separate mechanisms do not ensure that the system for which properties are established during remote attestation is the same system at which the protected tunnel ends. This is essential for establishing security guarantees in distributed environments. One known solution is to create trusted third parties that "vouch" that certificates used during remote attestation and certificates used to establish secure tunnels belong to the same system. Drawbacks of known solutions include (among others): (1) third parties are difficult to establish; (2) third parties are currently unable to solve key revocation in a scalable and cost-efficient way; and (3) it is extremely difficult to find commonly trusted parties in heterogeneous distributed environments.

[0009] In view of the foregoing, there exists a need for a solution that solves at least one of the deficiencies in the related art.

SUMMARY OF THE INVENTION

[0010] The present invention expands the current use of PCRs to include not only common, static data measurements, but also computer system-specific, static data measurements and dynamic data. Adding static but system-specific measurements allows a remote system to attest to and therefore attach those measurements to measurements of common data such as the software running on the system. Such static data would typically be present at system startup. An example of system-specific static data is a network communications channel public key or certificate. Adding these measurements to PCRs allows a remote system to attest to the system properties at the end points of a secure communication channel by anchoring public keys and relevant attributes associated with establishing a secure channel to the system's integrity measurements.

[0011] Adding dynamic data calculated as the system runs allows a remote party/system to attest to and therefore attach those measurements to measurements of common data such as the software running on the system. Some dynamic data is typically generated once. An example of dynamic data typically assigned at boot time is a dynamically assigned IP address. Other dynamic data is continuously generated. An example of dynamic data determined as the system runs applications is a log of activity such as logins or system hardware or software errors. Adding these measurements to PCRs allows the remote system to attest that the activity, system, event, or error log was generated by a trusted system and not altered.

[0012] A first aspect of the present invention provides a method of remotely attesting to a state of a computer system, comprising: storing data specific to the computer system in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data specific to the computer system.

[0013] A second aspect of the present invention provides a method of a remote system establishing a secure connection to a local system, comprising: receiving a list of names of measured items specific to the local system, values of the measured items, and signed states of current Platform Configuration Register (PCR) values on the remote system from the local system; requesting a secure connection to the local system and receiving an authentication credential of the local system; verifying that the authentication credential is contained in the received list of names; and determining whether to continue establishing the secure connection based on the verifying.

[0014] A third aspect of the present invention provides a system for remotely attesting to a state of a computer system, comprising: a measurement system for measuring data specific to the computer system; a PCR system for storing the data in a set of Platform Configuration Registers (PCRs); a challenge reception system for receiving an attestation challenge from a remote computer system; and a quotation system for responding to the attestation challenge using the data stored in the set of PCRs.

[0015] A fourth aspect of the present invention provides a program product stored on a computer readable medium for remotely attesting to a state of a computer system, the computer readable medium comprising program code for causing a computer system to perform the following steps: measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.

[0016] A fifth aspect of the present invention provides a method for deploying an application for remotely attesting to a state of a computer system, comprising: providing a computer infrastructure being operable to: measure data specific to the computer system; store the data in a set of Platform Configuration Registers (PCRs); receive an attestation challenge from a remote computer system; and respond to the attestation challenge using the data stored in the set of PCRs.

[0017] A sixth aspect of the present invention provides computer software embodied in a propagated signal for remotely attesting to a state of a computer system, the computer software comprising instructions for causing a computer system to perform the following steps: measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.

[0018] Therefore, the present invention provides a method, system, and program product for remotely attesting to a state of a computer system, as well as for a remote system to establish a secure connection to a local system.
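As an added example (not code from the patent or its authors), the following Python sketches the measurement chain of [0004] on the local system and the verifier checks of [0005] and the second aspect in [0013]: replaying the measurement list against the quoted PCR value, then confirming that the credential presented on the secure channel is among the measured items, which ties the tunnel endpoint to the attested system. The SHA-1 20-byte PCR layout, the sample boot items and the placeholder certificate are assumptions, and AIK certificate and quote-signature validation are assumed to have been done beforehand.

```python
# Added example, not code from the patent: a TPM 1.2-style measurement chain on
# the attesting (local) system and the verifier-side checks a remote system
# performs. Names, sample data and the SHA-1/20-byte PCR layout are assumptions.
import hashlib
from typing import List, Tuple

PCR_INIT = b"\x00" * 20                      # PCR reset value (SHA-1 sized)
MeasurementList = List[Tuple[str, bytes]]    # (name, digest) entries

def extend(pcr: bytes, digest: bytes) -> bytes:
    """One-way extend: new PCR = SHA1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def measure(pcr: bytes, log: MeasurementList, name: str, data: bytes) -> bytes:
    """Local side: digest the item, extend it into the PCR, log (name, digest)."""
    digest = hashlib.sha1(data).digest()
    log.append((name, digest))
    return extend(pcr, digest)

def replay(log: MeasurementList) -> bytes:
    """Verifier side: recompute the PCR value a measurement list should yield."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def verify(log: MeasurementList, quoted_pcr: bytes,
           cred_name: str, credential: bytes) -> bool:
    """Accept only if (1) the list replays to the quoted PCR, so no entry was
    added, dropped or altered, and (2) the credential offered on the secure
    channel is listed under cred_name with a matching digest, so the tunnel
    endpoint is the attested system. AIK certificate and quote signature are
    assumed already validated by the caller."""
    if replay(log) != quoted_pcr:
        return False
    cred_digest = hashlib.sha1(credential).digest()
    return any(n == cred_name and d == cred_digest for n, d in log)

# Constructed sample: boot chain followed by the system-specific TLS certificate
# (placeholder bytes standing in for a DER-encoded certificate).
TLS_CERT = b"constructed placeholder certificate for host A"
LOG: MeasurementList = []
pcr = PCR_INIT
for name, data in [("bootloader", b"bootloader image v1"),
                   ("kernel", b"kernel image v2"),
                   ("tls-cert", TLS_CERT)]:
    pcr = measure(pcr, LOG, name, data)
QUOTED_PCR = pcr          # value the TPM would place in the signed quote
```

A substituted certificate fails the second check, and a measurement list edited to list the substitute fails the first, because the quoted PCR no longer replays.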
BRIEF DESCRIPTION OF THE DRAWINGS

[0019] These and other features of this invention will be more readily understood from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:

[0020] FIG. 1 depicts a system for remotely attesting to the state of a computer system according to the present invention.

[0021] FIG. 2 depicts a flow chart of a remote attestation process according to the present invention.