US2008046752A1PendingUtilityA1
Method, system, and program product for remotely attesting to a state of a computer system
Est. expiryAug 9, 2026(~0.1 yrs left)· nominal 20-yr term from priority
Inventors:Stefan BergerKenneth A. GoldmanTrenton R. JaegerRonald PerezReiner SailerEnriquillo Valdez
G06F 21/57H04L 2209/127H04L 63/164H04L 63/0823H04L 63/1433H04L 63/0428H04L 63/06H04L 63/166H04L 9/3271H04L 63/0853
48
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
Claims
exact text as granted — not AI-modified1 . A method of remotely attesting to a state of a computer system, comprising:
storing data specific to the computer system in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data specific to the computer system.
2 . The method of claim 1 , wherein the data specific to the computer system comprises static data associated with the computer system
3 . The method of claim 3 , wherein the static data comprises public key data used for establishing a communications channel.
4 . The method of claim 1 , wherein the data specific to the computer system comprises dynamic data associated with the computer system that is generated as the computer system is running.
5 . The method of claim 4 , wherein the dynamic data is generated once and assigned to the computer system.
6 . The method of claim 4 , wherein the dynamic data comprises a network dynamic IP address assigned to the computer system.
7 . The method of claim 4 , wherein the dynamic data is generated periodically as the computer system runs.
8 . The method of claim 7 , wherein the dynamic data comprises a notification that a user has logged into the computer system.
9 . The method of claim 7 , wherein the dynamic data relates to at least one of: an execution or a termination of a program running on the computer system.
10 . The method of claim 7 , wherein the dynamic data comprises an event occurring on the computer system.
11 . The method of claim 10 , wherein the event comprises an error condition detected by the computer system.
12 . A method of a remote system establishing a secure connection to a local system comprising:
receiving a list of names of measured items specific to the local system, values of the measured items, and signed states of current Platform Configuration Register (PCR) values on the remote system from the local system; requesting a secure connection to the local system and receiving an authentication credential of the local system; verifying that the authentication credential is contained in the received list; and determining whether to continue establishing the secure connection based on the verifying.
13 . The method of claim 12 , wherein the authentication credential comprises an X.509 certificate.
14 . The method of claim 12 , wherein the secure connection comprises at least one of the following: an SSL connection, or an IPSec connection.
15 . The method of claim 12 , further comprising the step of verifying that a hash of the authentication credential is contained in the received list.
16 . A system for remotely attesting to a state of a computer system, comprising:
a measurement system for measuring data specific to the computer system; a PCR system for storing the data in a set of Platform Configuration Registers (PCRs); a challenge reception system for receiving an attestation challenge from a remote computer system; and a quotation system for responding to the attestation challenge using the data stored in the set of PCRs.
17 . The system of claim 16 , wherein the data specific to the computer system comprises static data associated with the computer system.
18 . The system of claim 17 , wherein the static data comprises public key data used for establishing a communications channel.
19 . The system of claim 16 , wherein the data specific to the computer system comprises dynamic data associated with the computer system that is generated as the computer system is running.
20 . The system of claim 19 , wherein the dynamic data is generated once and assigned to the computer system.
21 . The system of claim 19 , wherein the dynamic data comprises a network dynamic IP address assigned to the computer system.
22 . The system of claim 19 , wherein the dynamic data is generated periodically as the computer system runs.
23 . The system of claim 22 , wherein the dynamic data comprises a notification that a user has logged into the computer system.
24 . The system of claim 22 , wherein the dynamic data relates to at least one of: an execution or a termination of a program running on the computer system.
25 . The system of claim 22 , wherein the dynamic data comprises an event occurring on the computer system.
26 . The system of claim 25 , wherein the event comprises an error condition detected by the computer system.
27 . The system of claim 16 , further comprising a digest system for computing a digest that contains the data specific to the computer system, wherein the PCR system stores the digest in the set of PCRs.
28 . A program product stored on a computer readable medium for remotely attesting to a state of a computer system, the computer readable medium comprising program code for causing a computer system to perform the following steps:
measuring data specific to the computer system; storing the data in a set of Platform Configuration Registers (PCRs); receiving an attestation challenge from a remote computer system; and responding to the attestation challenge using the data stored in the set of PCRs.
29 . The program product of claim 28 , wherein the data specific to the computer system comprises at least one of the following types of data: static data associated with the computer system, or dynamic data associated with the computer system.
30 . A method for deploying an application for remotely attesting to a state of a computer system, comprising:
providing a computerized infrastructure being operable to:
measure data specific to the computer system;
store the data in a set of Platform Configuration Registers (PCRs);
receive an attestation challenge from a remote computer system; and
respond to the attestation challenge using the data stored in the set of PCRs.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.