System and method for authenticating an operating system

US 20030196085A1
Filed: 05/07/2003
Published: 10/16/2003
Est. Priority Date: 10/26/1998
Status: Active Grant

First Claim

Patent Images

1. In a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key, a method comprising:

forming an OS certificate containing the identity from the software identity register; and

signing the OS certificate using the private key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating an operating system includes, in accordance with one aspect, a method in a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key. The method comprises forming an OS certificate containing the identity from the software identity register and signing the OS certificate using the private key. In accordance with another aspect, the signed identity is submitted to a recipient to prove an identity of the operating system to the recipient.

286 Citations

52 Claims

1. In a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key, a method comprising:
- forming an OS certificate containing the identity from the software identity register; and
  
  signing the OS certificate using the private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein the OS certificate further contains the processor public key.
  - 3. A method as recited in claim 1, wherein the processor includes the software identity register.
  - 4. A method as recited in claim 1, wherein the processor comprises a central processing unit (CPU).
  - 5. A method as recited in claim 1, wherein the processor is part of a central processing unit (CPU).
  - 6. A method as recited in claim 1, further comprising submitting the signed OS certificate to a recipient to prove the identity of the operating system to the recipient.
  - 7. A method as recited in claim 6, wherein the recipient comprises a content provider.
  - 8. A method as recited in claim 1, wherein forming the OS certificate comprises forming the OS certificate with one or more items from a boot log containing identities of software components that are executing on a central processing unit (CPU) of the computer system.

9. In a computer system having a processor and an operating system (OS), the processor having both a private key of a public/private key pair and a software identity register that holds an identity of the operating system, a method comprising:
- obtaining the identity of the operating system; and
  
  signing the identity using the processor private key.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A method as recited in claim 9, wherein the processor comprises part of a central processing unit (CPU).
  - 11. A method as recited in claim 9, wherein the processor is separate from the central processing unit (CPU).
  - 12. A method as recited in claim 9, wherein obtaining the identity of the operating system comprises retrieving the identity from the software identity register.
  - 13. A method as recited in claim 9, further comprising submitting the signed identity to a recipient to prove the identity of the operating system to the recipient.
  - 14. A method as recited in claim 13, wherein the recipient comprises a content provider.

15. A system comprising:
- a client having a processor and an operating system (OS), the processor having a private key, a manufacturer certificate supplied by a manufacturer of the processor, and a software identity register that holds an identity of the operating system, the client being configured to submit a request over a network;
  
  a computer system having a server to serve content to the client, the computer system being configured to receive the request over the network, generate a challenge nonce, and return the challenge nonce to the client; and
  
  the client being further configured to form an OS certificate containing both the identity from the software identity register and the challenge nonce, and to sign the OS certificate using the private key, the client returning the OS certificate and the processor manufacturer certificate to the computer system for evaluation to determine whether to reject or fulfill the request.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. A system as recited in claim 15, wherein the processor comprises a central processing unit (CPU).
  - 17. A system as recited in claim 15, wherein the processor is part of a central processing unit (CPU).
  - 18. The system as recited in claim 15, wherein the computer system is configured to determine whether to trust the identity in the OS certificate.
  - 19. The system as recited in claim 15, wherein the computer system is configured to determine whether the challenge nonce returned in the OS certificate is the challenge nonce generated by the computer system.
  - 20. The system as recited in claim 15, wherein the computer system is configured to verify the signature on the OS certificate using a public key of the processor.
  - 21. The system as recited in claim 20, wherein the public key of the processor is included in the manufacturer certificate.
  - 22. The system as recited in claim 15, wherein the computer system is configured to verify a manufacturer signature on the manufacturer certificate.
  - 23. The system as recited in claim 15, wherein the computer system is configured to determine whether to trust the manufacturer of the processor.
  - 24. The system as recited in claim 15, wherein the computer system is configured to download the content specified in the request in an event that the computer system elects to fulfill the request.
  - 25. The system as recited in claim 15, wherein the computer system comprises a content provider and wherein the client comprises a subscriber unit.

26. For execution on a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key, a computer program stored on one or more computer-readable storage media of the computer system;
- the program comprising;
  
  forming an OS certificate containing the identity from the software identity register; and
  
  signing the OS certificate using the processor private key.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. A program as recited in claim 26, wherein the processor comprises a central processing unit (CPU).
  - 28. A program as recited in claim 26, wherein the processor is separate from the central processing unit (CPU).
  - 29. A program as recited in claim 26, further comprising submitting the signed OS certificate to a recipient to prove the identity of the operating system to the recipient.
  - 30. A program as recited in claim 29, wherein the recipient comprises a content provider.
  - 31. A program as recited in claim 26, wherein forming the OS certificate comprises forming the OS certificate with one or more items from a boot log containing identities of software components that are executing on a central processing unit (CPU) of the computer system.
  - 32. A program as recited in claim 26, wherein the processor includes the software identity register.

33. In a system having a client and a computer, in which the client has a processor and an operating system (OS) and the processor further includes a private key, a manufacturer certificate supplied by a manufacturer of the processor, and a software identity register that holds an identity of the operating system, a computer program stored on one or more computer-readable storage media resident at the client and computer for establishing a chain of trust between the client and the computer, the program comprising:
- submitting a request from the client to the computer, the request specifying a particular content;
  
  generating, at the computer, a challenge nonce;
  
  returning the challenge nonce from the computer to the client;
  
  forming, at the client, an OS certificate containing the identity from the software identity register and signing the OS certificate using the private key;
  
  passing the OS certificate and the processor manufacturer certificate from the client to the computer; and
  
  evaluating, at the computer, the OS certificate and the processor manufacturer to determine whether to reject or fulfill the request.
- View Dependent Claims (34, 35, 36)
- - 34. A program as recited in claim 33, wherein the processor comprises a central processing unit (CPU).
  - 35. A program as recited in claim 33, wherein the processor is separate from the central processing unit (CPU).
  - 36. A program as recited in claim 33, wherein the client comprises a subscriber unit and the computer comprises a content provider.

37. In a computer system having a cryptographic mechanism, an operating system (OS), and a software identity register that holds an identity of the operating system, the cryptographic mechanism having a private key of a pair of private and public keys, a method comprising:
- obtaining the identity of the operating system; and
  
  signing the identity using the private key of the cryptographic mechanism.
- View Dependent Claims (38, 39, 40, 41, 42, 43)
- - 38. A method as recited in claim 37, wherein:
    - obtaining the identity of the operating system comprises forming an OS certificate containing the identity from the software identity register and information describing the operating system; and
      
      signing the identity using the private key of the cryptographic mechanism comprises signing the OS certificate using the private key of the cryptographic mechanism.
  - 39. A method as recited in claim 37, wherein the cryptographic mechanism comprises at least part of a central processing unit (CPU).
  - 40. A method as recited in claim 37, wherein the cryptographic mechanism is separate from a central processing unit (CPU).
  - 41. A method as recited in claim 37, further comprising submitting the signed identity to a recipient to prove the identity of the operating system to the recipient.
  - 42. A method as recited in claim 41, wherein the recipient comprises a content provider.
  - 43. A method as recited in claim 37, wherein the cryptographic mechanism includes the software identity register.

44. One or more computer readable media having stored thereon a plurality of instructions that, when executed in a computer system having a cryptographic mechanism and an operating system (OS), causes the computer system to:
- form an OS certificate containing an identity of the operating system from a software identity register; and
  
  sign the OS certificate using a private key of a pair of private and public keys of the cryptographic mechanism.
- View Dependent Claims (45, 46, 47, 48)
- - 45. One or more computer readable media as recited in claim 44, wherein the cryptographic mechanism is at least part of a central processing unit (CPU).
  - 46. One or more computer readable media as recited in claim 44, further comprising submitting the signed OS certificate to a recipient to prove the identity of the operating system to the recipient.
  - 47. One or more computer readable media as recited in claim 46, wherein the recipient comprises a content provider.
  - 48. One or more computer readable media as recited in claim 44, wherein forming the OS certificate comprises forming the OS certificate with one or more items from a boot log containing identities of software components that are executing on a central processing unit (CPU) of the computer system.

49. A system comprising:
- a first processor, wherein the first processor comprises a central processing unit (CPU); and
  
  a second processor having a key pair including a private key and a public key, wherein the private key is to be used by the second processor to sign an identity of an operating system being executed by the first processor.
- View Dependent Claims (50, 51, 52)
- - 50. A system as recited in claim 49, wherein the first processor further includes a software identity register that holds the identity of the operating system.
  - 51. A system as recited in claim 49, further comprising a memory, coupled to the first and second processors, configured to store instructions that, when executed by the first processor, cause the first processor to submit the signed identity to a recipient to prove the identity of the operating system to the recipient.
  - 52. A system as recited in claim 49, wherein the recipient comprises a content provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.

Granted Patent

US 7,424,606 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/575   Secure boot

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/166   at the transport layer

System and method for authenticating an operating system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authenticating an operating system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links