Method and system for verifying binding of an initial trusted device to a secured processing system
Abstract
A method and system for verifying binding of an initial trusted device to a secured processing system binds an initial device or replacement when no binding information is available from another device in the system. A platform credential is issued only when a valid binding is verified, by sending a proof of binding to a credential provider, such as the manufacturer. The method secures against security breaches that can occur when a device is removed from the system during the binding process. The binding information is generated in the device upon installation and includes system identification information so that at each initialization, upon return of binding information from the system to the device, the device can ensure that it is installed in the proper system and abort operation if the system does not match.
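The flow described in the abstract, as an added Go sketch that is not code from the patent: the device derives binding information from the system identifier, re-checks it at each initialization, and signs the system and device identifiers as a proof that the credential provider verifies before issuing a platform credential. HMAC-SHA256, Ed25519, the single-secret key derivation, the Registry type, all function names and the sample identifiers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Device holds the device-private values. HMAC-SHA256 for the binding, Ed25519
// for the proof, and deriving both keys from one secret are assumptions.
type Device struct {
	ID      string
	macKey  []byte
	signKey ed25519.PrivateKey
}
type Registry map[string]ed25519.PublicKey // provider's device ID -> public key

func NewDevice(id string, secret []byte) *Device {
	mk := sha256.Sum256(append([]byte("bind:"), secret...))
	sk := sha256.Sum256(append([]byte("sign:"), secret...))
	return &Device{id, mk[:], ed25519.NewKeyFromSeed(sk[:])}
}
func (d *Device) Public() ed25519.PublicKey { return d.signKey.Public().(ed25519.PublicKey) }

// Bind derives the binding that the system stores and returns at each boot.
func (d *Device) Bind(systemID string) []byte {
	m := hmac.New(sha256.New, d.macKey)
	m.Write([]byte(systemID))
	return m.Sum(nil)
}
// CheckAtInit is false when the device sits in a system it was not bound to.
func (d *Device) CheckAtInit(systemID string, b []byte) bool { return hmac.Equal(d.Bind(systemID), b) }

// msg hashes each identifier to a fixed width so the signed pair is unambiguous.
func msg(systemID, deviceID string) []byte {
	s, d := sha256.Sum256([]byte(systemID)), sha256.Sum256([]byte(deviceID))
	return append(s[:], d[:]...)
}
func (d *Device) Prove(systemID string) []byte { return ed25519.Sign(d.signKey, msg(systemID, d.ID)) }

// IssueCredential issues only when the proof verifies for a known device.
func IssueCredential(r Registry, systemID, deviceID string, proof []byte) (string, bool) {
	if pub, ok := r[deviceID]; ok && ed25519.Verify(pub, msg(systemID, deviceID), proof) {
		return "platform-credential:" + systemID, true
	}
	return "", false
}

func main() { // constructed identifiers and secret
	d := NewDevice("dev-1", []byte("constructed-secret"))
	fmt.Println(IssueCredential(Registry{"dev-1": d.Public()}, "sys-A", "dev-1", d.Prove("sys-A")))
}
```

Because the signed message covers both identifiers, a proof captured for one system does not verify when presented for another system or under another device identifier.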
25 Claims
1. A method of securing a processing system, said processing system including multiple devices that verify the identity of a particular processing system prior to initializing to a functioning state, said method comprising:
first generating a binding of a given one of said devices to said processing system in conformity with system identifying information provided by said processing system and a first private information known only to said given device;
second generating a proof of said binding in conformity with said system identifying information, a second private information known only to said given device, and a unique device identifier;
transmitting said proof of binding from said processing system to a credential provider;
determining at said credential provider whether or not said proof of binding indicates that said generated binding is valid; and
in response to determining that said generated binding is valid, issuing a platform credential for said processing system.
12. A system comprising:
a plurality of devices intercommunicating and constituting a processing system, said devices each including a memory for storing system program instructions and data and a processor for executing said system program instructions, and wherein said system program instructions include program instructions for first generating a binding of a given one of said devices to said processing system in conformity with system identifying information provided by said processing system and a first private information known only to said given device, second generating a proof of said binding in conformity with said system identifying information, a second private information known only to said given device, and a unique device identifier, transmitting said proof of binding from said processing system to a credential provider; and
a credential provider server coupled via a network to said processing system, said credential provider server including a server processor for executing server program instructions and a memory for storing said server program instructions, and wherein said server program instructions comprise program instructions for receiving said proof of binding at said credential provider, determining at said credential provider whether or not said proof of binding indicates that said generated binding is valid, and in response to determining that said generated binding is valid, issuing a platform credential for said processing system.
23. A computer program product comprising signal-bearing media encoding server program instructions for execution within a server certifying security of a processing system that includes multiple secured devices, said server program instructions comprising program instructions for:
receiving from said processing system a signed result of a system-specific identifier and a device-specific identifier, signed by a device-specific key;
determining from said signed result, whether or not a valid binding of one of said multiple secured devices has been completed; and
responsive to determining that a valid binding was accomplished, issuing a credential certifying said processing system as secured.
24. A computer program product comprising signal-bearing media encoding program instructions for execution within a processing system that includes multiple secured devices, said program instructions comprising program instructions for:
receiving in a given one of said devices, a system-specific identifier associated with a particular system;
generating binding information in conformity with information known only to said given device and said received system-specific identifier; and
transmitting information in conformity with said generated binding information to a credential provider, whereby said binding may be validated contingent to issuing a valid platform credential for said processing system.
Specification