METHOD TO VERIFY THE INTEGRITY OF COMPONENTS ON A TRUSTED PLATFORM USING INTEGRITY DATABASE SERVICES

US 20070143629A1
Filed: 12/08/2006
Published: 06/21/2007
Est. Priority Date: 11/29/2004
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a client platform capable of being connected to a network, including an integrity report generator to generate an integrity report;

an integrity authority capable of being connected to the network including a database to store a plurality of integrity records;

an authentication server capable of being connected to the network to authenticate the client platform; and

a verification server capable of being connected to the network to receive said integrity report from the client platform, to compare said integrity report with said plurality of integrity records from the integrity authority, and to provide a trust report to the authentication server.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client platform can be verified prior to being granted access to a resource or service on a network by validating individual hardware and software components of the client platform. Digests are generated for the components of the client platform. The digests can be collected into an integrity report. An authenticator entity receives the integrity report and compares the digests with digests stored in either a local signature database, a global signature database in an integrity authority, or both. Alternatively, the digests can be collected and stored on a portable digest-collector dongle. Once digests are either validated or invalidated, an overall integrity/trust score can be generated. She overall integrity/trust score can be used to determine whether the client platform should be granted access to the resource on the network using a policy.

286 Citations

46 Claims

1. A system, comprising:
- a client platform capable of being connected to a network, including an integrity report generator to generate an integrity report;
  
  an integrity authority capable of being connected to the network including a database to store a plurality of integrity records;
  
  an authentication server capable of being connected to the network to authenticate the client platform; and
  
  a verification server capable of being connected to the network to receive said integrity report from the client platform, to compare said integrity report with said plurality of integrity records from the integrity authority, and to provide a trust report to the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A system according to claim 1, further comprising:
    - a resource available on the network; and
      
      a policy server capable of being connected to the network to control access to the resource by the client platform according to an integrity/trust score.
  - 3. A system according to claim 1, wherein the verification server includes a profiles database to store information regarding the client platform.
  - 4. A system according to claim 1, wherein said integrity report is digitally signed.
  - 5. A system according to claim 4, wherein said integrity report is digitally signed using a Trusted Platform Module (TPM) certificate.
  - 6. A system according to claim 1, wherein said integrity report includes a hash of at least one component of the client platform.
  - 7. A system according to claim 1, wherein the verification server includes a comparator to compare said integrity report with said plurality of integrity records to generate said trust report.
  - 8. A system according to claim 1, wherein said trust report includes an integrity/trust score.
  - 9. A system according to claim 8, wherein said trust report further includes:
    - a client platform identity identifying the client platform; and
      
      a verification server identity identifying the verification server.
  - 10. A system according to claim 9, wherein said trust report further includes a reference to a TPM certificate of the client platform.
  - 11. A system according to claim 10, wherein said integrity/trust score is determined in part by said TPM certificate.
  - 12. A system according to claim 1, wherein the integrity authority is operative to harvest raw information of components, verify the correctness of said raw information, refine said raw information into refined information, and store said refined information.
  - 13. A system according to claim 1, wherein each of said plurality of integrity records includes at least one hash of a component.
  - 14. A system according to claim 1, wherein each of said plurality of integrity records includes information identifying the integrity authority.
  - 15. A system according to claim 1, wherein the client platform is drawn from a set consisting of a mobile phone, personal digital assistant, network element, router, switch, server, and personal computer.

16. A computer-implemented method for verifying the integrity of components on a client platform, comprising:
- receiving the client platform for deployment;
  
  installing at least one component on the client platform;
  
  generating an integrity report for the at least one component; and
  
  generating an integrity/trust score from the integrity report to verify the at least one component.
- View Dependent Claims (17, 18)
- - 17. A computer-implemented method according to claim 16, wherein installing the at least one component includes installing the at least one component onto the client platform from an image file.
  - 18. A computer-implemented method according to claim 17, further comprising verifying a set of components in the image file.

19. A computer-implemented method for verifying the integrity of components on a client platform, comprising:
- authenticating the client platform;
  
  receiving an integrity report from the client platform; and
  
  verifying components in the integrity report with an integrity authority.
- View Dependent Claims (20, 21)
- - 20. A computer-implemented method according to claim 19, further comprising:
    - generating a trust report including an integrity/trust score using integrity records stored in the integrity authority; and
      
      granting access of the client platform to a resource if the integrity/trust score exceeds a threshold.
  - 21. A computer-implemented method according to claim 19, further comprising:
    - generating a trust report including an integrity/trust score using integrity records stored in the integrity authority; and
      
      denying access of the client platform to a resource if the integrity/trust score does not exceed a threshold.

22. A computer-implemented method for verifying the integrity of components, comprising:
- generating an integrity report for at least one component; and
  
  generating a trust report including an integrity/trust score using the integrity report, the integrity/trust score being determined in part by a Trusted Platform Module (TPM) certificate used to sign the integrity report.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. A computer-implemented method according to claim 22, further comprising verifying at least one component of a client platform, wherein verifying includes generating the integrity report and the trust report.
  - 24. A computer-implemented method according to claim 23, further comprising:
    - authenticating the client platform;
      
      receiving the integrity report from the client platform; and
      
      verifying components in the integrity report with an integrity authority.
  - 25. A computer-implemented method according to claim 24, further comprising:
    - generating the trust report including the integrity/trust score using integrity records stored in the integrity authority; and
      
      granting access of the client platform to a resource if the integrity/trust score exceeds a threshold.
  - 26. A computer-implemented method according to claim 24, further comprising:
    - generating the trust report including the integrity/trust score using integrity records stored in the integrity authority; and
      
      denying access of the client platform to a resource if the integrity/trust score does not exceed a threshold.
  - 27. A computer-implemented method according to claim 22, further comprising verifying at least one component of an image file, wherein verifying includes generating the integrity report and the trust report.
  - 28. A computer-implemented method according to claim 27, further comprising:
    - receiving a client platform for deployment; and
      
      installing the at least one component of the image file on the client platform prior to verifying the image file.
  - 29. A computer-implemented method according to claim 27, further comprising:
    - receiving a client platform for deployment; and
      
      installing the at least one component of the image file on the client platform after verifying the image file.

30. A computer-implemented method for verifying the integrity of components on a client platform, comprising:
- authenticating the client platform;
  
  generating an integrity report for at least one component of the client platform;
  
  signing the integrity report with a digital signature; and
  
  gaining access to a resource according to the integrity report.
- View Dependent Claims (31)
- - 31. A computer-implemented method according to claim 30, wherein generating the integrity report includes adding at least one hash of the at least one component of the client platform to the integrity report.

32. An article comprising a machine-accessible medium having associated data that, when accessed, results in a machine:
- receiving a client platform for deployment;
  
  installing at least one component on the client platform;
  
  generating an integrity report for the at least one component; and
  
  generating an integrity/trust score from the integrity report to verify the at least one component.
- View Dependent Claims (33, 34)
- - 33. An article according to claim 32, wherein installing the at least one component includes installing the at least one component onto the client platform from an image file.
  - 34. An article according to claim 33, further comprising verifying a set of components in the image file.

35. A system, comprising:
- an integrity authority capable of being connected to a network including a database to store a plurality of integrity records;
  
  an authentication server capable of being connected to the network to authenticate a client platform;
  
  a verification server capable of being connected to the network to receive an integrity report from said client platform, to compare said integrity report with said plurality of integrity records from the integrity authority, and to provide a trust report to the authentication server;
- View Dependent Claims (36)
- - 36. A system according to claim 35, further comprising:
    - a resource available on the network; and
      
      a policy server capable of being connected to the network to control access to the resource by said client platform according to an integrity/trust score.

37. A system, comprising:
- a client platform capable of being connected to a network, the client platform comprising;
  
  an integrity report generator to generate an integrity report of at least one component of the client platform including at least one hash of said at least one component;
  
  a digital signer to sign said integrity report; and
  
  means to receive access to a resource on the network according to said integrity report.
- View Dependent Claims (38)
- - 38. A system according to claim 37, wherein said integrity report is signed using a Trusted Platform Module (TPM) certificate.

39. An article comprising a machine-accessible medium having associated data that, when accessed, results in a machine:
- generating an integrity report for at least one component; and
  
  generating a trust report including an integrity/trust score using the integrity report, the integrity/trust score being determined in part by a Trusted Platform Module (TPM) certificate used to sign the integrity report.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. An article according to claim 39, further comprising verifying at least one component of a client platform, wherein verifying includes generating the integrity report and the trust report.
  - 41. An article according to claim 40, further comprising:
    - authenticating the client platform;
      
      receiving the integrity report from the client platform; and
      
      verifying components in the integrity report with an integrity authority.
  - 42. An article according to claim 41, further comprising:
    - generating the trust report including the integrity/trust score using integrity records stored in the integrity authority; and
      
      granting access of the client platform to a resource if the integrity/trust score exceeds a threshold.
  - 43. An article according to claim 41, further comprising:
    - generating the trust report including the integrity/trust score using integrity records stored in the integrity authority; and
      
      denying access of the client platform to a resource if the integrity/trust score does not exceed a threshold.
  - 44. A computer-implemented method according to claim 39, further comprising verifying at least one component of an image file, wherein verifying includes generating the integrity report and the trust report.
  - 45. A computer-implemented method according to claim 44, further comprising:
    - receiving a client platform for deployment; and
      
      installing the at least one component of the image file on the client platform prior to verifying the image file.
  - 46. A computer-implemented method according to claim 44, further comprising:
    - receiving a client platform for deployment; and
      
      installing the at least one component of the image file on the client platform after verifying the image file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KIP Sign P1 LP
Original Assignee
SignaCert, Inc. (L3Harris Technologies, Inc.)
Inventors
Andersen, Bradley, Hardjono, Thomas, Bleckmann, David, Starnes, William

Granted Patent

US 8,266,676 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/1433   Vulnerability analysis

METHOD TO VERIFY THE INTEGRITY OF COMPONENTS ON A TRUSTED PLATFORM USING INTEGRITY DATABASE SERVICES

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD TO VERIFY THE INTEGRITY OF COMPONENTS ON A TRUSTED PLATFORM USING INTEGRITY DATABASE SERVICES

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links