PLATFORM VALIDATION AND MANAGEMENT OF WIRELESS DEVICES

US 20110010543A1
Filed: 03/05/2010
Published: 01/13/2011
Est. Priority Date: 03/06/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for platform validation and management (PVM), comprising:

receiving a PVM token in response to a validation message from a device, the PVM token including at least verification information from the device;

performing validation using predetermined information from the PVM token;

in response to failed components, sending a failure report to a device management system (DMS) to initiate remediation and revalidation; and

sending a modified PVM token with a validation result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, components and apparatus for implementing platform validation and management (PVM) are disclosed. PVM provides the functionality and operations of a platform validation entity with remote management of devices by device management components and systems such as a home node-B management system or component. Example PVM operations bring devices into a secure target state before allowing connectivity and access to a core network.

275 Citations

48 Claims

1. A method for platform validation and management (PVM), comprising:
- receiving a PVM token in response to a validation message from a device, the PVM token including at least verification information from the device;
  
  performing validation using predetermined information from the PVM token;
  
  in response to failed components, sending a failure report to a device management system (DMS) to initiate remediation and revalidation; and
  
  sending a modified PVM token with a validation result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 42)
- - 2. The method of claim 1, wherein performing validation includes determining applicability of at least one failure condition.
  - 3. The method of claim 1, wherein validation is performed using at least one of remote validation (RV), autonomous validation (AuV), semi-autonomous validation (SAV), full—
    - SAV (F-SAV), minimal validation or parametric validation.
  - 4. The method of claim 1, wherein the verification information includes at least one of a device identity, device information, trusted environment (TrE) information, verification data, verification binding, and an ordered component list of component indicators to components.
  - 5. The method of claim 1, wherein performing validation includes at least one of determining a TrE to be not trustworthy, determining an Integrity Measurement/Verification Data mismatch, determining a missing Reference Integrity Metrics (RIM) for a component, determining a list of loaded components policy failure, and determining an expired device or RIM certificate.
  - 6. The method of claim 1, wherein the PVM token is bound to an identity of a validating TrE and to a validation process.
  - 7. The method of claim 1, wherein validation freshness is controlled by time-stamping the PVM token and appending a time-ordered list by every entity passing the PVM token.
  - 8. The method of claim 1, further comprising establishing individualization by using a device identity in a RIM certificate.
  - 9. The method of claim 1, further comprising sending the PVM token to the DMS to determine quarantine, white list, black list and grey list applicability.
  - 10. The method of claim 9, wherein the grey list includes at least one of devices that are new to the network, devices that have not been connected for an extended period of time, devices with suspicious behavior, and devices for which security warnings exist.
  - 11. The method of claim 1, wherein operator RIM shielding replaces predetermined RIM certificates for device components coming from various external sources with operator RIM certificates.
  - 12. The method of claim 1, wherein a query is sent to a validation database to check information received in PVM token.
  - 13. The method of claim 1, wherein a query is sent to a configuration database to retrieve a configuration policy based on a predetermined identifier.
  - 14. The method of claim 13, wherein a retrieved configuration policy is evaluated.
  - 15. The method of claim 1, wherein a message is sent to a validation database manager in response to a failure condition.
  - 42. The method of claim 12, further comprising a trusted resource (TR) forming the validation message.

16. A method of performing validation of a device coupled to a platform validation and management (PVM), comprising:
- performing an integrity check of at least one pre-designated component of the device and storing integrity check results;
  
  performing a secure start-up check on the device and storing secure start-up check results;
  
  forming a validation message based on the integrity check results and the secure start-up check results; and
  
  forwarding the validation message to the PVM.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 43, 44)
- - 17. The method of claim 16, further comprising:
    - performing a secure start-up in stages, ensuring that each trusted environment (TrE) component is loaded on a condition that a local validation of the TrE component is successful;
      
      at a first stage, loading components of the TrE via a secure start-up relying on a Root of Trust (RoT);
      
      at a second stage, loading components outside the TrE to permit communications with the PVM; and
      
      loading remaining components of the device.
  - 18. The method of claim 16, wherein performing the integrity check is based on at least one trusted reference value and the TrE.
  - 19. The method of claim 16, wherein the validation message includes a local pass/fail indicator as a measurement of integrity established during the first and second stages.
  - 20. The method of claim 16, further comprising a fallback code base.
  - 21. The method of claim 20, wherein initiating the fallback code base includes triggering a software update of a main code base including RIMs.
  - 22. The method of claim 16, further comprising sending a distress signal on a condition that a fallback code base is loaded.
  - 23. The method of claim 16, wherein a fallback code (FBC) image facilitates the remediation of a device and is stored in secure memory.
  - 24. The method of claim 16, wherein the integrity check determines that only registered components are activated.
  - 25. The method of claim 24, wherein the registered components are activated by loading into a memory.
  - 26. The method of claim 24, wherein the registered components are activated by starting into an integrity-proven state.
  - 27. The method of claim 16, further comprising performing a second integrity check.
  - 28. The method of claim 16, further comprising performing a second integrity check on condition that the device has completed a successful network connection.
  - 29. The method of claim 27, wherein the second integrity check is initiated by one of the device or in response to a message.
  - 30. The method of claim 16, wherein storing integrity check results is in a protected storage location.
  - 31. The method of claim 16, wherein the validation message comprises a cryptographically signed statement.
  - 32. The method of claim 16, wherein the validation message comprises evidence of binding between the integrity check and a subsequent authentication procedure.
  - 33. The method of claim 16, wherein the validation message comprises evidence of binding between the secure start-up check and a subsequent authentication procedure.
  - 34. The method of claim 16, wherein the validation message comprises a time stamp.
  - 35. The method of claim 16, wherein the validation message comprises a first time stamp taken before the integrity check and the start-up check and a second time stamp taken after the integrity check and the start-up check.
  - 36. The method of claim 16, wherein the validation message comprises an indication of a device configuration.
  - 37. The method of claim 16, wherein the validation message comprises an indication of a security property of a device component.
  - 38. The method of claim 16, further comprising receiving a decision message from the PVM in response to the validation message.
  - 39. The method of claim 38, wherein the decision message comprises an indication of network privileges associated with the device.
  - 40. The method of claim 16, further comprising a trusted resource (TR) performing the integrity check.
  - 41. The method of claim 16, further comprising a trusted resource (TR) performing the secure start-up check.
  - 43. The method of claim 38, further comprising a trusted resource (TR) receiving the decision message from the PVM.
  - 44. The method of claim 24, wherein the FBC deletes or uninstalls a part of a normal code and reboots the device for revalidation.

45. A platform validation entity (PVE) for facilitating platform validation and management (PVM), comprising:
- the PVE configured to receive a PVM token in response to a validation message from a device, the PVM token including at least verification information from the device;
  
  the PVE configured to perform validation using predetermined information from the PVM token;
  
  the PVE configured to send a failure report to a device management system (DMS) to initiate remediation and revalidation in response to failed components; and
  
  the PVE configured to send a modified PVM token with a validation result.
- View Dependent Claims (46)
- - 46. The PVE of claim 45, wherein the verification information includes at least security policy attributes.

47. A device for performing validation via platform validation and management (PVM), comprising:
- a processor configured to perform an integrity check of at least one pre-designated component of the device and configured to store integrity check results in a memory;
  
  the processor configured to perform a secure start-up check on the device and to store secure start-up check results in the memory;
  
  the processor configured to form a validation message based on the integrity check results and the secure start-up check results; and
  
  a transmitter for transmitting the validation message to the PVM.

48. A device management system (DMS) for facilitating platform validation and management (PVM), comprising:
- the DMS configured to receive at least one of a failure report and a PVM token, in response to a validation message from a device, from a platform validation entity (PVE) to initiate remediation and revalidation in response to failed components, the PVM token including at least verification information from the device;
  
  the DMS configured to determine availability of updates for at least the failed components;
  
  the DMS configured to prepare over-the-air updates for available updates;
  
  the DMS configured to ensure existence of trusted reference values for the available updates in a validation database;
  
  the DMS configured to send a modified PVM token and a revalidation indication to a security gateway (SeGW); and
  
  the DMS configured to send a revalidation trigger to the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
Pattar, Sudhir B., Cha, Inhyok, Guccione, Louis J., Meyerstein, Michael V., Howry, Dolores F., Greiner, David G., Schmidt, Andreas U., Leicher, Andreas, Case, Lawrence, Shah, Yogendra C.

Application Number

US12/718,480
Publication Number

US 20110010543A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

H04L 63/123   received data contents, e.g...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/10   Integrity

H04W 12/35   Protecting application or s...

H04W 12/61   Time-dependent

H04W 12/71   Hardware identity

PLATFORM VALIDATION AND MANAGEMENT OF WIRELESS DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

275 Citations

48 Claims

Specification

Use Cases

Quick Links

Others

PLATFORM VALIDATION AND MANAGEMENT OF WIRELESS DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

275 Citations

48 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others