PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE

US 20130133030A1
Filed: 05/26/2011
Published: 05/23/2013
Est. Priority Date: 07/30/2010
Status: Active Grant

First Claim

Patent Images

1. A platform authentication policy management method applicable to a trusted connection architecture, comprising:

a step 1 of configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and

configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller;

a step 2 of, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second platform authentication policies, and then the evaluation policy server transmitting the configured second platform authentication policies to the TNC access point;

a step 3 of the TNC access point generating and transmitting to the TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform authentication management policy of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;

a step 4 of the TNC client, upon reception of the first set of component measurement request parameters and the platform evaluation policies for the access requester, obtaining a first set of component measurements corresponding to the first set of component measurement request parameters, generating protection policies of the access requester corresponding to the first set of component measurement request parameters and transmitting the first set of component measurements, the received platform evaluation policies for the access requester and the generated protection policies of the access requester to the TNC access point;

a step 5 of the TNC access point receiving and forwarding to the evaluation policy server the first set of component measurements, the platform evaluation policies for the access requester and the protection policies of the access requester transmitted from the TNC client;

a step 6 of the evaluation policy server, for each component type identifier, transmitting the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers;

information a which is the component measurements;

information b which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access requester corresponding to the first set of component measurement request parameters; and

information c which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters.then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;

if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester, then the evaluation policy server converging difference platform evaluation policies and component remediation information corresponding to respective component type identifiers into difference platform evolution policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and

if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;

a step 7 of, if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC access point converging the component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;

the TNC access point transmitting the component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and

the TNC access point transmitting the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server in the step 6 to the TNC client;

a step 8 of the TNC client generating and transmitting to the TNC access point a platform action recommendation of the access requester;

a step 9 of the TNC access point transmitting the platform authentication action recommendation of the access requester to the respective corresponding upper integrity measurement collectors.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a platform authentication strategy management method for trusted connection architecture (TCA), and the trusted network connection (TNC) client, TNC access point and evaluation strategy service provider for implementing the method in the TCA. In the embodiments of the present invention, the platform authentication strategy for the access requester can be configured in the TNC access point or the evaluation strategy service provider, and the platform authentication strategy for the access requester configured in the evaluation strategy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation strategy can be executed in the TNC access point or the evaluation strategy service provider, to ensure that the realization of the TCA platform authentication has good application extensibility.

50 Citations

View as Search Results

24 Claims

1. A platform authentication policy management method applicable to a trusted connection architecture, comprising:
- a step 1 of configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and
  
  configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller;
  
  a step 2 of, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second platform authentication policies, and then the evaluation policy server transmitting the configured second platform authentication policies to the TNC access point;
  
  a step 3 of the TNC access point generating and transmitting to the TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform authentication management policy of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;
  
  a step 4 of the TNC client, upon reception of the first set of component measurement request parameters and the platform evaluation policies for the access requester, obtaining a first set of component measurements corresponding to the first set of component measurement request parameters, generating protection policies of the access requester corresponding to the first set of component measurement request parameters and transmitting the first set of component measurements, the received platform evaluation policies for the access requester and the generated protection policies of the access requester to the TNC access point;
  
  a step 5 of the TNC access point receiving and forwarding to the evaluation policy server the first set of component measurements, the platform evaluation policies for the access requester and the protection policies of the access requester transmitted from the TNC client;
  
  a step 6 of the evaluation policy server, for each component type identifier, transmitting the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers;
  
  information a which is the component measurements;
  
  information b which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access requester corresponding to the first set of component measurement request parameters; and
  
  information c which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters.then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
  
  if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester, then the evaluation policy server converging difference platform evaluation policies and component remediation information corresponding to respective component type identifiers into difference platform evolution policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and
  
  if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;
  
  a step 7 of, if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC access point converging the component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;
  
  the TNC access point transmitting the component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and
  
  the TNC access point transmitting the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server in the step 6 to the TNC client;
  
  a step 8 of the TNC client generating and transmitting to the TNC access point a platform action recommendation of the access requester;
  
  a step 9 of the TNC access point transmitting the platform authentication action recommendation of the access requester to the respective corresponding upper integrity measurement collectors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the TNC client obtaining a first set of component measurements corresponding to the first set of component measurement request parameters upon reception of the first set of component measurement request parameters in the step 4 comprises:
    - the TNC client transmitting a component measurement request parameter corresponding to each component type identifier in the first set of component measurement request parameters to respective integrity measurement collectors corresponding to the TNC client upon reception of the first set of component measurement request parameters, then the integrity measurement collectors returning component measurements corresponding to respective component type identifiers respectively to the TNC client, and the TNC client converging the received component measurements corresponding to the respective component type identifiers into the first set of component measurements corresponding to the first set of component measurement request parameters.
  - 3. The method of claim 1, wherein if the first set of component measurement request parameters are a part of the component measurement request parameters for the access requester, then:
    - the step 6 further comprises;
      
      the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information c, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information c and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information b; and
      
      the step 7 further comprises;
      
      if parts of the component measurement request parameters for the access requester generated in respective rounds of the platform authentication protocol constitute all of the component measurement request parameters for the access requester, then the TNC access point converging component type-level platform evaluation results generated by the evaluation policy server in the respective rounds of the platform authentication protocol and converging difference platform evaluation polices and component remediation information generated by the evaluation policy server in the respective rounds of the platform authentication protocol into difference platform evaluation polices and component remediation information for the access requester;
      
      otherwise, the TNC access point initiating another round of the platform authentication protocol at the end of the current round of the platform authentication protocol.
  - 4. The method of claim 3, wherein:
    - the step 4 further comprises;
      
      generating a second set of component measurement request parameters for the access controller under the first platform authentication management policy of the access requester and the second platform evaluation policies for the access controller; and
      
      if the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then generating platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters under the second platform evaluation policies, wherein the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, and transmitting the generated information together to the TNC access point;
      
      the step 5 further comprises;
      
      for a component measurement request parameter corresponding, to each component type identifier in the second set of component measurement request parameters, the TNC access point obtaining component measurements of the access controller corresponding to the second set of component measurement request parameters; and
      
      the TNC access point generating platform configuration protection polices of the access controller corresponding to the second set of component measurement request parameters under the second platform configuration protection polices and transmitting the generated information together to the evaluation policy server;
      
      the step 6 further comprises;
      
      for each component type identifier in the second set of component measurement request parameters, the evaluation policy server transmitting the following information to the corresponding upper integrity measurement verifiers;
      
      information d which is a second set of component measurements;
      
      information e which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters; and
      
      information f which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters;
      
      then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
      
      next the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information f, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information f and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information e; and
      
      if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller, then converging the difference platform evaluation policies corresponding to the component type identifiers into difference platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, and converging the component remediation information corresponding to the component type identifiers into component remediation information for the access controller corresponding to the second set of component measurement request parameters; and
      
      if the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging the component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters and transmitting the generated information to the TNC access point;
      
      the step 7 further comprises;
      
      if the TNC access point is not required to initiate another round of the platform authentication protocol, then generating and transmitting to the TNC client a platform authentication action recommendation of the access controller; and
      
      the step 8 further comprises;
      
      if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller and the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC client converging the component type-level platform evaluation results corresponding to the respective component type identifiers generated by the evaluation policy server in the step
      
      6) in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters;
      
      the TNC client transmitting the component remediation information for the access controller corresponding to the second set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC client per component type identifier; and
      
      if the information transmitted front the TNC access point in the step 7 comprises the platform authentication action recommendation of the access controller, then the TNC client transmitting the platform authentication action recommendation of the access controller to the respective corresponding integrity measurement collectors above the TNC client.
  - 5. The method of claim 4, wherein:
    - the TNC access point obtaining component measurements of the access controller corresponding to the second set of component measurement request parameters in the step 4 comprises;
      
      the TNC access point transmitting the component measurement request parameter corresponding to the component type identifier to the respective corresponding integrity measurement collectors above the TNC access point, then the integrity measurement collectors returning component measurements corresponding to the component type identifier to the TNC access point, and finally the TNC access point converging the received component measurements into component measurements of the access controller corresponding to the second set of component measurement request parameters.
  - 6. The method of claim 5, wherein if the second set of component measurement request parameters are a part of the component measurement request parameters for the access controller, then:
    - the step 8 further comprises;
      
      if parts of the component measurement request parameters for the access controller generated by the TNC client in the respective rounds of the platform authentication protocol constitute all of the component measurement request parameters for the access controller, then the TNC client converging the component type-level platform evaluation results corresponding to the respective component type identifiers generated by the evaluation policy server in the respective rounds of the platform authentication protocol and converging the difference platform evaluation polices and the component remediation information generated by the evaluation policy server in the respective rounds of the platform authentication protocol into difference platform evaluation polices and component remediation information for the access controller corresponding to the second set of component measurement request parameters;
      
      otherwise, the TNC client initiating another round of the platform authentication protocol at the end of the current round of the platform authentication protocol; and
      
      if another round of the platform authentication protocol initiated from the TNC access point has not been received in a specific period of time, then the TNC client initiating on its own initiative another round of the platform authentication protocol.
  - 7. The method of claim 1, wherein the step 4 further comprises:
    - the TNC client further transmitting a platform identity certificate of the access requester to the TNC access point;
      
      the step 5 further comprises;
      
      the TNC access point verifying a platform signature in the first set of component measurements against the platform identity certificate of the access requester, and the TNC access point further transmitting the platform identity certificate of the access requester and a platform identity certificate of the access controller to the evaluation policy server;
      
      the step 6 further comprises;
      
      the evaluation policy server verifying the platform identity certificate of the access requester and the platform identity certificate of the access controller, generating a platform identity certificate verification result of the access requester and a platform identity certificate verification result of the access controller, and transmitting the verification results to the TNC access point;
      
      the step 7 further comprises;
      
      the TNC access point determining whether the platform identity certificate of the access requester is valid according to the platform identity certificate verification result of the access requester, and transmitting the platform identity certificate and the platform identity certificate verification result of the access controller to the TNC client; and
      
      the step 8 further comprises;
      
      the TNC client verifying a platform signature in a second set of component measurements against the platform identity certificate of the access controller, and determining whether the platform identity certificate of the access controller is valid according to the platform identity certificate verification result of the access controller.
  - 21. The method of claim 2, wherein the step 4 further comprises:
    - the TNC client further transmitting a platform identity certificate of the access requester to the TNC access point;
      
      the step 5 further comprises;
      
      the TNC access point verifying a platform signature in the first set of component measurements against the platform identity certificate of the access requester, and the TNC access point further transmitting the platform identity certificate of the access requester and a platform identity certificate of the access controller to the evaluation policy server;
      
      the step 6 further comprises;
      
      the evaluation policy server verifying the platform identity certificate of the access requester and the platform identity certificate of the access controller, generating a platform identity certificate verification result of the access requester and a platform identity certificate verification result of the access controller, and transmitting the verification results to the TNC access point;
      
      the step 7 further comprises;
      
      the TNC access point determining whether the platform identity certificate of the access requester is valid according to the platform identity certificate verification result of the access requester, and transmitting the platform identity certificate and the platform identity certificate verification result of the access controller to the TNC client; and
      
      the step 8 further comprises;
      
      the TNC client verifying a platform signature in a second set of component measurements against the platform identity certificate of the access controller, and determining whether the platform identity certificate of the access controller is valid according to the platform identity certificate verification result of the access controller.
  - 22. The method of claim 3, wherein the step 4 further comprises:
    - the TNC client further transmitting a platform identity certificate of the access requester to the TNC access point;
      
      the step 5 further comprises;
      
      the TNC access point verifying a platform signature in the first set of component measurements against the platform identity certificate of the access requester, and the TNC access point further transmitting the platform identity certificate of the access requester and a platform identity certificate of the access controller to the evaluation policy server;
      
      the step 6 further comprises;
      
      the evaluation policy server verifying the platform identity certificate of the access requester and the platform identity certificate of the access controller, generating a platform identity certificate verification result of the access requester and a platform identity certificate verification result of the access controller, and transmitting the verification results to the TNC access point;
      
      the step 7 further comprises;
      
      the TNC access point determining whether the platform identity certificate of the access requester is valid according to the platform identity certificate verification result of the access requester, and transmitting the platform identity certificate and the platform identity certificate verification result of the access controller to the TNC client; and
      
      the step 8 further comprises;
      
      the TNC client verifying a platform signature in a second set of component measurements against the platform identity certificate of the access controller, and determining whether the platform identity certificate of the access controller is valid according to the platform identity certificate verification result of the access controller.
  - 23. The method of claim 4, wherein the step 4 further comprises:
    - the TNC client further transmitting a platform identity certificate of the access requester to the TNC access point;
      
      the step 5 further comprises;
      
      the TNC access point verifying a platform signature in the first set of component measurements against the platform identity certificate of the access requester, and the TNC access point further transmitting the platform identity certificate of the access requester and a platform identity certificate of the access controller to the evaluation policy server;
      
      the step 6 further comprises;
      
      the evaluation policy server verifying the platform identity certificate of the access requester and the platform identity certificate of the access controller, generating a platform identity certificate verification result of the access requester and a platform identity certificate verification result of the access controller, and transmitting the verification results to the TNC access point;
      
      the step 7 further comprises;
      
      the TNC access point determining whether the platform identity certificate of the access requester is valid according to the platform identity certificate verification result of the access requester, and transmitting the platform identity certificate and the platform identity certificate verification result of the access controller to the TNC client; and
      
      the step 8 further comprises;
      
      the TNC client verifying a platform signature;
      
      in a second set of component measurements against the platform identity certificate of the access controller, and determining whether the platform identity certificate of the access controller is valid according to the platform identity certificate verification result of the access controller.
  - 24. The method of claim 5, wherein the step 4 further comprises:
    - the TNC client further transmitting a platform identity certificate of the access requester to the TNC access point;
      
      the step 5 further comprises;
      
      the TNC access point verifying a platform signature in the first set of component measurements against the platform identity certificate of the access requester, and the TNC access point further transmitting the platform identity certificate of the access requester and a platform identity certificate of the access controller to the evaluation policy server;
      
      the step 6 further comprises;
      
      the evaluation policy server verifying the platform identity certificate of the access requester and the platform identity certificate of the access controller, generating a platform identity certificate verification result of the access requester and a platform identity certificate verification result of the access controller, and transmitting the verification results to the TNC access point;
      
      the step 7 further comprises;
      
      the TNC access point determining whether the platform identity certificate of the access requester is valid according to the platform identity certificate verification result of the access requester, and transmitting the platform identity certificate and the platform identity certificate verification result of the access controller to the TNC client; and
      
      the step 8 further comprises;
      
      the TNC client verifying a platform signature in a second set of component measurements against the platform identity certificate of the access controller, and determining whether the platform identity certificate of the access controller is valid according to the platform identity certificate verification result of the access controller.

8-10. -10. (canceled)

11. A client in a trusted connection architecture TNC, comprising:
- a first configuring unit configured to receive configured first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester;
  
  a first obtaining unit configured, upon reception of a first set of component measurement request parameters and platform evaluation policies for the access requester, to obtain a first set of component measurements corresponding to the first set of component measurement request parameters, to generate protection policies of the access requester corresponding to the first set of component measurement request parameters and to transmit the first set of component measurements, the received platform evaluation policies of the access requester and the generated protection policies of the access requester to a TNC access point; and
  
  a first generating unit configured to generate and transmit to the TNC access point a platform action recommendation of the access requester.
- View Dependent Claims (12, 13)
- - 12. The client of claim 11, wherein the first obtaining unit is further configured to transmit the component measurement request parameter corresponding to each component type identifier in the first set of component measurement request parameters to respective integrity measurement collectors corresponding to the TNC client upon reception of the first set of component measurement request parameters so that these integrity measurement collectors then return component measurements corresponding to the respective component type identifiers respectively to the TNC client, and the TNC client converges the received component measurements corresponding to the respective component type identifiers into a first set of component measurements corresponding to the first set of component measurement request parameters.
  - 13. The client of claim 11, wherein the first generating unit is further configured to generate second set of component measurement request parameters for the access controller under the first platform authentication polices of the access requester and second platform authentication polices of the access controller.

14. A TNC access point in a trusted connection architecture TNC, comprising:
- a second configuring unit configured to receive configured second platform authentication policies comprising a platform authentication management policy of an access controller, platform configuration protection policies of the access controller, platform evaluation policies for an access requester and a platform authentication action recommendation generation policy of the access controller;
  
  or, when the second platform authentication policies are configured on an evaluation policy server, to request the evaluation policy server for the second platform authentication policies and to receive the second platform authentication policies transmitted from the e valuation policy server;
  
  a second generating unit configured to generate and transmit to a TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform configuration protection policies of the access controller and the platform evaluation policies for the access requester;
  
  among the second platform authentication policies to initiate one round a platform authentication protocol, wherein if the first set of component measurement request parameters is all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;
  
  a forwarding unit configured to receive and forward, to the evaluation policy server, a first set of component measurements, the platform evaluation policies of the access requester and protection policies of the access requester transmitted from the TNC client; and
  
  a second obtaining unit configured, when the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, for the TNC access point to converge component type-level platform evaluation results generated by the evaluation policy server n the current round of the platform authentication protocol into a platform-level platform evaluation result for access requester corresponding to the first set of component measurement request parameters;
  
  to transmit component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and
  
  to transmit the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server to the TNC client.
- View Dependent Claims (15, 16)
- - 15. The access point of claim 14, wherein the second obtaining unit is further configured to obtain component measurements of the access controller corresponding to a second set of component measurement request parameters;
    - and for the TNC access point to generate platform configuration protection policies of the access controller correspond to the second set of component measurement request parameters under the second platform configuration protection policies and to transmit the generated information together to the evaluation policy server.
  - 16. The access point of claim 15, wherein the second obtaining unit is further configured to transmit a component measurement request parameter corresponding to the component type identifier to the respective corresponding integrity measurement collectors above the TNC access point so that these integrity measurement collectors then return component measurements corresponding to the component type identifier to the TNC access point, and finally the TNC access point converges the received component measurements into component measurements of the access controller corresponding to the second set of component measurement request parameters.

17. A platform evaluation server in a trusted connection architecture TNC, comprising:
- a receiving unit configured to receive a first set of component measurements; and
  
  a third obtaining unit configured, for each component type identifier, to transmit the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers;
  
  information a which is the component measurements;
  
  information b which is a platform configuration protection policy corresponding to the component type identifier among platform configuration protection policies of an access requester corresponding to a first set of component measurement request parameters; and
  
  information c which is a platform evaluation policy corresponding to the component type identifier among platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters.then these integrity measurement verifiers return component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
  
  if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the difference platform evaluation policies and the component remediation information corresponding to these component type identifiers are converged into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters and if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then component type-level platform evaluation results corresponding to these component type identifiers are converged into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters; and
  
  if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then a TNC access point converges component type-level platform evaluation results generated by an evaluation policy server in the current round of a platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters.
- View Dependent Claims (18, 19)
- - 18. The platform evaluation server of claim 17, further comprising:
    - a third configuring unit configured to receive configured second platform authentication policies and to transmit the configured second platform authentication policies to the TNC access point when the TNC access point requests for the second platform authentication policies
  - 19. The platform evaluation server according to claim 17, wherein:
    - the receiving unit is further configured to receive a second set of component measurements; and
      
      the third obtaining unit is further configured, for each component type identifier in second set of component measurement request parameters, to transmit the following information to corresponding upper integrity measurement verifiers;
      
      information d which is the second set of component measurements;
      
      information e which is a platform configuration protection policy corresponding to the component type identifier among platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters; and
      
      information f which is a platform evaluation policy corresponding to the component type identifier among platform evaluation policies of the access controller corresponding to the second set of component measurement request parameters;
      
      then these integrity measurement verifiers return component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
      
      next the respective component product-level platform evaluation results corresponding to the component type identifier are converged into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information f, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information f and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information e; and
      
      if the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then the difference platform evaluation policies corresponding to these component type identifiers are converged into difference platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, and the component remediation information corresponding to these component type identifiers is converged into component remediation information for the access controller corresponding to the second set of component measurement request parameters; and
      
      if the platform evaluation policies for the access controller corresponding to the second. set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converges the component type-level platform evaluation results corresponding to these component type identifiers into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters and transmits the generated information to the TNC access point.

20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
China Iwncomm Co., Ltd, Radiosky Testing Servicesltd
Original Assignee
China Iwncomm Co., Ltd
Inventors
Xiao, Yuelei, Cao, Jun, Huang, Zhenhai, Xue, Yonggang, Kan, Runtian, Wang, Ke, Zhang, Guoqiang, Yuan, Kelong, Zhu, Lin, Liu, Xiaoyong

Granted Patent

US 9,246,942 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links