PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE
First Claim
1. A platform authentication policy management method applicable to a trusted connection architecture, comprising:
a step 1 of configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and
configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller;
a step 2 of, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second platform authentication policies, and then the evaluation policy server transmitting the configured second platform authentication policies to the TNC access point;
a step 3 of the TNC access point generating and transmitting to the TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform authentication management policy of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;
a step 4 of the TNC client, upon reception of the first set of component measurement request parameters and the platform evaluation policies for the access requester, obtaining a first set of component measurements corresponding to the first set of component measurement request parameters, generating protection policies of the access requester corresponding to the first set of component measurement request parameters and transmitting the first set of component measurements, the received platform evaluation policies for the access requester and the generated protection policies of the access requester to the TNC access point;
a step 5 of the TNC access point receiving and forwarding to the evaluation policy server the first set of component measurements, the platform evaluation policies for the access requester and the protection policies of the access requester transmitted from the TNC client;
a step 6 of the evaluation policy server, for each component type identifier, transmitting the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers;
information a which is the component measurements;
information b which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access requester corresponding to the first set of component measurement request parameters; and
information c which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;
then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester, then the evaluation policy server converging difference platform evaluation policies and component remediation information corresponding to respective component type identifiers into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and
if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;
a step 7 of, if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC access point converging the component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;
the TNC access point transmitting the component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and
the TNC access point transmitting the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server in the step 6 to the TNC client;
a step 8 of the TNC client generating and transmitting to the TNC access point a platform action recommendation of the access requester;
a step 9 of the TNC access point transmitting the platform authentication action recommendation of the access requester to the respective corresponding upper integrity measurement collectors.
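The nine steps above, run end to end as an added simulation; this is not code from the patent or from any TCA implementation. The party names follow the claim (TNC client, TNC access point, evaluation policy server, integrity measurement verifiers and collectors). The component type identifiers, measurement digests, reference values, policy encodings, the rule that a component type passes only when every product of that type passes, and the platform-level convergence rule "all-types-pass" are constructed assumptions, as is the `converge_at` management flag that decides whether the component type-level convergence policy is handed to the evaluation policy server (so it converges in step 6) or omitted so that the access point converges in step 7. A partial request, one that does not cover all component measurement request parameters, follows the claim's conditions and yields neither converged remediation information nor a platform-level result.

```python
"""Added example (not the patent's own code): simulation of the nine-step platform
authentication policy flow of claim 1. All names, digests, policy encodings and the
convergence rules are constructed assumptions."""

# Constructed sample data: component type identifier -> {product -> measurement digest}
AR_MEASUREMENTS = {
    "os": {"kernel": "sha256:aaaa", "bootloader": "sha256:bbbb"},
    "av": {"av-engine": "sha256:cccc"},
}
# Constructed reference values known to the integrity measurement verifiers (IMVs)
REFERENCE = {"kernel": "sha256:aaaa", "bootloader": "sha256:bbbb", "av-engine": "sha256:ffff"}
ALL_AR_PARAMS = ("os", "av")  # "all of the component measurement request parameters"


def make_second_policies(converge_at):
    """Step 1: second platform authentication policies (access controller side).
    'converge_at' ('eps' or 'ap') is a constructed management-policy flag."""
    return {
        "management": {"converge_at": converge_at},
        "protection": {"os": "digest-only", "av": "digest-only"},
        "evaluation_for_ar": {"os": "all-products-match", "av": "all-products-match"},
        "recommendation_generation": {"pass": "allow", "fail": "isolate"},
    }


def imv_evaluate(type_id, measurements, protection_policy, evaluation_policy):
    """Step 6 at one IMV: product-level results, difference policy, remediation info."""
    assert evaluation_policy == "all-products-match"
    # The protection policy says only digests may leave the access requester.
    assert protection_policy == "digest-only" and all(
        m.startswith("sha256:") for m in measurements.values()), "raw values not allowed"
    product_results = {p: m == REFERENCE.get(p) for p, m in measurements.items()}
    failed = sorted(p for p, ok in product_results.items() if not ok)
    difference_policy = {"re-measure": failed}            # constructed encoding
    remediation = {p: f"update {p} to reference" for p in failed}
    return product_results, difference_policy, remediation


def converge_type_level(type_results, convergence_policy):
    """Component type-level results -> platform-level result (constructed rule)."""
    assert convergence_policy == "all-types-pass"
    return all(type_results.values())


def evaluation_policy_server(measurements, eval_policies, protection_policies, request):
    """Step 6 at the evaluation policy server, one IMV call per component type id."""
    type_results, diff, rem = {}, {}, {}
    for type_id, m in measurements.items():
        prod, d, r = imv_evaluate(type_id, m, protection_policies[type_id], eval_policies[type_id])
        type_results[type_id] = all(prod.values())  # assumption: type passes iff all products pass
        diff[type_id], rem[type_id] = d, r
    out = {"type_level": type_results}
    if set(request) == set(ALL_AR_PARAMS):          # converge only for a full request
        out["difference_policies_for_ar"] = diff
        out["remediation_for_ar"] = rem
    if "type_level_convergence" in eval_policies:   # convergence policy present: converge here
        out["platform_level"] = converge_type_level(type_results, eval_policies["type_level_convergence"])
    return out


def tnc_client_measure(request, eval_policies):
    """Step 4: obtain the requested measurements and generate protection policies."""
    measurements = {t: AR_MEASUREMENTS[t] for t in request}
    protection = {t: "digest-only" for t in request}
    return measurements, eval_policies, protection


def tnc_client_recommend(platform_level, rec_policy):
    """Step 8: platform authentication action recommendation of the access requester."""
    if platform_level is None:
        return None                                  # no platform-level result this round
    return rec_policy["pass"] if platform_level else rec_policy["fail"]


def run_round(request=ALL_AR_PARAMS, converge_at="eps"):
    """One round of the platform authentication protocol; returns what each party produced."""
    eps_policies = make_second_policies(converge_at)              # step 1: configured on the EPS
    ap_policies = dict(eps_policies)                              # step 2: AP requests, EPS transmits
    is_full = set(request) == set(ALL_AR_PARAMS)
    eval_for_ar = {t: ap_policies["evaluation_for_ar"][t] for t in request}   # step 3
    if is_full and converge_at == "eps":
        eval_for_ar["type_level_convergence"] = "all-types-pass"
    measurements, eval_back, protection = tnc_client_measure(request, eval_for_ar)   # step 4
    eps_out = evaluation_policy_server(measurements, eval_back, protection, request)  # steps 5-6
    converged_at = "eps" if "platform_level" in eps_out else None
    if is_full and "platform_level" not in eps_out:                                   # step 7 at AP
        eps_out["platform_level"] = converge_type_level(eps_out["type_level"], "all-types-pass")
        converged_at = "ap"
    remediation = eps_out.get("remediation_for_ar", {})        # AP -> its IMCs, per type identifier
    rec = tnc_client_recommend(eps_out.get("platform_level"),
                               ap_policies["recommendation_generation"])          # step 8
    return {"converged_at": converged_at, "type_level": eps_out["type_level"],   # step 9: AP
            "platform_level": eps_out.get("platform_level"),                      # forwards rec
            "remediation": remediation, "recommendation": rec}                    # to its IMCs


if __name__ == "__main__":
    for kwargs in ({}, {"converge_at": "ap"}, {"request": ("os",)}):
        print(kwargs, run_round(**kwargs))
```

The two full-request runs reach the same platform-level verdict whichever party converges, which is the extensibility point of the abstract: the convergence step can be moved between the access point and the evaluation policy server without changing the outcome. Remediation information only reaches the access point's collectors when the request covered every component type, because that is the condition under which the server converges it.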
Abstract
Provided are a platform authentication strategy management method for trusted connection architecture (TCA), and the trusted network connection (TNC) client, TNC access point and evaluation strategy service provider for implementing the method in the TCA. In the embodiments of the present invention, the platform authentication strategy for the access requester can be configured in the TNC access point or the evaluation strategy service provider, and the platform authentication strategy for the access requester configured in the evaluation strategy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation strategy can be executed in the TNC access point or the evaluation strategy service provider, to ensure that the realization of the TCA platform authentication has good application extensibility.
24 Claims
1. (See First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 21, 22, 23, 24.
8-10. (canceled)
11. A client in a trusted connection architecture TNC, comprising:
a first configuring unit configured to receive configured first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester;
a first obtaining unit configured, upon reception of a first set of component measurement request parameters and platform evaluation policies for the access requester, to obtain a first set of component measurements corresponding to the first set of component measurement request parameters, to generate protection policies of the access requester corresponding to the first set of component measurement request parameters and to transmit the first set of component measurements, the received platform evaluation policies of the access requester and the generated protection policies of the access requester to a TNC access point; and
a first generating unit configured to generate and transmit to the TNC access point a platform action recommendation of the access requester.
Dependent claims: 12, 13.
-
14. A TNC access point in a trusted connection architecture TNC, comprising:
a second configuring unit configured to receive configured second platform authentication policies comprising a platform authentication management policy of an access controller, platform configuration protection policies of the access controller, platform evaluation policies for an access requester and a platform authentication action recommendation generation policy of the access controller; or, when the second platform authentication policies are configured on an evaluation policy server, to request the evaluation policy server for the second platform authentication policies and to receive the second platform authentication policies transmitted from the evaluation policy server;
a second generating unit configured to generate and transmit to a TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform configuration protection policies of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters is all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;
a forwarding unit configured to receive and forward, to the evaluation policy server, a first set of component measurements, the platform evaluation policies of the access requester and protection policies of the access requester transmitted from the TNC client; and
a second obtaining unit configured, when the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, for the TNC access point to converge component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;
to transmit component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and
to transmit the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server to the TNC client.
Dependent claims: 15, 16.
17. A platform evaluation server in a trusted connection architecture TNC, comprising:
a receiving unit configured to receive a first set of component measurements; and
a third obtaining unit configured, for each component type identifier, to transmit the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers:
information a which is the component measurements;
information b which is a platform configuration protection policy corresponding to the component type identifier among platform configuration protection policies of an access requester corresponding to a first set of component measurement request parameters; and
information c which is a platform evaluation policy corresponding to the component type identifier among platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;
then these integrity measurement verifiers return component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the difference platform evaluation policies and the component remediation information corresponding to these component type identifiers are converged into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and
if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then component type-level platform evaluation results corresponding to these component type identifiers are converged into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters; and
if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then a TNC access point converges component type-level platform evaluation results generated by an evaluation policy server in the current round of a platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters.
Dependent claims: 18, 19.
20. (canceled)