System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party
Abstract
In accordance with certain aspects, a chain of trust is established between a subscriber unit and a content provider. A request is submitted from the subscriber unit to the content provider. A challenge nonce is generated at the content provider and returned to the subscriber unit. At the subscriber unit, an operating system (OS) certificate containing an identity of the operating system from the software identity register, information describing the operating system, the challenge nonce, and a CPU public key is formed, and the OS certificate is signed using a CPU private key. The OS certificate and a CPU manufacturer certificate supplied by a manufacturer of the CPU are passed from the subscriber unit to the content provider, and are evaluated at the content provider to determine whether to reject or fulfill the request.
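The exchange the abstract describes, written out for both sides as an added sketch; it is not code from the patent. Textbook RSA over small constructed primes stands in for the CPU and manufacturer key pairs, and the field names, `DemoOS`, and all function names are assumptions made for the illustration.

```python
import hashlib, json, secrets

E = 65537  # public exponent shared by the demo keys

def keypair(p, q):
    """Textbook RSA from two primes; returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(obj, n):
    blob = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(obj, n, d):
    return pow(digest(obj, n), d, n)

def verify(obj, sig, n):
    return pow(sig, E, n) == digest(obj, n)

def measure(image):  # value held in the software identity register
    return hashlib.sha256(image).hexdigest()

# Constructed demo keys from Mersenne primes; far too small for real use.
MFR_N, MFR_D = keypair(2**107 - 1, 2**127 - 1)  # CPU manufacturer
CPU_N, CPU_D = keypair(2**61 - 1, 2**89 - 1)    # CPU key pair
MFR_CERT = {"cpu_pub": CPU_N, "sig": sign({"cpu_pub": CPU_N}, MFR_N, MFR_D)}

def new_nonce():  # content provider: fresh challenge for each request
    return secrets.token_hex(16)

def form_os_certificate(nonce, os_identity, boot_log):
    """Subscriber unit: the CPU signs identity, boot log, nonce and its key."""
    body = {"os_identity": os_identity, "os_info": "DemoOS 1.0",
            "boot_log": boot_log, "nonce": nonce, "cpu_pub": CPU_N}
    return {"body": body, "sig": sign(body, CPU_N, CPU_D)}

def evaluate(os_cert, mfr_cert, expected_nonce, trusted_os):
    """Content provider: returns (fulfill, reason)."""
    body = os_cert["body"]
    if not verify({"cpu_pub": mfr_cert["cpu_pub"]}, mfr_cert["sig"], MFR_N):
        return False, "manufacturer certificate invalid"
    if body["cpu_pub"] != mfr_cert["cpu_pub"]:
        return False, "CPU key not vouched for by manufacturer"
    if not verify(body, os_cert["sig"], body["cpu_pub"]):
        return False, "OS certificate signature invalid"
    if body["nonce"] != expected_nonce:
        return False, "stale or replayed nonce"
    if body["os_identity"] not in trusted_os:
        return False, "untrusted operating system"
    return True, "ok"
```

Because the nonce and the boot log sit inside the signed body, a certificate captured from an earlier request or edited after signing fails evaluation even though the manufacturer certificate is still valid.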
22 Claims
1. A method implemented in a subscriber unit for establishing a chain of trust between the subscriber unit and a content provider, the subscriber unit having a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys, a manufacturer certificate supplied by a manufacturer of the CPU, and a software identity register that holds an identity of the operating system, the method comprising:
- submitting a request to the content provider, the request specifying a particular content;
- receiving, from the content provider, a challenge nonce generated at the content provider;
- forming an OS certificate containing the identity from the software identity register, information describing the operating system, the challenge nonce, and the CPU public key and signing the OS certificate using the CPU private key, wherein the forming comprises forming the OS certificate with one or more items from a boot log containing identities of software components that are executing on the CPU;
- passing the OS certificate and the CPU manufacturer certificate to the content provider for the content provider to evaluate the OS certificate and the CPU manufacturer to determine whether to reject or fulfill the request.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method implemented in a content provider for establishing a chain of trust between the content provider and a subscriber unit, in which the subscriber unit has a central processing unit (CPU) and an operating system (OS) and the CPU further includes a pair of private and public keys, a manufacturer certificate supplied by a manufacturer of the CPU, and a software identity register that holds an identity of the operating system, the method comprising:
- receiving a request from the subscriber unit, the request specifying a particular content;
- generating a challenge nonce;
- returning the challenge nonce to the subscriber unit;
- receiving, from the subscriber unit, the CPU manufacturer certificate and an OS certificate containing the identity from the software identity register, information describing the operating system, the challenge nonce, and the CPU public key, the OS certificate having been signed using the CPU private key, wherein the identity from the software identity register comprises one or more items from a boot log containing identities of software components executing on the CPU; and
- evaluating the OS certificate and the CPU manufacturer certificate at the content provider to determine whether to reject or fulfill the request.
11. A method implemented by a third party for associating a level of trust with a user computer, the user computer having a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys, a manufacturer certificate supplied by a manufacturer of the CPU, and a software identity register that holds an identity of an operating system executing on the CPU, the method comprising:
- establishing a secure connection between the user computer and the third party;
- generating a challenge nonce;
- transmitting the challenge nonce to the user computer over the secure connection;
- receiving, from the user computer, an OS certificate and the challenge nonce, wherein the OS certificate comprises one or more items from a boot log containing identities of software components executing on the CPU, and wherein the OS certificate and the challenge nonce are signed by the user computer using the CPU private key;
- associating the level of trust for the user computer using the signed OS certificate.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
Specification