System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party

US 7,457,412 B2
Filed: 12/22/2006
Issued: 11/25/2008
Est. Priority Date: 10/26/1998
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer system having a central processing unit (CPU) and an operating system (OS), the computer system maintaining a boot log that holds identities of software components that are currently executing, and the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system, a method comprising:

creating an OS certificate including the identity from the software identity register, information describing the operating system, and the CPU public key;

signing the OS certificate using the CPU private key;

forming a generator seed from a CPU-specific secret, a user-supplied seed, and OS-specific data from the boot log; and

generating a storage key based on a function of the generator seed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with certain aspects, a computer system has a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system. An OS certificate is created including the identity from the software identity register, information describing the operating system, and the CPU public key. The created OS certificate is signed using the CPU private key.

142 Citations

23 Claims

1. In a computer system having a central processing unit (CPU) and an operating system (OS), the computer system maintaining a boot log that holds identities of software components that are currently executing, and the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system, a method comprising:
- creating an OS certificate including the identity from the software identity register, information describing the operating system, and the CPU public key;
  
  signing the OS certificate using the CPU private key;
  
  forming a generator seed from a CPU-specific secret, a user-supplied seed, and OS-specific data from the boot log; and
  
  generating a storage key based on a function of the generator seed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, further comprising submitting the signed OS certificate over a network to a third party to prove an identity of the operating system to the third party.
  - 3. The method as recited in claim 1, wherein creating the OS certificate comprises forming the OS certificate with one or more items from the boot log.
  - 4. The method as recited in claim 1, wherein the software identity register holds, as the identity of the operating system, a public key of a boot block of the operating system.
  - 5. The method as recited in claim 1, wherein the software identity register holds, as the identity of the operating system, a cryptographic hash of code and one or more constants included in a boot block of the operating system.
  - 6. The method as recited in claim 1, wherein the software identity register holds the identity of the operating system if a boot block of the operating system was executed atomically, and holds a fake value if the boot block of the operating system was not executed atomically.
  - 7. The method as recited in claim 1, wherein the software identity register holds, as the identity of the operating system, a cryptographic digest of a data structure comprising a boot block of the operating system and contents of the boot log.

8. In a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system, the computer system further maintaining a boot log that holds identities of software components that are currently executing, a method comprising:
- forming a generator seed from a CPU-specific secret, a user-supplied seed, and OS-specific data from the boot log; and
  
  generating a storage key based on a function of the generator seed;
  
  the forming and generating comprising creating a storage key SK as follows;
  
  SK=SHA(CPU-specific secret, OS-specific data, seed).
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as recited in claim 8, further comprising encrypting data using the storage key.
  - 10. The method as recited in claim 8, wherein the boot log includes both a public key of a boot block of the operating system and an identity for each software component that is loaded by the boot block.
  - 11. The method as recited in claim 8, wherein the boot log includes both a digest of a boot block of the operating system and an identity for each software component that is loaded by the boot block.
  - 12. The method as recited in claim 8, wherein the CPU-specific secret comprises a secret CPU-internal key.
  - 13. The method as recited in claim 8, wherein the OS-specific data comprises OS-specific data from the boot log and the identity of the operating system from the software identity register.
  - 14. The method as recited in claim 8, wherein the OS-specific data comprises both a public key of a boot block of the operating system and a version number.

15. For execution on a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system, a computer program stored on one or more computer-readable storage media of the computer system, the program causing the CPU to, when executing the program:
- form an OS certificate containing the identity from the software identity register, information describing the operating system, and the CPU public key;
  
  sign the OS certificate using the CPU private key;
  
  form a generator seed from a CPU-specific secret, a user-supplied seed, and the identity of the operating system from the software identity register; and
  
  generate a storage key based on a function of the generator seed.

16. In a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system, a method comprising:
- creating an OS certificate including the identity from the software identity register, information describing the operating system, and the CPU public key;
  
  signing the OS certificate using the CPU private key;
  
  forming a generator seed from a CPU-specific secret, a user-supplied seed, and the identity of the operating system from the software identity register; and
  
  generating a storage key based on a function of the generator seed.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method as recited in claim 16, further comprising submitting the signed OS certificate over a network to a third party to prove an identity of the operating system to the third party.
  - 18. The method as recited in claim 16, wherein creating the OS certificate comprises forming the OS certificate with one or more items from a boot log containing identities of software components that are executing on the CPU.
  - 19. The method as recited in claim 16, wherein the software identity register holds, as the identity of the operating system, a public key of a boot block of the operating system.
  - 20. The method as recited in claim 16, wherein the software identity register holds, as the identity of the operating system, a cryptographic hash of code and one or more constants included in a boot block of the operating system
  - 21. The method as recited in claim 16, wherein the software identity register holds the identity of the operating system a boot block of the operating system WM executed atomically, and holds a fake value if the boot block of the operating system was not executed atomically.
  - 22. The method as recited in claim 16, wherein the software identity register holds, as the identity of the operating system, a cryptographic digest of a data structure comprising a boot block of the operating system and contents of a boot log containing identities of software components that are executing on the CPU.

23. For execution on a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system, the computer system further maintaining a boot log that holds identities of software components that are currently executing, a computer program stored on one or more computer-readable storage media of the computer system, the program causing the CPU to, when executing the program:
- form an OS certificate containing the identity from the software identity register, information describing the operating system, and the CPU public key;
  
  sign the OS certificate using the CPU private key;
  
  form a generator seed from a CPU-specific secret, a user-supplied seed, and OS-specific data from the boot log; and
  
  generate a storage key based on a function of the generator seed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Dada; Beemnet W

Application Number

US11/615,266
Publication Number

US 20070118738A1
Time in Patent Office

704 Days
Field of Search

713164-167, 713/176, 713/193, 713/156, 713/175, 713/168, 380/44, 380/282, 380/286
US Class Current

380/44
CPC Class Codes

G06F 21/1011   to devices

G06F 21/445   by mutual authentication, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 2221/2103   Challenge-response

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2129   Authenticate client device ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

142 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links