Reliability platform configuration measurement, authentication, attestation and disclosure

US 7,930,563 B2
Filed: 07/01/2008
Issued: 04/19/2011
Est. Priority Date: 04/09/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A platform configuration measurement device which comprises:

a platform configuration register (PCR) specified in a Trusted Computing Group specification, said PCR register configured for storing content relating to configuration information;

at least one processor configured to;

perform execution extension processing in which a predetermined operation of concatenation of an additional value to a content of the PRC register is performed on a content of the register by using a given additional value, a hash value is obtained by applying a predetermined hash function to a value obtained by the predetermined operation, and the hash value is set for anew content of the register;

obtain measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and for allowing the means for executing extension processing to execute the extension processing using the measured values as the additional values; and

executing extension processing using a random value as the additional value repeatedly at a predetermined time;

store a history of each extension processing in a log; and

memory for storing a platform configuration measurement program causing the processor to function to constitute the platform configuration measurement device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A platform configuration measurement device including: a configuration register; means for executing extension processing in which a predetermined operation is performed on a content of the configuration register by using a given additional value, a hash value is obtained by applying a predetermined hash function to a value obtained by the predetermined operation, and the hash value is set for a new content of the configuration register; and measurement extension means for obtaining measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and for allowing the means for executing extension processing to execute the extension processing using the measured values as the additional values, random extension means is provided for allowing the means for executing extension processing to execute the extension processing using a random value as the additional value.

8 Citations

View as Search Results

16 Claims

1. A platform configuration measurement device which comprises:
- a platform configuration register (PCR) specified in a Trusted Computing Group specification, said PCR register configured for storing content relating to configuration information;
  
  at least one processor configured to;
  
  perform execution extension processing in which a predetermined operation of concatenation of an additional value to a content of the PRC register is performed on a content of the register by using a given additional value, a hash value is obtained by applying a predetermined hash function to a value obtained by the predetermined operation, and the hash value is set for anew content of the register;
  
  obtain measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and for allowing the means for executing extension processing to execute the extension processing using the measured values as the additional values; and
  
  executing extension processing using a random value as the additional value repeatedly at a predetermined time;
  
  store a history of each extension processing in a log; and
  
  memory for storing a platform configuration measurement program causing the processor to function to constitute the platform configuration measurement device.
- View Dependent Claims (2, 3, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16)
- - 2. The platform configuration measurement device according to claim 1, wherein following the extension processing using the measured value as an additional value, extension processing is executed using the random value as an additional value.
  - 3. The platform configuration measurement device according to claim 1, wherein the register and the extension processing using measured value are a PCR register and extension processing specified in the TCG specification respectively.
  - 6. A platform configuration authentication device comprising:
    - the platform configuration measurement device of claim 1;
      
      means for sending a third party a content of the register of the device together with a log storing records of extension processes executed in the device, the content of the register and the log being digitally signed, in response to an authentication request including a nonce from a client;
      
      means for receiving a digitally signed credential sent from the third party in response to the sending action, the credential vouching for trustworthiness of a platform configuration according to the content of the register to be appended; and
      
      means for sending the client the received credential together with the digitally signed nonce and content of the register.
  - 7. A method of authenticating a platform configuration, comprising the steps of:
    - sending a third party a content of the register of the platform configuration measurement device of claim 6 together with a log storing records of extension processes executed in the device, the content of the register and the log being digitally signed, in response to an authentication request including a nonce from a client;
      
      receiving digitally signed credential sent from the third party in response to the sending action, the credential vouching for trustworthiness of a platform configuration according to the content of the register to be appended; and
      
      sending the client the received credential together with the digitally signed nonce and content of the register.
  - 8. A platform configuration attestation device comprising:
    - means for receiving a content of a register and a log sent from the platform configuration authentication device of claim 6;
      
      means for checking trustworthiness of a platform configuration according to the content of the register, based on the received content of the register and the received log; and
      
      means for sending the platform configuration authentication device a digitally signed credential which vouches for the trustworthiness of the platform configuration according to the content of the register to be appended to the credential.
  - 9. The platform configuration attestation device according to claim 8, wherein the checking means executes the checking on the basis of whether platform configuration stored in the log is reliable or not, and further whether a register value obtained by reproduction of each extension processing stored in the log is equal to a content of the register or not.
  - 10. A method of attesting a platform configuration, comprising the steps of:
    - by receiving means, receiving a content of the register and a log sent from the platform configuration authentication device of claim 6;
      
      by checking means, checking trustworthiness of a platform configuration according to the content of the register, based on the received content of the register and the received log; and
      
      by sending means, sending the platform configuration authentication device a digitally signed credential which vouches for the trustworthiness of the platform configuration according to the content of the register to be appended to the credential.
  - 11. A platform configuration disclosure device comprising:
    - the platform configuration measurement device of claim 1;
      
      means for sending a requester a content of the register of the device, in response to a request; and
      
      means for sending the requester a log storing records of extension processes executed in the device, with addition of a restriction depending on an attribute of the requester.
  - 12. A method of disclosing a platform configuration, comprising the steps of:
    - sending a requester a content of the register of the platform configuration measurement device of claim 1, in response to a request; and
      
      sending the requester a log storing records of extension processes executed in the device, with addition of a restriction on the contents depending on an attribute of the requester.
  - 14. A non-transitory program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for authenticating a platform configuration, said method steps comprising the steps of claim 7.
  - 15. A non-transitory program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for attesting a platform configuration, said method steps comprising the steps of claim 10.
  - 16. A non-transitory program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for disclosing a platform configuration, said method steps comprising the steps of claim 12.

4. A non-transitory computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing functions of a platform configuration measurement device, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer processor to perform steps of:
- using a platform configuration register (PCR register) specified in a Trusted Computing Group specification, the PCR register storing content relating to configuration information of a computing platform;
  
  using at least one processor configured to;
  
  execute extension processing in which a predetermined operation of concatenation of an additional value to the content of the PRC register is performed on the content of the register by using a given random value, a hash value is obtained by applying a predetermined hash function to a value obtained by the predetermined operation, and the hash value is set for a new content of the PRC register;
  
  store a history of each extension processing in a log;
  
  obtain measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and for executing the extension processing using the measured values as the additional values;
  
  perform random extension for executing extension processing to execute the extension processing using a random value as the additional value repeatedly at a predetermined time;
  
  send a third party content of the register together with a log storing records of extension processes executed in the device, the content of the register and the log being digitally signed, in response to an authentication request including a nonce from a client;
  
  receive a digitally signed credential sent from the third party in response to the send a third party content action, the credential vouching for trustworthiness of a platform configuration according to the content of the register to be appended;
  
  send to the client the received digitally signed credential with the digitally signed nonce and content of the register; and
  
  operate functioning for constituting the platform configuration measurement device.

5. A method for measuring a platform configuration, comprising the steps of:
- executing extension processing in which a predetermined operation is performed on a content of a register by using a given additional value, a hash value is obtained by applying a predetermined Hash function to a value obtained by the predetermined operation, and the hash value is set for a new content of the register;
  
  obtaining measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and executing the extension processing steps using the measured values as the additional values;
  
  storing a history of each extension processing in a log; and
  
  executing the extension processing step using a random value as the additional value repeatedly at a predetermined time.
- View Dependent Claims (13)
- - 13. An article of manufacture comprising a non-transitory computer usable medium having computer readable program code means embodied therein for causing measurement of a platform configuration, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to perform the steps of claim 5.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ebringer, Timothy David, Maruyama, Hiroshi, Munetoh, Seiji, Yoshihama, Sachiko
Primary Examiner(s)
Kim; Jung
Assistant Examiner(s)
Okeke; Izunna

Application Number

US12/165,908
Publication Number

US 20090070573A1
Time in Patent Office

1,022 Days
Field of Search

713/2, 713/193, 713/194, 713/169, 713/187, 713/175
US Class Current

713/194
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/645   using a third party

G06F 2221/2103   Challenge-response

G06F 2221/2115   Third party

G06F 2221/2129   Authenticate client device ...

G06F 2221/2153   Using hardware token as a s...

Reliability platform configuration measurement, authentication, attestation and disclosure

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Reliability platform configuration measurement, authentication, attestation and disclosure

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links