Self regulation of the subject of attestation
First Claim
1. A method implemented within a self-regulating attestation client computing system and that includes one or more processors and memory storing instructions which, when executed by the one or more processors, implement the method for using a certificate of health from an attestation service to authenticate that the self-regulating attestation client computing system is currently healthy upon request, the method comprising the acts of:
- the computing system of the attestation client requesting a credential of health from an attestation service, the credential of health from the attestation service comprising a digital certificate or token that is signed by a public cryptographic key provided by the computing system, the request comprising an ordered attestation log as well as a proof of integrity and freshness of the ordered attestation log, the proof of integrity and freshness being implemented by the attestation service to verify the integrity and freshness of the log itself;
- the computing system receiving the credential of health from the attestation service, the credential of health uniquely identifying the computing system and certifying that the computing system was healthy when the computing system requested the credential of health and that the attestation service trusts the computing system to be healthy each time the computing system authenticates using the credential of health, such that the credential of health is only sent to and received by the computing system in response to the attestation service having verified the past health attestation of the computing system and, upon verifying the past health attestation of the computing system, the ability for the computing system to verify that the computing system will only use the credential of health when the computing system is currently in a healthy state and when the credential of health is not expired;
- the computing system receiving a request to use the credential of health to authenticate that it is currently healthy;
- the computing system verifying that it is currently healthy; and
- the computing system using the credential of health to authenticate that it is currently healthy.
Abstract
Attestation by a self-regulating attestation client. The attestation client sends an attestation service a request for a credential of health; the request includes an ordered attestation log and proof of integrity and freshness of the log. The attestation client receives the requested credential of health, which certifies that the attestation client was healthy when it requested the credential of health and that the attestation service trusts the attestation client to be healthy each time the attestation client authenticates using the credential of health. The attestation client receives a request to authenticate that it is healthy using the credential of health, verifies that it is currently healthy, and performs the requested authentication.
22 Claims
13. A method implemented within a computing system that includes one or more processors and memory storing instructions which, when executed by the one or more processors, implement the method for generating a credential of health for a self-regulating attestation client, the method comprising the acts of:
- the computing system receiving a request from a self-regulating attestation client for a credential of health, the credential of health from the attestation service comprising a digital certificate or token that is signed by a public cryptographic key provided by the computing system, the request comprising an ordered attestation log as well as a proof of integrity and freshness of the ordered attestation log, the proof of integrity and freshness being implemented by the attestation service to verify the integrity and freshness of the log itself;
- the computing system verifying that the self-regulating attestation client was healthy when the self-regulating attestation client requested the credential of health, based on the ordered attestation log and the proof of integrity and freshness of the ordered attestation log;
- the computing system verifying that the self-regulating attestation client is trusted to be healthy, each time the self-regulating attestation client authenticates using the credential of health, based on the ordered attestation log having information that verifies that the computing system is a self-regulating client that actively defends itself against malware and other untrusted code and verifies that the computing system will only use the credential of health when the computing system is currently in a healthy state and when the credential of health is not expired, and based on the proof of integrity and freshness of the ordered attestation log;
- the computing system generating the credential of health, the generated credential of health uniquely identifying the self-regulating attestation client and certifying both that the self-regulating attestation client was healthy when the self-regulating attestation client requested the credential of health and also that the attestation service trusts the self-regulating attestation client to be healthy each time in the future that the self-regulating attestation client authenticates using the credential of health; and
- the computing system sending the generated credential of health to the self-regulating attestation client.
20. A hardware storage device having stored thereon computing executable instructions that, when executed by one or more processors of a self-regulating attestation client computing system, implement a method for the computing system performing a self-regulated attestation of health, the method comprising the acts of:
- performing a measured boot of the computing system by loading one or more trusted boot-time components while recording information about the trusted boot-time components in an ordered attestation log;
- loading one or more trusted internal monitoring agents that enforce one or more security policies at the computing system and that protect the integrity of the computing system through enforcement of the security policies, while recording information about the identity of the trusted internal monitoring agents and the security policies in the ordered attestation log;
- generating a public cryptographic key and a private cryptographic key unique to the computing system and sending the public cryptographic key to an attestation service;
- sending a request for a credential of health to the attestation service, the credential of health from the attestation service comprising a digital certificate or token that is signed by the public cryptographic key provided by the computing system, the request including the ordered attestation log and proof of integrity and freshness of the ordered attestation log, the proof of integrity and freshness being implemented by the attestation service to verify the integrity and freshness of the log itself;
- receiving the credential of health from the attestation service, the credential of health indicating that the attestation service trusts the integrity of the measured boot of the computing system, that the attestation service trusts the computing system to defend itself to maintain a healthy state using the internal monitoring agents and the security policies, and that the attestation service trusts the computing system to use the credential of health to authenticate that it is currently healthy only when the computing system is in a healthy state, such that the credential of health is only sent to and received by the computing system in response to the attestation service having verified the past health attestation of the computing system and, upon verifying the past health attestation of the computing system, the ability for the computing system to verify that the computing system will only use the credential of health when the computing system is currently in a healthy state and when the credential of health is not expired;
- receiving a request to verify the health of the computing system;
- verifying that the computing system is currently healthy based on at least whether the computing system has violated any of the security policies; and
- using the credential of health and the private cryptographic key to authenticate that the computing system is currently healthy.
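The service side of claim 13 and the client side of claim 20, sketched as an added example that is not part of the patent text: a hash-chained ordered log, a nonce-bound quote as the proof of integrity and freshness, and the client's refusal to use the credential when it is unhealthy or the credential has expired. The class and function names, the event strings, the one-hour lifetime, and the use of HMAC under a shared device key in place of the public/private key pair are all assumptions.

```python
import hashlib
import hmac

def replay(log):
    """Fold the ordered log into one digest; any edit or reorder changes it."""
    digest = bytes(32)
    for event in log:
        digest = hashlib.sha256(digest + hashlib.sha256(event).digest()).digest()
    return digest

def sign(key, *parts):
    # Assumption: HMAC under a shared device key stands in for the private-key signature.
    body = b"".join(hashlib.sha256(p).digest() for p in parts)
    return hmac.new(key, body, hashlib.sha256).digest()

class AttestationService:
    def __init__(self, device_key, trusted_events):
        self.key, self.trusted = device_key, set(trusted_events)

    def issue(self, log, nonce, quote, now, ttl=3600):
        """Issue a credential only for a fresh, intact, fully trusted log."""
        if not hmac.compare_digest(sign(self.key, replay(log), nonce), quote):
            return None  # log edited or reordered, or quote made for another nonce
        kinds = {event.split(b":")[0] for event in log}
        if not set(log) <= self.trusted or not {b"agent", b"policy"} <= kinds:
            return None  # unknown component, or no monitoring agent and policy logged
        return {"id": hashlib.sha256(self.key).hexdigest()[:16], "expires": now + ttl}

class AttestationClient:
    def __init__(self, device_key, log):
        self.key, self.log, self.violations, self.cred = device_key, list(log), 0, None

    def quote(self, nonce):
        """Proof of integrity (log digest) and freshness (service-chosen nonce)."""
        return sign(self.key, replay(self.log), nonce)

    def authenticate(self, challenge, now):
        """Self-regulation: answer only while healthy and before expiry."""
        if self.cred is None or self.violations or now >= self.cred["expires"]:
            return None
        return sign(self.key, challenge, self.cred["id"].encode())

# Constructed sample log: measured boot entries, then agent and policy entries.
BOOT_LOG = [b"boot:loader-1", b"boot:kernel-1", b"agent:monitor-1", b"policy:signed-code-only"]

def demo(key=b"constructed-device-key", now=1000):
    service, client = AttestationService(key, BOOT_LOG), AttestationClient(key, BOOT_LOG)
    client.cred = service.issue(client.log, b"nonce-1", client.quote(b"nonce-1"), now)
    healthy = client.authenticate(b"challenge", now + 10) is not None
    client.violations += 1  # a monitoring agent reports a policy violation
    return healthy, client.authenticate(b"challenge", now + 20) is None
```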
Specification