Platform authentication strategy management method and device for trusted connection architecture

  • US 9,246,942 B2
  • Filed: 05/26/2011
  • Issued: 01/26/2016
  • Est. Priority Date: 07/30/2010
  • Status: Active Grant
First Claim

1. A platform authentication policy management method applicable to a trusted connection architecture, comprising:

  • step 1, configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and

    configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller;

    step 2, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second platform authentication policies, and then the evaluation policy server transmitting the configured second platform authentication policies to the TNC access point;

    step 3, the TNC access point generating and transmitting to the TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform authentication management policy of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;

    step 4, the TNC client, upon reception of the first set of component measurement request parameters and the platform evaluation policies for the access requester, obtaining a first set of component measurements corresponding to the first set of component measurement request parameters, generating protection policies of the access requester corresponding to the first set of component measurement request parameters and transmitting the first set of component measurements, the received platform evaluation policies for the access requester and the generated protection policies of the access requester to the TNC access point;

    step 5, the TNC access point receiving and forwarding to the evaluation policy server the first set of component measurements, the platform evaluation policies for the access requester and the protection policies of the access requester transmitted from the TNC client;

    step 6, the evaluation policy server, for each component type identifier, transmitting the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers:

    information a which is the component measurements;

    information b which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access requester corresponding to the first set of component measurement request parameters; and

    information c which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;

    then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;

    if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester, then the evaluation policy server converging difference platform evaluation policies and component remediation information corresponding to respective component type identifiers into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and

    if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;

    step 7, if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC access point converging the component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;

    the TNC access point transmitting the component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and

    the TNC access point transmitting the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server in step 6 to the TNC client;

    step 8, the TNC client generating and transmitting to the TNC access point a platform authentication action recommendation of the access requester;

    step 9, the TNC access point transmitting the platform authentication action recommendation of the access requester to the respective corresponding upper integrity measurement collectors;

    wherein if the first set of component measurement request parameters are a part of the component measurement request parameters for the access requester, then:

    step 6 further comprises:

    the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information c, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information c and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information b; and

    step 7 further comprises:

    if parts of the component measurement request parameters for the access requester generated in respective rounds of the platform authentication protocol constitute all of the component measurement request parameters for the access requester, then the TNC access point converging component type-level platform evaluation results generated by the evaluation policy server in the respective rounds of the platform authentication protocol and converging difference platform evaluation policies and component remediation information generated by the evaluation policy server in the respective rounds of the platform authentication protocol into difference platform evaluation policies and component remediation information for the access requester;

    otherwise, the TNC access point initiating another round of the platform authentication protocol at the end of the current round of the platform authentication protocol;

    wherein:

    step 4 further comprises:

    generating a second set of component measurement request parameters for the access controller under the first platform authentication management policy of the access requester and the second platform evaluation policies for the access controller; and

    if the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then generating platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters under the second platform evaluation policies, wherein the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, and transmitting the generated information together to the TNC access point;

    step 5 further comprises:

    for a component measurement request parameter corresponding to each component type identifier in the second set of component measurement request parameters, the TNC access point obtaining component measurements of the access controller corresponding to the second set of component measurement request parameters; and

    the TNC access point generating platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters under the second platform configuration protection policies and transmitting the generated information together to the evaluation policy server;

    step 6 further comprises:

    for each component type identifier in the second set of component measurement request parameters, the evaluation policy server transmitting the following information to the corresponding upper integrity measurement verifiers:

    information d which is a second set of component measurements;

    information e which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters; and

    information f which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters;

    then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;

    next the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information f, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information f and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information e; and

    if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller, then converging the difference platform evaluation policies corresponding to the component type identifiers into difference platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, and converging the component remediation information corresponding to the component type identifiers into component remediation information for the access controller corresponding to the second set of component measurement request parameters; and

    if the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging the component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters and transmitting the generated information to the TNC access point;

    step 7 further comprises:

    if the TNC access point is not required to initiate another round of the platform authentication protocol, then generating and transmitting to the TNC client a platform authentication action recommendation of the access controller; and

    step 8 further comprises:

    if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller and the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC client converging the component type-level platform evaluation results corresponding to the respective component type identifiers generated by the evaluation policy server in step 6 in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters;

    the TNC client transmitting the component remediation information for the access controller corresponding to the second set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC client per component type identifier; and

    if the information transmitted from the TNC access point in step 7 comprises the platform authentication action recommendation of the access controller, then the TNC client transmitting the platform authentication action recommendation of the access controller to the respective corresponding integrity measurement collectors above the TNC client.
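The following is an added worked model of the convergence structure in steps 6 and 7 above; it is not code from the patent or any TNC implementation. It assumes dict-shaped policies and a simple "all"/"any" convergence rule, and shows attribute-level results converged to product level, then component type level, then platform level, with the evaluation policy server converging to platform level only when a type-level convergence policy is present and the TNC access point otherwise accumulating type-level results across partial rounds until every requested component type has been evaluated.

```python
def converge(results, rule):
    # Convergence rule assumed for this model: "all" = every child passes, "any" = one suffices.
    return all(results) if rule == "all" else any(results)

def imv_verify(meas, policy):
    # Verifier for one component type (information a + c): attribute results converged per product.
    products, remediation = {}, {}
    for seq, prod_pol in policy["products"].items():
        attr_results = []
        for attr, ref in prod_pol["attrs"].items():
            attr_results.append(meas.get(seq, {}).get(attr) == ref)
            if not attr_results[-1]:
                remediation.setdefault(seq, []).append(attr)  # failing attribute needs remediation
        products[seq] = converge(attr_results, prod_pol["rule"])
    return products, remediation

def eps_round(measurements, policies, platform_rule):
    # EPS, step 6: product -> type level per type; type -> platform level only if a type-level rule is given.
    type_results, remediation = {}, {}
    for type_id, policy in policies.items():
        prods, rem = imv_verify(measurements.get(type_id, {}), policy)
        type_results[type_id] = converge(list(prods.values()), policy["rule"])
        if rem:
            remediation[type_id] = rem
    platform = converge(list(type_results.values()), platform_rule) if platform_rule else None
    return type_results, remediation, platform

class AccessPoint:
    # TNC access point, step 7: accumulates type-level results over partial rounds, converges at the end.
    def __init__(self, requested_types, platform_rule):
        self.requested, self.platform_rule = set(requested_types), platform_rule
        self.type_results, self.remediation = {}, {}
    def absorb(self, type_results, remediation, platform):
        self.type_results.update(type_results)
        self.remediation.update(remediation)
        if platform is not None:  # EPS already converged (its policies carried the type-level rule)
            return platform
        if self.requested <= set(self.type_results):  # all rounds together cover the request
            return converge([self.type_results[t] for t in self.requested], self.platform_rule)
        return None  # partial coverage: the access point must initiate another round

# Constructed sample (values made up): two component types requested over two partial rounds.
POLICIES = {"os": {"products": {"kernel": {"attrs": {"version": "5.10", "secboot": "on"}, "rule": "all"}}, "rule": "all"},
            "av": {"products": {"scanner": {"attrs": {"sig_date": "2024-01"}, "rule": "all"}}, "rule": "all"}}
MEAS = {"os": {"kernel": {"version": "5.10", "secboot": "off"}}, "av": {"scanner": {"sig_date": "2024-01"}}}

def run_two_rounds():
    ap = AccessPoint(["os", "av"], platform_rule="all")
    first = ap.absorb(*eps_round({"os": MEAS["os"]}, {"os": POLICIES["os"]}, None))   # -> None
    second = ap.absorb(*eps_round({"av": MEAS["av"]}, {"av": POLICIES["av"]}, None))  # -> False
    return first, second, ap.remediation
```

The remediation dict that `run_two_rounds` returns is what step 7 routes to the integrity measurement collectors per component type identifier.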
