Platform authentication strategy management method and device for trusted connection architecture
First Claim
1. A platform authentication policy management method applicable to a trusted connection architecture, comprising:
step 1, configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and
configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller;
step 2, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second platform authentication policies, and then the evaluation policy server transmitting the configured second platform authentication policies to the TNC access point;
step 3, the TNC access point generating and transmitting to the TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform authentication management policy of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy;
step 4, the TNC client, upon reception of the first set of component measurement request parameters and the platform evaluation policies for the access requester, obtaining a first set of component measurements corresponding to the first set of component measurement request parameters, generating protection policies of the access requester corresponding to the first set of component measurement request parameters and transmitting the first set of component measurements, the received platform evaluation policies for the access requester and the generated protection policies of the access requester to the TNC access point;
step 5, the TNC access point receiving and forwarding to the evaluation policy server the first set of component measurements, the platform evaluation policies for the access requester and the protection policies of the access requester transmitted from the TNC client;
step 6, the evaluation policy server, for each component type identifier, transmitting the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers:
information a which is the component measurements;
information b which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access requester corresponding to the first set of component measurement request parameters; and
information c which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;
then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester, then the evaluation policy server converging difference platform evaluation policies and component remediation information corresponding to respective component type identifiers into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and
if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;
step 7, if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC access point converging the component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;
the TNC access point transmitting the component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and
the TNC access point transmitting the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server in step 6 to the TNC client;
step 8, the TNC client generating and transmitting to the TNC access point a platform action recommendation of the access requester;
step 9, the TNC access point transmitting the platform authentication action recommendation of the access requester to the respective corresponding upper integrity measurement collectors;
wherein if the first set of component measurement request parameters are a part of the component measurement request parameters for the access requester, then:
step 6 further comprises:
the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information c, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information c and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information b; and
step 7 further comprises:
if parts of the component measurement request parameters for the access requester generated in respective rounds of the platform authentication protocol constitute all of the component measurement request parameters for the access requester, then the TNC access point converging component type-level platform evaluation results generated by the evaluation policy server in the respective rounds of the platform authentication protocol and converging difference platform evaluation policies and component remediation information generated by the evaluation policy server in the respective rounds of the platform authentication protocol into difference platform evaluation policies and component remediation information for the access requester;
otherwise, the TNC access point initiating another round of the platform authentication protocol at the end of the current round of the platform authentication protocol;
wherein:
step 4 further comprises:
generating a second set of component measurement request parameters for the access controller under the first platform authentication management policy of the access requester and the second platform evaluation policies for the access controller; and
if the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then generating platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters under the second platform evaluation policies, wherein the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, and transmitting the generated information together to the TNC access point;
step 5 further comprises:
for a component measurement request parameter corresponding to each component type identifier in the second set of component measurement request parameters, the TNC access point obtaining component measurements of the access controller corresponding to the second set of component measurement request parameters; and
the TNC access point generating platform configuration protection polices of the access controller corresponding to the second set of component measurement request parameters under the second platform configuration protection polices and transmitting the generated information together to the evaluation policy server;
step 6 further comprises:
for each component type identifier in the second set of component measurement request parameters, the evaluation policy server transmitting the following information to the corresponding upper integrity measurement verifiers:
information d which is a second set of component measurements;
information e which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters; and
information f which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters;
then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier;
next the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information f, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information f and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information e; and
if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller, then converging the difference platform evaluation policies corresponding to the component type identifiers into difference platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, and converging the component remediation information corresponding to the component type identifiers into component remediation information for the access controller corresponding to the second set of component measurement request parameters; and
if the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging the component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters and transmitting the generated information to the TNC access point;
step 7 further comprises:
if the TNC access point is not required to initiate another round of the platform authentication protocol, then generating and transmitting to the TNC client a platform authentication action recommendation of the access controller; and
step 8 further comprises:
if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller and the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC client converging the component type-level platform evaluation results corresponding to the respective component type identifiers generated by the evaluation policy server in step 6 in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters;
the TNC client transmitting the component remediation information for the access controller corresponding to the second set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC client per component type identifier; and
if the information transmitted from the TNC access point in step 7 comprises the platform authentication action recommendation of the access controller, then the TNC client transmitting the platform authentication action recommendation of the access controller to the respective corresponding integrity measurement collectors above the TNC client.
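As an added worked example (not code from the patent or from any TCA implementation), the following Python models the convergence hierarchy claim 1 describes: integrity measurement verifiers fold attribute-level results into component product-level results, the evaluation policy server folds those into component type-level results, and the platform-level result is produced by the evaluation policy server when its policy carries a component type-level convergence policy, or otherwise by the TNC access point, which also accumulates results across rounds when each round covers only part of the component measurement request parameters. Rule names, identifiers and sample measurements are constructed, and the protection policy (information b) is modelled simply as the set of attribute identifiers whose values the requester withholds.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

# Verdicts and the convergence rules applied at every level (attribute -> product -> type -> platform).
PASS, FAIL = "pass", "fail"
CONVERGENCE_RULES = {  # rule names are constructed for this example
    "all_pass": lambda vs: PASS if vs and all(v == PASS for v in vs) else FAIL,
    "majority": lambda vs: PASS if sum(v == PASS for v in vs) * 2 > len(vs) else FAIL,
}

@dataclass
class EvaluationPolicy:
    """Information c (or f): reference values plus the convergence rule chosen at each level."""
    expected: Dict[str, str]                      # attribute_id -> reference measurement
    attribute_convergence: Dict[str, str]         # product_seq -> rule for attribute -> product
    product_convergence: Dict[str, str]           # type_id -> rule for product -> type
    type_level_convergence: Optional[str] = None  # rule for type -> platform; set only if the EPS converges

@dataclass
class TypeResult:
    """What the EPS produces per component type identifier (step 6)."""
    type_id: str
    product_results: Dict[str, str]  # component product-level results
    type_result: str                 # component type-level result
    difference_policy: List[str]     # attribute ids that missed the policy (constructed reading of the term)
    remediation: List[str]           # component remediation information

def imv_evaluate(products: Dict[str, Dict[str, Optional[str]]], withheld: Set[str],
                 policy: EvaluationPolicy) -> Tuple[Dict[str, str], List[str], List[str]]:
    """IMV for one type id: attribute verdicts converged per product (rule from information c); information b = withheld ids."""
    product_results, difference, remediation = {}, [], []
    for seq, attrs in products.items():
        verdicts = []
        for attr_id, value in attrs.items():
            hidden = attr_id in withheld or value is None  # protection policy keeps the value back
            ok = not hidden and policy.expected.get(attr_id) == value
            verdicts.append(PASS if ok else FAIL)
            if not ok:  # feed the difference policy and remediation information for the requester
                difference.append(attr_id)
                remediation.append(f"{seq}/{attr_id}: " + ("value withheld by protection policy" if hidden
                                   else f"expected {policy.expected.get(attr_id)!r}, got {value!r}"))
        product_results[seq] = CONVERGENCE_RULES[policy.attribute_convergence[seq]](verdicts)
    return product_results, difference, remediation

def eps_evaluate(measurements: Dict[str, Dict[str, Dict[str, Optional[str]]]], withheld: Set[str],
                 policy: EvaluationPolicy) -> Tuple[List[TypeResult], Optional[str]]:
    """EPS (step 6): IMV per type id, then product -> type level; platform level only if the policy has a type-level rule."""
    type_results = []
    for type_id, products in measurements.items():
        product_results, diff, rem = imv_evaluate(products, withheld, policy)
        type_verdict = CONVERGENCE_RULES[policy.product_convergence[type_id]](list(product_results.values()))
        type_results.append(TypeResult(type_id, product_results, type_verdict, diff, rem))
    platform_result = None
    if policy.type_level_convergence is not None:  # otherwise the TNC access point converges (step 7)
        platform_result = CONVERGENCE_RULES[policy.type_level_convergence]([t.type_result for t in type_results])
    return type_results, platform_result

class AccessPoint:
    """TNC access point (steps 3, 7): accumulates type-level results over rounds and converges to platform level if the EPS did not."""
    def __init__(self, all_type_ids: Set[str], fallback_rule: str = "all_pass"):
        self.pending = set(all_type_ids)          # component types not yet covered by any round
        self.type_results: List[TypeResult] = []
        self.fallback_rule = fallback_rule        # rule the access point applies at type -> platform level
    def complete_round(self, type_results: List[TypeResult], eps_result: Optional[str]) -> Optional[str]:
        self.type_results.extend(type_results)
        self.pending -= {t.type_id for t in type_results}
        if self.pending:
            return None  # another round of the platform authentication protocol is needed
        if eps_result is not None:
            return eps_result  # the EPS already converged at type level in step 6
        return CONVERGENCE_RULES[self.fallback_rule]([t.type_result for t in self.type_results])
    def remediation(self) -> Dict[str, List[str]]:
        """Converged component remediation information for the access requester, per type id (step 7)."""
        return {t.type_id: t.remediation for t in self.type_results if t.remediation}

# Constructed sample data: reference values and a request split over two rounds by component type.
POLICY = EvaluationPolicy(
    expected={"kernel_hash": "h-kernel-1", "av_engine": "7.2", "av_signatures": "2024-05", "av_vendor_id": "vendor-x"},
    attribute_convergence={"kernel-0": "all_pass", "av-0": "all_pass", "av-1": "all_pass", "av-2": "majority"},
    product_convergence={"os_kernel": "all_pass", "antivirus": "majority"},
)
ROUND_1 = {"os_kernel": {"kernel-0": {"kernel_hash": "h-kernel-1"}}}
ROUND_2 = {"antivirus": {
    "av-0": {"av_engine": "7.2", "av_signatures": "2024-05"},
    "av-1": {"av_engine": "7.2", "av_signatures": "2024-01"},                          # stale signatures
    "av-2": {"av_engine": "7.2", "av_signatures": "2024-05", "av_vendor_id": None},   # withheld attribute
}}

def run_two_round_example() -> Tuple[Optional[str], str, Dict[str, List[str]]]:
    """Partial parameters per round: the access point, not the EPS, converges to the platform level."""
    ap = AccessPoint({"os_kernel", "antivirus"})
    first = ap.complete_round(*eps_evaluate(ROUND_1, set(), POLICY))  # None: round 2 still outstanding
    final = ap.complete_round(*eps_evaluate(ROUND_2, {"av_vendor_id"}, POLICY))
    return first, final, ap.remediation()

def run_single_round_example() -> Optional[str]:
    """All parameters in one round with a type-level rule present: the EPS returns the platform result."""
    strict = replace(POLICY, type_level_convergence="all_pass")
    return eps_evaluate({**ROUND_1, **ROUND_2}, {"av_vendor_id"}, strict)[1]
```

The two-round run ends in a platform-level pass because the antivirus type-level policy is a majority rule, while the remediation information still carries the stale-signature and withheld-attribute findings back to the requester.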
Abstract
Provided are a platform authentication strategy management method for a trusted connection architecture (TCA), and the trusted network connection (TNC) client, TNC access point and evaluation strategy service provider that implement the method in the TCA. In the embodiments of the present invention, the platform authentication strategy for the access requester can be configured in the TNC access point or the evaluation strategy service provider, and the platform authentication strategy for the access requester configured in the evaluation strategy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation strategy can be executed in the TNC access point or the evaluation strategy service provider, so that the implementation of TCA platform authentication has good application extensibility.
36 Citations
14 Claims
-
1. A platform authentication policy management method applicable to a trusted connection architecture, comprising:
-
step 1, configuring, on a Trusted Network Connection, TNC, client, first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; and configuring, on a TNC access point or an evaluation policy server, second platform authentication policies comprising a platform authentication management policy of the access controller, platform configuration protection policies of the access controller, platform evaluation policies for the access requester and a platform authentication action recommendation generation policy of the access controller; step 2, if the second platform authentication policies are configured on the evaluation policy server, then the TNC access point requesting the evaluation policy server for the second platform authentication policies, and then the evaluation policy server transmitting the configured second platform authentication policies to the TNC access point; step 3, the TNC access point generating and transmitting to the TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform authentication management policy of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy; step 4, the TNC client, upon reception of the first set of component measurement request parameters and the platform 
evaluation policies for the access requester, obtaining a first set of component measurements corresponding to the first set of component measurement request parameters, generating protection policies of the access requester corresponding to the first set of component measurement request parameters and transmitting the first set of component measurements, the received platform evaluation policies for the access requester and the generated protection policies of the access requester to the TNC access point; step 5, the TNC access point receiving and forwarding to the evaluation policy server the first set of component measurements, the platform evaluation policies for the access requester and the protection policies of the access requester transmitted from the TNC client; step 6, the evaluation policy server, for each component type identifier, transmitting the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers; information a which is the component measurements; information b which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access requester corresponding to the first set of component measurement request parameters; and information c which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters; then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier; if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester, then the evaluation 
policy server converging difference platform evaluation policies and component remediation information corresponding to respective component type identifiers into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and
if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters;step 7, if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC access point converging the component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters; the TNC access point transmitting the component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and the TNC access point transmitting the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server in step 6 to the TNC client; step 8, the TNC client generating and transmitting to the TNC access point a platform 
action recommendation of the access requester; step 9, the TNC access point transmitting the platform authentication action recommendation of the access requester to the respective corresponding upper integrity measurement collectors; wherein if the first set of component measurement request parameters are a part of the component measurement request parameters for the access requester, then; step 6 further comprises;
the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information c, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information c and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information b; andstep 7 further comprises;
if parts of the component measurement request parameters for the access requester generated in respective rounds of the platform authentication protocol constitute all of the component measurement request parameters for the access requester, then the TNC access point converging component type-level platform evaluation results generated by the evaluation policy server in the respective rounds of the platform authentication protocol and converging difference platform evaluation polices and component remediation information generated by the evaluation policy server in the respective rounds of the platform authentication protocol into difference platform evaluation polices and component remediation information for the access requester;
otherwise, the TNC access point initiating another round of the platform authentication protocol at the end of the current round of the platform authentication protocol;wherein;
step 4 further comprises;
generating a second set of component measurement request parameters for the access controller under the first platform authentication management policy of the access requester and the second platform evaluation policies for the access controller; andif the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then generating platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters under the second platform evaluation policies, wherein the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, and transmitting the generated information together to the TNC access point; step 5 further comprises;
for a component measurement request parameter corresponding to each component type identifier in the second set of component measurement request parameters, the TNC access point obtaining component measurements of the access controller corresponding to the second set of component measurement request parameters; and
the TNC access point generating platform configuration protection polices of the access controller corresponding to the second set of component measurement request parameters under the second platform configuration protection polices and transmitting the generated information together to the evaluation policy server;step 6 further comprises;
for each component type identifier in the second set of component measurement request parameters, the evaluation policy server transmitting the following information to the corresponding upper integrity measurement verifiers: information d which is a second set of component measurements; information e which is a platform configuration protection policy corresponding to the component type identifier among the platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters; and information f which is a platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters; then the integrity measurement verifiers returning component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier; next the evaluation policy server converging the respective component product-level platform evaluation results corresponding to the component type identifier into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information f, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information f and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information e; and if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller, then converging the difference platform evaluation policies corresponding to the component type identifiers into difference platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, and converging the component remediation information corresponding to the component type identifiers into component remediation information for the access controller corresponding to the second set of component measurement request parameters; and
if the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converging the component type-level platform evaluation results corresponding to the component type identifiers into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters and transmitting the generated information to the TNC access point;
step 7 further comprises:
if the TNC access point is not required to initiate another round of the platform authentication protocol, then generating and transmitting to the TNC client a platform authentication action recommendation of the access controller; and
step 8 further comprises:
if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller and the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the TNC client converging the component type-level platform evaluation results corresponding to the respective component type identifiers generated by the evaluation policy server in step 6 in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters; the TNC client transmitting the component remediation information for the access controller corresponding to the second set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC client per component type identifier; and if the information transmitted from the TNC access point in step 7 comprises the platform authentication action recommendation of the access controller, then the TNC client transmitting the platform authentication action recommendation of the access controller to the respective corresponding integrity measurement collectors above the TNC client.
10. A client in a trusted connection architecture TNC, comprising:
a first configuring unit configured to receive configured first platform authentication policies comprising a platform authentication management policy of an access requester, platform configuration protection policies of the access requester, platform evaluation policies for an access controller and a platform authentication action recommendation generation policy of the access requester; a first obtaining unit configured, upon reception of a first set of component measurement request parameters and platform evaluation policies for the access requester, to obtain a first set of component measurements corresponding to the first set of component measurement request parameters, to generate protection policies of the access requester corresponding to the first set of component measurement request parameters and to transmit the first set of component measurements, the received platform evaluation policies of the access requester and the generated protection policies of the access requester to a TNC access point; and a first generating unit configured to generate and transmit to the TNC access point a platform action recommendation of the access requester; wherein the first generating unit is further configured to generate a second set of component measurement request parameters for the access controller under the first platform authentication policies of the access requester and second platform authentication policies of the access controller; wherein if the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then generating platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters under the second platform evaluation policies, wherein the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, and transmitting the generated information together to the TNC access point; the first obtaining unit is further configured, upon reception of the platform authentication action recommendation of the access controller, to transmit the platform authentication action recommendation of the access controller to the respective corresponding integrity measurement collectors above the TNC client; and if the second set of component measurement request parameters are all of the component measurement request parameters for the access controller and the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then the first generating unit is further configured to converge the component type-level platform evaluation results corresponding to the respective component type identifiers generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters; and the first generating unit is further configured to transmit the component remediation information for the access controller corresponding to the second set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC client per component type identifier.
12. A Trusted Network Connection, TNC, access point in a trusted connection architecture TNC, comprising:
a configuring unit configured to receive configured second platform authentication policies comprising a platform authentication management policy of an access controller, platform configuration protection policies of the access controller, platform evaluation policies for an access requester and a platform authentication action recommendation generation policy of the access controller;
or, when the second platform authentication policies are configured on an evaluation policy server, to request the evaluation policy server for the second platform authentication policies and to receive the second platform authentication policies transmitted from the evaluation policy server; a generating unit configured to generate and transmit to a TNC client a first set of component measurement request parameters and platform evaluation policies for the access requester under the platform configuration protection policies of the access controller and the platform evaluation policies for the access requester among the second platform authentication policies to initiate one round of a platform authentication protocol, wherein if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the platform evaluation policies for the access requester comprise a component type-level convergence platform evaluation policy; a forwarding unit configured to receive and forward, to the evaluation policy server, a first set of component measurements, the platform evaluation policies of the access requester and protection policies of the access requester transmitted from the TNC client; and an obtaining unit configured, when the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, for the TNC access point to converge component type-level platform evaluation results generated by the evaluation policy server in the current round of the platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters;
to transmit component remediation information for the access requester corresponding to the first set of component measurement request parameters to respective corresponding integrity measurement collectors above the TNC access point per component type identifier; and
to transmit the platform-level platform evaluation result for the access requester and the information transmitted from the evaluation policy server to the TNC client; wherein the obtaining unit is further configured to obtain component measurements of the access controller corresponding to a second set of component measurement request parameters; and
for the TNC access point to generate platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters under the second platform configuration protection policies and to transmit the generated information together to the evaluation policy server; and wherein the obtaining unit is further configured to transmit a component measurement request parameter corresponding to the component type identifier to the respective corresponding integrity measurement collectors above the TNC access point so that these integrity measurement collectors then return component measurements corresponding to the component type identifier to the TNC access point, and finally the TNC access point converges the received component measurements into component measurements of the access controller corresponding to the second set of component measurement request parameters; and the obtaining unit is further configured to receive a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters; and the obtaining unit is further configured to generate and transmit to the TNC client a platform authentication action recommendation of the access controller.
13. A platform evaluation server in a trusted connection architecture, TNC, comprising:
a receiving unit configured to receive a first set of component measurements; and an obtaining unit configured, for each component type identifier, to transmit the following information corresponding to the component type identifier in the first set of component measurements to corresponding upper integrity measurement verifiers: information a which is the component measurements; information b which is a platform configuration protection policy corresponding to the component type identifier among platform configuration protection policies of an access requester corresponding to a first set of component measurement request parameters; and information c which is a platform evaluation policy corresponding to the component type identifier among platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters; then these integrity measurement verifiers return component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier; if the first set of component measurement request parameters are all of component measurement request parameters for the access requester, then the difference platform evaluation policies and the component remediation information corresponding to these component type identifiers are converged into difference platform evaluation policies for the access requester and component remediation information for the access requester corresponding to the first set of component measurement request parameters; and
if the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then component type-level platform evaluation results corresponding to these component type identifiers are converged into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters; and if the first set of component measurement request parameters are all of the component measurement request parameters for the access requester and the platform evaluation policies for the access requester corresponding to the first set of component measurement request parameters do not comprise a component type-level convergence platform evaluation policy, then a TNC access point converges component type-level platform evaluation results generated by an evaluation policy server in the current round of a platform authentication protocol into a platform-level platform evaluation result for the access requester corresponding to the first set of component measurement request parameters; wherein the receiving unit is further configured to receive a second set of component measurements; and the obtaining unit is further configured, for each component type identifier in a second set of component measurement request parameters, to transmit the following information to corresponding upper integrity measurement verifiers: information d which is the second set of component measurements; information e which is a platform configuration protection policy corresponding to the component type identifier among platform configuration protection policies of the access controller corresponding to the second set of component measurement request parameters; and information f which is a platform evaluation policy corresponding to the component type identifier among platform evaluation policies of the access controller corresponding to the second set of component measurement request parameters; then these integrity measurement verifiers return component product-level platform evaluation results, a difference platform evaluation policy and component remediation information corresponding to the component type identifier; next the respective component product-level platform evaluation results corresponding to the component type identifier are converged into a component type-level platform evaluation result under the platform evaluation policy corresponding to the component type identifier among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, wherein a component product-level platform evaluation result corresponding to each component product sequence number corresponding to the component type identifier is generated by the integrity measurement verifiers converging respective component attribute-level platform evaluation results corresponding to the component product sequence number under a component attribute-level convergence platform evaluation policy corresponding to the component product sequence number in the information f, and each component attribute-level platform evaluation result corresponding to the component product sequence number is generated by the integrity measurement verifiers under a platform evaluation policy corresponding to the component attribute identifier corresponding to the component product sequence number in the information f and a platform evaluation policy corresponding to the component attribute identifier of the component product sequence number in the information e; and if the second set of component measurement request parameters are all of component measurement request parameters for the access controller, then the difference platform evaluation policies corresponding to these component type identifiers are converged into difference platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters, and the component remediation information corresponding to these component type identifiers is converged into component remediation information for the access controller corresponding to the second set of component measurement request parameters; and
if the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters comprise a component type-level convergence platform evaluation policy, then the evaluation policy server converges the component type-level platform evaluation results corresponding to these component type identifiers into a platform-level platform evaluation result for the access controller corresponding to the second set of component measurement request parameters under the component type-level convergence platform evaluation policy among the platform evaluation policies for the access controller corresponding to the second set of component measurement request parameters and transmits the generated information to the TNC access point.
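The hierarchical convergence that step 6 of claim 1 and claim 13 describe (component attribute-level results folded into product-level, type-level and then platform-level results, with the platform-level step left to the TNC access point or TNC client when the policies carry no component type-level convergence policy) is modelled below as an added Python illustration; it is not the patent's or any TNC implementation's code. The policy data layout, the "all"/"any"/("min", k) convergence rules, the reading of the protection policy as "attribute reported as a digest", and every sample measurement are assumptions constructed for this example.

```python
import hashlib

# Constructed sample data, not from the patent. Two component types; each holds
# component products keyed by product sequence number, each with attribute values.
EXPECTED_SIGDB = "av-sig-db-2024.3"
MEASUREMENTS = {
    "antivirus": {1: {"version": "7.2",
                      "sigdb": hashlib.sha256(EXPECTED_SIGDB.encode()).hexdigest()}},
    "firewall": {1: {"enabled": "yes"}, 2: {"enabled": "no"}},
}
# information e per type: attributes whose value is reported as a digest (assumed meaning)
PROTECTION = {"antivirus": {"sigdb": True}, "firewall": {}}
# information f per type: expected values plus the convergence policy at each level (assumed layout)
EVAL_POLICY = {
    "antivirus": {"products": {1: {"attributes": {"version": "7.2", "sigdb": EXPECTED_SIGDB},
                                   "attribute_convergence": "all"}},
                  "type_convergence": "all"},
    "firewall": {"products": {1: {"attributes": {"enabled": "yes"}, "attribute_convergence": "all"},
                              2: {"attributes": {"enabled": "yes"}, "attribute_convergence": "all"}},
                 "type_convergence": "any"},
}

def converge(results, policy):
    """Fold boolean results under an assumed convergence policy: 'all', 'any' or ('min', k)."""
    if policy == "all":
        return all(results)
    if policy == "any":
        return any(results)
    if isinstance(policy, tuple) and policy[0] == "min":
        return sum(results) >= policy[1]
    raise ValueError(f"unknown convergence policy {policy!r}")

def evaluate_attribute(reported, expected, protected):
    """Attribute-level result. A protected attribute arrives as a digest, so the verifier
    digests its own reference before comparing (assumed semantics of the protection policy)."""
    reference = hashlib.sha256(expected.encode()).hexdigest() if protected else expected
    return reported == reference

def evaluate_component_type(measurements, protection, policy):
    """Verifier plus evaluation-policy-server work for one component type identifier:
    attribute-level results are converged per product sequence number, then the
    product-level results are converged into the type-level result.
    Returns (type-level result, remediation info = failing attributes per product)."""
    product_results, remediation = [], {}
    for seq, product_policy in policy["products"].items():
        attr_results = {a: evaluate_attribute(measurements[seq][a], exp, protection.get(a, False))
                        for a, exp in product_policy["attributes"].items()}
        product_results.append(converge(list(attr_results.values()),
                                        product_policy["attribute_convergence"]))
        failing = [a for a, ok in attr_results.items() if not ok]
        if failing:
            remediation[seq] = failing
    return converge(product_results, policy["type_convergence"]), remediation

def evaluate_platform(measurements, protection, policies, type_convergence):
    """Platform-level step. With no component type-level convergence policy (None) the
    platform result stays None: per the claims it is then the TNC access point (access
    requester side) or the TNC client (access controller side) that converges the type results."""
    type_results, remediation = {}, {}
    for t, policy in policies.items():
        type_results[t], remediation[t] = evaluate_component_type(measurements[t], protection[t], policy)
    platform = None if type_convergence is None else converge(list(type_results.values()), type_convergence)
    return type_results, remediation, platform
```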
Specification