Stateless attestation system

US 9,342,683 B2
Filed: 06/07/2013
Issued: 05/17/2016
Est. Priority Date: 01/07/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

requesting from a user computer access to a service of a first server over a network via a first operating environment;

receiving an attestation request from the first server, via the first operating environment, in response to requesting access to the service;

sending from the user computer a value of a secure counter, which is incremented during each interaction of the user computer with the first server, to an attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure counter value; and

sending a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and in response to the attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and

receiving access to the service in response to the first server verifying the attestation record received from the user computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level.

58 Citations

View as Search Results

14 Claims

1. A method comprising:
- requesting from a user computer access to a service of a first server over a network via a first operating environment;
  
  receiving an attestation request from the first server, via the first operating environment, in response to requesting access to the service;
  
  sending from the user computer a value of a secure counter, which is incremented during each interaction of the user computer with the first server, to an attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure counter value; and
  
  sending a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and in response to the attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and
  
  receiving access to the service in response to the first server verifying the attestation record received from the user computer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein sending the locally-stored attestation record further comprises:
    - obtaining the record from a trusted platform module (TPM) of the user computer.
  - 3. The method of claim 1, further comprising:
    - the user computer sending configuration information of the user computer to the attestation server to cause the attestation server to verify trustworthiness of the user computer based on the configuration information.
  - 4. The method of claim 3, further comprising:
    - the user computer sending a secure signature to the attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure signature.
  - 5. The method of claim 1, further comprising:
    - the user computer executing the first operating environment for performing general purpose operations and the second operating environment configured exclusively for providing a secure communication session, wherein operations performed in the first operating environment do not affect operation of the second operating environment.

6. An article of manufacture comprising a non-transitory computer readable storage medium that stores instructions, which when executed cause a computing device to perform operations including:
- requesting from a user computer access to a service of a first server over a network via a first operating environment;
  
  receiving an attestation request from the first server, via the first operating environment, in response to requesting access to the service;
  
  sending from the user computer a value of a secure counter, which is incremented during each interaction of the user computer with the first server, to an attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure counter value; and
  
  sending a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and in response to an attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and
  
  receiving access to the service in response to the first server verifying the attestation record received from the user computer.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The article of manufacturer of claim 6, wherein the instructions for sending the locally-stored attestation record further comprise instructions for obtaining the record from a trusted platform module (TPM) of the user computer.
  - 8. The article of manufacture of claim 6, further comprising instructions for the user computer sending configuration information of the user computer to the attestation server to cause the attestation server to verify trustworthiness of the user computer based on the configuration information.
  - 9. The article of manufacture of claim 8, further comprising instructions for the user computer sending a secure signature to the attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure signature.
  - 10. The article of manufacture of claim 7, further comprising instructions forthe user computer executing the first operating environment for performing general purpose operations and the second operating environment configured exclusively for providing a secure communication session, wherein operations performed in the first operating environment do not affect operation of the second operating environment.

11. A computer system comprising:
- a secure storage device to store an attestation record locally at the computer system, the attestation record received from an attestation server; and
  
  a network interface device to communicate from the computer system over a network to the attestation server and a first server separate from the attestation server, the computer system configured to, via the network interface device,request from a user computer access to a service of a first server over a network via a first operating environment;
  
  receive an attestation request from the first server, via the first operating environment, in response to requesting access to the service;
  
  send a value of a secure counter from the user computer configured to receive the attestation record via the network interface device, which is incremented during each interaction of the user computer with the first server, to the attestation server, wherein the attestation server is to verfy trustworthiness of the computer based on the secure counter value; and
  
  send a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and is received via the network interface device in response to the attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment locally stored attestation record is previously received from an attestation server separate from the first server, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and
  
  receive access to the service in response to the first server verifying the attestation record received from the user computer.
- View Dependent Claims (12, 13, 14)
- - 12. The computer system of claim 11, wherein the computer system is further configured to obtain the record from a trusted platform module (TPM) of the user computer to send via the network interface device.
  - 13. The computer system of claim 11, further comprising the user computer configured to receive the attestation record via the network interface device in response to sending configuration information to the attestation server, wherein the attestation server is to verify trustworthiness of the user computer based on the configuration information.
  - 14. The computer system of claim 13, further comprising the user computer configured to receive the attestation record via the network interface device in response to sending a secure signature to the attestation server, wherein the attestation server is to verify trustworthiness of the user computer based on the secure signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Weiss, Yoav, Bogner, Etay
Primary Examiner(s)
SCHMIDT, KARI L

Application Number

US13/913,104
Publication Number

US 20130276081A1
Time in Patent Office

1,075 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

Stateless attestation system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Stateless attestation system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links