Stateless attestation system
First Claim
1. A method comprising:
requesting from a user computer access to a service of a first server over a network via a first operating environment;
receiving an attestation request from the first server, via the first operating environment, in response to requesting access to the service;
sending from the user computer a value of a secure counter, which is incremented during each interaction of the user computer with the first server, to an attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure counter value; and
sending a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and in response to the attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and
receiving access to the service in response to the first server verifying the attestation record received from the user computer.
Abstract
A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level.
58 Citations
14 Claims
1. A method comprising: (independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5)

6. An article of manufacture comprising a non-transitory computer readable storage medium that stores instructions, which when executed cause a computing device to perform operations including:
requesting from a user computer access to a service of a first server over a network via a first operating environment;
receiving an attestation request from the first server, via the first operating environment, in response to requesting access to the service;
sending from the user computer a value of a secure counter, which is incremented during each interaction of the user computer with the first server, to an attestation server to cause the attestation server to verify trustworthiness of the user computer based on the secure counter value; and
sending a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and in response to an attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and
receiving access to the service in response to the first server verifying the attestation record received from the user computer.
Dependent claims: 7, 8, 9, 10

11. A computer system comprising:
a secure storage device to store an attestation record locally at the computer system, the attestation record received from an attestation server; and
a network interface device to communicate from the computer system over a network to the attestation server and a first server separate from the attestation server, the computer system configured to, via the network interface device,
request from a user computer access to a service of a first server over a network via a first operating environment;
receive an attestation request from the first server, via the first operating environment, in response to requesting access to the service;
send a value of a secure counter from the user computer configured to receive the attestation record via the network interface device, which is incremented during each interaction of the user computer with the first server, to the attestation server, wherein the attestation server is to verify trustworthiness of the computer based on the secure counter value; and
send a locally-stored attestation record from the user computer to the first server via a second operating environment in response to the attestation request and is received via the network interface device in response to the attestation server verifying trustworthiness of the user computer, wherein the second operating environment is isolated from the first operating environment locally stored attestation record is previously received from an attestation server separate from the first server, and wherein the attestation record is stored locally in a secure storage device accessible via the second operating environment; and
receive access to the service in response to the first server verifying the attestation record received from the user computer.
Dependent claims: 12, 13, 14
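The exchange the independent claims describe, written out as a runnable simulation. This is an added example, not code from the patent or its assignee. It assumes the attestation record is authenticated with an HMAC key shared between the attestation server and the first (service) server as a stand-in for a signature, that the attestation server accepts a secure-counter value only if it is strictly greater than the last value it saw for that device, and that a trust level of at least 2 is required for service; all names, keys and device identifiers are constructed for the example. The scenario functions show why the pieces are there: the first server keeps no per-device state (the "stateless" part), a record copied out of secure storage together with a stale counter is refused by the attestation server, and a record whose trust level has been edited fails the MAC check.

```python
import hashlib
import hmac
import json

# Constructed assumptions for this example (not from the patent):
SHARED_KEY = b"constructed-demo-key"   # shared by attestation server and first server
TRUST_THRESHOLD = 2                    # minimum trust level the first server accepts


def mac_of(record: dict) -> str:
    """Authenticate a record with HMAC-SHA256 (stand-in for a signature)."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


class AttestationServer:
    """Issues records and holds the only per-device state: the highest
    secure-counter value accepted for each device."""

    def __init__(self):
        self.last_counter = {}

    def issue_record(self, device_id: str, trust_level: int) -> dict:
        record = {"device_id": device_id, "trust_level": trust_level}
        return {"record": record, "mac": mac_of(record)}

    def verify_counter(self, device_id: str, counter: int) -> bool:
        # The counter must advance strictly; a replayed or rolled-back value fails.
        if counter <= self.last_counter.get(device_id, 0):
            return False
        self.last_counter[device_id] = counter
        return True


class FirstServer:
    """The service server. It stores nothing about devices; trust is read
    from the authenticated record presented to it."""

    def handle_access_request(self) -> dict:
        return {"type": "attestation_request"}

    def grant_access(self, signed_record: dict) -> bool:
        record = signed_record["record"]
        if not hmac.compare_digest(mac_of(record), signed_record["mac"]):
            return False                       # forged or tampered record
        return record["trust_level"] >= TRUST_THRESHOLD


class SecureEnvironment:
    """Second operating environment: isolated from the rich OS, owns the
    secure storage holding the attestation record and the secure counter."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.counter = 0
        self.stored_record = None

    def store_record(self, signed_record: dict) -> None:
        self.stored_record = signed_record

    def release_record(self, attestation_server: AttestationServer):
        self.counter += 1                      # one increment per interaction with the first server
        if not attestation_server.verify_counter(self.device_id, self.counter):
            return None                        # attestation server did not vouch for this interaction
        return self.stored_record


class UserComputer:
    """First operating environment drives the exchange; the record leaves the
    secure environment only after the attestation server accepts the counter."""

    def __init__(self, device_id: str):
        self.secure_env = SecureEnvironment(device_id)

    def request_service(self, first_server: FirstServer, attestation_server: AttestationServer) -> bool:
        reply = first_server.handle_access_request()                 # claim elements 1-2
        if reply.get("type") != "attestation_request":
            return False
        signed = self.secure_env.release_record(attestation_server)  # elements 3-4
        if signed is None:
            return False
        return first_server.grant_access(signed)                     # element 5


def enrol(device_id: str, trust_level: int, attestation_server: AttestationServer) -> UserComputer:
    """Provisioning from the abstract: the attestation server assesses the
    device and hands it a record, which the device keeps in secure storage."""
    uc = UserComputer(device_id)
    uc.secure_env.store_record(attestation_server.issue_record(device_id, trust_level))
    return uc


def scenario_honest() -> bool:
    aserver, fserver = AttestationServer(), FirstServer()
    return enrol("dev-1", 3, aserver).request_service(fserver, aserver)


def scenario_replayed_counter() -> bool:
    # A copy of the record and the counter value it last used is presented
    # again; the attestation server refuses the non-advancing counter.
    aserver, fserver = AttestationServer(), FirstServer()
    uc = enrol("dev-1", 3, aserver)
    uc.request_service(fserver, aserver)               # legitimate use consumes counter value 1
    clone = UserComputer("dev-1")
    clone.secure_env.store_record(uc.secure_env.stored_record)
    clone.secure_env.counter = uc.secure_env.counter - 1   # increments back to the used value
    return clone.request_service(fserver, aserver)


def scenario_tampered_record() -> bool:
    # Raising the trust level inside the stored record invalidates its MAC.
    aserver, fserver = AttestationServer(), FirstServer()
    uc = enrol("dev-2", 1, aserver)
    uc.secure_env.stored_record["record"]["trust_level"] = 5
    return uc.request_service(fserver, aserver)


def scenario_low_trust() -> bool:
    aserver, fserver = AttestationServer(), FirstServer()
    return enrol("dev-3", 1, aserver).request_service(fserver, aserver)
```

Only `scenario_honest()` returns `True`; the other three return `False`. The design point worth noticing is the split of state: the attestation server remembers one integer per device, the first server remembers nothing, and the device's secure environment is the only place the record and counter live, so a compromise of the first operating environment alone yields neither.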
Specification