1. Field of the Disclosure
The disclosure relates generally to a method and system for effecting an initial authentication of a device to which data may be securely distributed, in part by recording and measuring parameters that are not under the control of said device, including the installed environment in which said device is placed, and for verifying that the authentication of said device remains valid by monitoring changes to said measured parameters.
2. General Background
Device authentication is one known tool that is used for network security purposes. Device authentication may be described as based on storing and presenting credentials to obtain access to a network. Credentials may be based on an account/password combination, or on a digital authentication certificate, such as one conforming to the International Telecommunication Union (ITU) X.509 standard recommendation. One known problem with both the account/password combination and the digital certificate methods of authentication is that credentials based on these mechanisms may be presented from a device or system that is not the true owner of the credentials, yet may nevertheless be authenticated as valid, thus improperly granting access to the presenting device. For example, the known good credentials of a system could be transported to a rogue system that would be able to use the credentials to authenticate itself. Thus, from an authentication perspective, nothing prevents theft or other falsification of the credentials, because standard device authentication only evaluates the validity of the credentials being presented, without being able to determine whether the presenter should be permitted to use the credentials.
Thus, automatically identifying and authenticating an electronic device in a secure manner typically involves assigning the device an identity certificate, such as an X.509 certificate. However, as described above, the use of such a certificate on its own may present security challenges, such as ensuring that a particular device's certificate is not copied or moved to a counterfeit or rogue device, or that the device itself has not been moved from the intended environment to another, unintended and possibly untrusted environment. Accordingly, it is desirable to address the limitations in the art. For example, there exists a need for a system and method for the secure delivery of content, which allows for secure delivery of content to a secure device, and which does not rely solely on mechanisms such as X.509 certificates to ensure authentication. As another example, there exists a need for the ability to verify that the networked environment of an authenticated device to which data may be securely distributed has not been modified without authorization, in part by recording and measuring parameters that are not under the control of said device.
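The limitation described above can be shown in a few lines. The following is an added example, not code from the disclosure: an HMAC tag stands in for an X.509 signature, and the measured parameters (`switch_port`, `gateway_id`, `rtt_ms`) and the tolerance are hypothetical choices of values a verifier could observe without relying on the device.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; stands in for a CA signing key

def issue_credential(device_id):
    """Issue a bearer credential (HMAC tag as a stand-in for an X.509 signature)."""
    tag = hmac.new(ISSUER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "tag": tag}

def credential_valid(cred):
    """Standard check: is the credential genuine? Says nothing about who presents it."""
    expected = issue_credential(cred["device_id"])["tag"]
    return hmac.compare_digest(expected, cred["tag"])

BASELINES = {}  # device_id -> environment measured by the verifier at enrollment

def enroll(cred, observed):
    """Initial authentication: record the verifier-side measurements as the baseline."""
    if not credential_valid(cred):
        raise ValueError("invalid credential")
    BASELINES[cred["device_id"]] = dict(observed)

def authenticate(cred, observed, rtt_tolerance_ms=2.0):
    """Return (accepted, changed_parameters) for a presented credential."""
    if not credential_valid(cred):
        return False, ["credential"]
    baseline = BASELINES.get(cred["device_id"])
    if baseline is None:
        return False, ["not_enrolled"]
    changed = [k for k in ("switch_port", "gateway_id") if observed.get(k) != baseline[k]]
    if abs(observed.get("rtt_ms", float("inf")) - baseline["rtt_ms"]) > rtt_tolerance_ms:
        changed.append("rtt_ms")
    return not changed, changed

# Constructed sample data: hypothetical parameters measured by the verifier,
# not reported by the device.
CRED = issue_credential("device-0042")
HOME = {"switch_port": "sw3/17", "gateway_id": "gw-a", "rtt_ms": 1.4}
ROGUE = {"switch_port": "sw9/02", "gateway_id": "gw-b", "rtt_ms": 23.0}
enroll(CRED, HOME)

if __name__ == "__main__":
    stolen = dict(CRED)  # the same credential, copied to another device
    print(credential_valid(stolen))                     # credential check alone passes
    print(authenticate(CRED, {**HOME, "rtt_ms": 1.9}))  # enrolled environment, small drift
    print(authenticate(stolen, ROGUE))                  # same credential, changed environment
```

The copied credential passes `credential_valid` unchanged; only the comparison against the baseline recorded at enrollment distinguishes the two presentations.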