This invention relates to a system and method for verifying the authority and integrity of information, and more particularly to a system and method for verifying the authority and integrity of information when a public key is unavailable.
In the field of information technology (IT) management, a large number of computing platforms, such as personal computers, servers, communication devices, and mainframes can be networked together and managed by a single organization. The management of these platforms often requires remote installation and configuration of software. One problem associated with the remote installation and configuration of software is assuring that only authorized code and configuration commands are installed and executed on the platforms. Failure to address this problem can result in problems ranging in seriousness from having merely incompatible or untested applications installed on the platforms to having a malicious virus introduced into the network.
After networked platforms are installed and operational, a public key for the IT management organization responsible for maintaining the platforms is stored on each platform. This permits the IT management organization to affix a digital signature to software and commands sent to each platform. A digital signature is a device by which the source and integrity of transmitted information can be verified. Before the installation of software or the execution of commands, the digital signature is verified at the platform by using the public key for the IT management organization to confirm that the software or commands came from an authorized source.
Unfortunately, in today""s fast paced and heavily networked environments new platforms arriving directly from a manufacturer are constantly being connected to existing networks. These new platforms do not yet contain the public key for the IT management organization, so software and commands sent to the platform cannot yet be authenticated using public key cryptography. This is a problem when initial setup of a newly installed platform is performed remotely by an IT organization, since a few pieces of code and configuration commands must be installed on the platform to identify the responsible IT management organization by its public key for the first time. In essence, there is a window of time during which, for a newly installed platform, the standard mechanism for verifying the source and integrity of transmitted information and commands is unavailable.
For these and other reasons, there is a need for the present invention.
In one embodiment of the invention, a system includes a user platform, a communication channel, and a remote platform. The user platform authenticates information using a transformation value generated from the information. The remote platform transmits the information to the user platform via the communication channel.