Computer system employing dual-band authentication using file operations by trusted and untrusted mechanisms

摘要

A first machine (e.g., server VM) authenticates an untrusted second machine (e.g., new client VM) as a condition to performing or allowing a protected operation. An authentication identifier is written to a file of a file system using one mechanism, and then read from the file using another mechanism. One of the mechanisms is an untrusted mechanism employing the untrusted second machine, while the other is a trusted mechanism performed by the first machine either alone or in combination with a trusted management component that has privileged access to the file system. If the written and read values match, it can be inferred that the second machine is authentic, because the trusted management component has identified and accessed an existing file system that is also separately accessed by the second machine.