outline · – a client is a computing platform that can initiate communication with other clients...
TRANSCRIPT
![Page 1: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/1.jpg)
1
Trusted Computing Technologyand
Client-side Access Control Architecture
Acknowledgement: Some slides and diagrams are adapted from TCG Architecture Overview, Intel IDF Fall 03, and Boot Camp’s TCG 101 Presentation
Outline• Trusted Computing
– TCPA/TCG TPM– LT– NGSCB
• Client-side Access Control Architecture and Protocols using TC– Motivations– Architecture and Protocols– Applications– Related Work– Conclusions and Future Work
![Page 2: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/2.jpg)
2
Terminology• Trust
– “An entity can be trusted if it always behaves in the expected manner for the intended purpose.”
• Is the system what it claims to be?• Has the system been modified or compromised?• Is the system securely storing secrets such that they are
protected from adversaries?
• Entity– a platform, or an application or service running on a platform. – A platform can be a personal computer, personal digital assistant
(PDA), smart phone, etc. – A client is a computing platform that can initiate communication
with other clients to transfer or share data and resources
Trusted Computing• Traditional Client/Server Architecture
– Trust is on the server side.– Trust is obtained with multi layer protection mechanisms.
• Access control• Firewall• Intrusion detection/prevention system
– There is little trust on client side.• Clients are generally lightly protected.• Ubiquitous connectivity in clients• Attacks outpacing today’s protection models• Attack tools readily available
• Information resident on the client becomes susceptible to software-based attacks.– Malicious device drivers and kernels, misconfigured software ,
virus, Trojan horse, worms, spyware– Mismatch between security and high value of data in client
platforms.
![Page 3: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/3.jpg)
3
Trusted Computing
• Evolution of TC– software alone cannot provide an adequate
foundation.– Multics system– capability-based computers– Trust with security kernel based on military-
style security labels– Trust in application
• Totally depends on application• With privileged kernel
![Page 4: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/4.jpg)
4
Trusted Computing
• Recent TC activities:– TCPA/TCG Specifications– Hardware: Intel LT, AMD SEM, TrustedZone, etc– OS/Software: NGSCB– Provide trusted software execution within a single
platform– Provide platform-to-platform propagation of trust– For open systems– Mainly for client side platforms
Trusted Platform Module(TPM)
• Specified by TCPA/TCG• A chip on board
MCH
ICH
AGP
NetworkPort
LPC
TPM
CPU
RAM
BIOS
TPM is connected to the motherboard
![Page 5: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/5.jpg)
5
TPM
• Basic functions:– Cryptographic functions:
• Random number generation, RSA key generation and public key algorithm, etc.
– Hardware-based protection of secrets• Store root security key inside the TPM and never
release it– Integrity measurement, storage, and reporting– Sealed Storage– Remote attestation
TPM• Building blocks of a TPM
– trusted to work properly without additional oversight. – Trust in these components is derived from good
engineering practices, manufacturing process and industry review.
![Page 6: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/6.jpg)
6
Functional TPM Diagram• Root of Trust for Reporting RTR
– Provides cryptographic mechanism to digitally sign TPM state and information
• Root of Trust for Storage RTS– Provides cryptographic
mechanism to protect information held outside of the TPM
• Root of Trust for Measurement– Provided by platform to measure platform state– Defined by platform specification
• Interaction between RTR and RTS is important TPM capability
TPM
RTRRTR RTSRTS
Shielded LocationsShielded Locations
Protected CapabilitiesProtected
Capabilities
RTMRTM
TPM• TPM Credentials:
– Endorsement credential• The EK is a 2048-bit RSA key• One per platform • Issued by TPM manufacture• Provides attestation that this is a “genuine” TPM• Identities the TPM• Provides public key to encrypt the AIKs
• The EK only participates in two operations– Taking TPM ownership– Creation of Attestation Identity Keys
– There are mechanisms to change the EK
TPM
Platform
Platform Credential
Conformance Credential
Endorsement Credential
TPM
PCR
Endorsement Key (EK)
AttestationID Keys
Signature keys
Encryption keys
![Page 7: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/7.jpg)
7
TPM AIK• Attestation Identity Key (AIK) credentials
– Many per platform– Issued by privacy CAs– Identities AIKs– Provides alias of the platform– Provides platform authentication and attestation
• TPM Conformance credential• Platform credential
• Creation and distribution mechanism is not specified by TCG.
TPM
Platform
Platform Credential
Conformance Credential
Endorsement Credential
TPM
PCR
Endorsement Key (EK)
AttestationID Keys
Signature keys
Encryption keys
Platform
TPM
Certifying an AIK
AIK PubKey
1. Owner bundles into an AIK request:
• New AIK PubKey• Endorsement Cred,• Platform Cred,• Conformance Creds
1
3. TTP verifies Credentials
3
Endorsement Credential
2
2. Owner sends AIK request to P-CA
5
5. Signed AIK sent to TPM
4
4. TTP signs AIK
Endorsement Key (EK)
AttestationID Keys
Platform Credential
Conformance Credentials
Privacy CA(P-CA)Privacy CA
(P-CA)
![Page 8: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/8.jpg)
8
Persistent Keys
• Endorsement Key (EK)– Not part of the key
hierarchy• Storage Root Key (SRK)
– All keys are protected by this key
• Root of Key Hierarchy– Changed on new owner
TPM
Platform
Platform Credential
Conformance Credential
Endorsement Credential
TPM
PCR
EK AttestationID Keys
Signature keys
Encryption keys
SRK
TPM• Key Hierarchy
– Non-Migratable Keys :Permanently bound specific TPM, i.e., platform
– Migratable Keys: Can be migrated to other platforms
Storage Root Key(SRK)
Non-Migratable
Storage Key
Migratable Storage Key
Endorsement Key
Migratable Storage Key
Migratable Signing Key
Migratable Signing Key
Non-Migratable Storage Key
Non-Migratable
Signing Key
Migratable Signing or Storage Key
Attestation ID Keys
Migratable Signing or Storage Key
Protected by the RTS
Protected by the TPM
![Page 9: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/9.jpg)
9
TPM• Trusted Boot
– Each boot step is measured and stored– Each measurement event consists of:
• Measured values: integrity, configuration, state, etc. • Value digests: Hash of measured values
– Stored Measurement Log (SML): a sequence of measured values
– Value digests are stored in PCRs: • PCR[new]=SHA1{PCR[old] || measured value}• TPM v1.2 requires 24 PCRs
– Verification requires all SML entries and singed PCRs by an AIK
TPM• Measurement flow and execution flow
• Trust boundary is extended to include measured code.
• the target code is first measured before execution control is transferred.
![Page 10: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/10.jpg)
10
Transitive TrustRTM Component 1
Code
Data
Component 2Code
Data
Stored Measurement
Log 1. RTM measures component1
11
Event Structure1
Event Data
Extend Value
2. RTM creates event structure
22
3. RTM stores event in SML
33
4. RTM extends PCR with value
5. Comp1 measures component2
55
Event Structure2
Event Data
Extend Value
6. Comp1 creates event structure
66
7. Comp1 stores event in SML
88
8. Comp1 extends PCR with value
77
PCR1
PCR2
TPM 44
Verifying the Measurement Log
Stored Measurement
Log
5. Get PCR value from TPM6. Compare calculated value with PCR – mismatch indicates problem no information as to what the problem is
1. Read struct1 from SML
11 Event Structure1
Event Data
Extend Value
Compare values
2. Calculate PCR value
22
3. Read struct2 from SML
Event Structure2
Event Data
Extend Value
33
Expected Value
4. Calculate PCR value
44
55 66
PCR1
PCR2
TPM
![Page 11: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/11.jpg)
11
TPM• Sealed Storage:
– Use one or more PCR values in encryption– PCR(s) are part of the sealed message– Allows software to explicitly state the environment that can
Unseal– Sealed Data is inaccessible to any other environment
• Sealed Signing:– Signing message with a set of PCR values– The platform that signs a message meets specific configuration. – Signature is verified by
• Integrity of the message• Trusted PCR values when the signature was generated.
Sealing Data to the TPM• Send data, authorization
value and requested PCR value– Not the PCR value at the
time of sealing• TPM encrypts data to
create a bound blob– Including the request PCR
values• Blob stored outside TPM
LocalStorage
SealedData
AuthMaterial
Data
Config
Storage key
TPM
PCR
![Page 12: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/12.jpg)
12
Unsealing Data• Load sealed blob into TPM
– Send in authorization values to use storage key
• TPM decrypts blob• After decryption TPM validates
that current PCR values match requested PCR values in sealed blob
• Data only returned on matchLocal
StorageSealedData
AuthMaterial
Data
Storage key
TPM
PCR
TPM• Integrity reporting: attestation
– A challenge-response protocol– a platform (challenger) sends attestation challenge
message to another platform (attestor) – One or more PCR values are signed with an
attestation identity key protected by the TPM of theattestor and provided to the challenger.
• SML entries are attached.• AIK credential is attached.
– The challenger verifies this attestation• Re-generate the hash with values in SML• Evaluate credential• Compare the signed values with expected values
• Attestation = authentication + integrity
![Page 13: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/13.jpg)
13
Platform
TPM
Verifier
Using an AIK1
1. Service requested by Platform User
5. Evaluates trust in AIK
2
2. Challenger requests attestation
[PCR]
3. Integrity signed by an AIK3 4. Attestation sent to
challenger
4
6. Evaluate Platform’s Integrity
6
Attestation = Platform Integrity
signed by AIK
Privacy CA(P-CA)Privacy CA
(P-CA)5
AttestationID Keys
Privacy Models
• Don’t tell anyone anything– Works locally; no distributed trust
• Identity Service Provider (privacy CA)– Use a third-party for proof of identity
• Direct Proof– Prove identity directly without revealing
unique information• User decides which of these to use and
when – can use all or some in combination
![Page 14: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/14.jpg)
14
Identity Service Provider• A Web-based service that validates identity
– It gives you a key you can show to third parties to attest to an identity• Which identity depends on the service and needs
• Using the ISP model the MS nexus will:– Only release HW key/cert (EK) to certified/trusted
parties• Privacy CA
– These parties issue second-level keys• Attestation Identity Keys
Direct Proof• Zero Knowledge Proof (ZK)
– Prove that the system has knowledge of an important something
• Doesn’t reveal the actual piece of knowledge
• Direct Proof (DP)– A ZK proof that proves the association
between an hardware and AIK • Does not reveal the identity of the
specific hardware
![Page 15: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/15.jpg)
15
Direct Proof Process
• In DP the platform attests to it’s identity by proving that it has unique “knowledge” which only it can “know”– Can be used in a P2P model
• Two platforms validate each other• This would establish a session which uses an
identity– Which identity depends on the service and needs
• Using the DP model the MS nexus will never release HW key/cert to anyone
Increasing Increasing levels of levels of
protectionprotection
SoftwareSoftware-Only
Time
Smart Card
Anti-virus, passwords, VPN, firewall, SSL, etc.
User authentication, Portable HW key storage
Future Security Technologies
LaGrande Technology
HW-based security enables NGSCB
TPM Platform authentication, Fixed hardware key storageTodayToday
Requires Security Rooted in HardwareRequires Security Rooted in HardwareRequires Security Rooted in Hardware
Intel Safer ComputingAdvancing Platform Security
![Page 16: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/16.jpg)
16
LT• LT includes:
– Extended CPU: • Enable domain separation• Set policy for protected memory
– Chipset• Protected graphics and memory management
– Protected I/O:• Trusted channel between keyboard/mouse and trusted
software– TCG TPM v1.2
• Protect keys• Provide platform authentication and attestation
LT• High-level functions:
– Protected execution environments• Separation of processes, memory pages, and devices• Enforced by hardware
– Attestation: Prove platform properties• Hardware nature of the platform• Current running state and configurations • Provided by TPM
– Sealed storage• Provided by TPM
– Trusted channels and trusted paths• Secure channel between two applications• Secure path between application and human
– Trusted channel between keyboard and keyboard manager– Trusted channel between mouse and mouse manager– Trusted channel between graphics manager and display adaptor
![Page 17: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/17.jpg)
17
Platform Architectures• Bright side:
– Enable client side control after object/content distribution
– DRM technologies• Dark side:
– Platform owner loses partial control of the system
• A platform for multilateral security policies:
– Sadeghi and Stüble, Taming Trusted Platforms by Operating System Design, LNCS 2908.
![Page 18: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/18.jpg)
18
Related Work• Secure Boot:
– Arbaugh et al., Oakland97– Boot only signed and verified software
• Secure coporcessors – IBM 4758 crypto coprocessor– Closed system to run certified and signed software
• Behavior-based attestation– Haldar et al. USENIX04. – Trusted language-based VM
• Trusted operating systems– SELinux, Trusted Solaris, TrustedBSD– Security-enhanced kernel
Peer-to-Peer Access Control Architecture Using Trusted Computing Technology
Ravi Sandhu and Xinwen Zhang George Mason University
SACMAT05, June 1--3, 2005, Stockholm, Sweden
![Page 19: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/19.jpg)
19
Contributions
• Leverage access control architectures and mechanisms between platforms and users with TC
• Integrate user attributes into TC architecture
• Support a user's ability to roam between platforms by migrating subject identities and attribute certificates.
Motivations• Trust on client platform is needed in modern
systems and emerging applications– Distributed dissemination control (DCON)
• Health records of a patient may be transmitted from a primary physician to a consultant who can access them for some limited period of time and cannot transmit them to anyone else
– P2P VOIP application• Realtime protection of audio data in a platform
– conversation is not eavesdropped or illegally recorded. • Forward control of audio object (e.g., voice mail)
– Control the platform and user to forward
– M-commerce• electronic currency between peer platforms• payment systems for p2p e-commerce (e.g., micropayment,
mobile-payment)
![Page 20: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/20.jpg)
20
Motivations• Need new security model and architecture:
– Change of trust relation between client and server• No centralized and strongly protected server• Data located in general client platforms
– Location of policy enforcement changed: • Client-side policy enforcement needs trust
– Trust of platform and application• Dynamic environment • Software-based attacks
– Trusted user authentication and authorization in client platform– Trusted path from user to applications and vice versa.
• Spoofing and ``man-in-the-middle'' eavesdropping or modification attacks
• Trusted input from user to application• Trusted output from application to monitor
Architecture• Platform with trusted reference monitor (TRM)• Assumptions:
– Tamper resistent hardware– A homogeneous environment
• Each platform is equipped uniformly with necessary TC hardware.
Hardware
OS Kernel Space
OS User Space
Application2
SecureChannelApplication1
TrustedReference
Monitor
Secure Kernel
TrustedHardware
protected runtimeenvironment
SealedStorag
e
TPM Hardware
OS Kernel Space
OS User Space
ApplicationTrusted
ReferenceMonitor
Secure Kernel
Domain Manager
LaGrandeTechnology PCR
TPMPCR PCR PCR
![Page 21: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/21.jpg)
21
Available Credentials • TPM AIK pair (PKTPM.AIK, SKTPM.AIK)
– private key is protected by a TPM with SRK.– Public key is certified by a privacy CA.
• TRM key pair (PKTRM,SKTRM)– The private key is protected by the TPM.– The public key is certified by AIK.
• Application key pair (PKAPP,SKAPP)– Similar to TRM key pair
• TPM storage key(s) – Either the SRK of a TPM, or a key protected by the SRK– Protect TRM's credential – Protect secrets and policies
Functions of TRM• TRM.Seal(H(TRM),x):
– seals data x by TRM with integrity measurement of H(TRM).– x can only be unsealed under this TRM when the corresponding
PCR value is H(TRM).– In practical a set of PCRs may be included.
• TRM.GenerateKey(k)– generates a secret key k
• TRM.Attest(H(TRM), PKTRM) – Return {H(TRM) || PKTRM} SK_TPM.AIK
– Attestation response singed by AIK of TPM
![Page 22: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/22.jpg)
22
Architecture• Policy and Secret Distribution:
– Each object has a policy.– Object is encrypted with secret key before distribution.– Policy specifies what platform and application can access this object
• migratable or non-migratable policy
Hardware
OS Kernel Space
OS User Space
TrustedReference
Monitor
Secure Kernel
Hardware
OS Kernel Space
OS User Space
TrustedReference
Monitor
Secure Kernel
Attest Challenge
APP
Alice's Platform
Attest ResponsePolicy & Secrets
SealedStorage
TrustedHardware TPM Trusted
Hardware TPM
Access Request
Bob's Platform
Request: {OBJ_ID | H(APPB)} |}SK_{TPM_B.AIK}
Attest challenge
Attest response: {H(B.TRM) | PK_B.TRM}}SK_{TPM_B.AIK}
Verify attestationGenerate object encryption key k_OBJSeal k_OBJ
{k_OBJ | policy }PK_B.TRM
1
2
3
4
Verify H(APPB)
Seal k_OBJand policy
Architecture• Policy Enforcement in a client platform
– Only valid TRM can unseal the policy info and secret.– This valid TRM (specified by integrity measurement) can enforce the
policy.
View request: {OBJ}k_OBJ
Attest challenge
Attest response: {H(APPB) | PK_APPB}SK_{TPM.AIK}
Verify attestationGenerate session key k_s
APPB TRM1
2
3
4{k_s }PK_APPB, {OBJ}k_s
Update object attribute:viewTimes=viewTimes-1
Bob's Platform
APPB
Hardware
OS Kernel Space
OS User Space
TrustedReference
Monitor
Secure Kernel
Trusted Hardware
APPBSealedStorage
![Page 23: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/23.jpg)
23
Revocation• Revocation because of
– Trust revocation of a requesting application– Trust revocation of a TRM– Trust revocation of a platform
• Two approaches: – Push: Object owner sends updated policy to client
side– Pull: client side check policy update from object
owner– Both may have delayed revocation– Instant revocation needs centralized policy server
Support User Attributes• Each platform has a user agent (UA)
– Controlled by platform administrator– A key pair (PKUA,SKUA)
• Each user has an identity key pair (PKu, SKu)– Migratable key
• Identity and role certificates:
UserAgent
Hardware
OS Kernel Space
OS User Space
TrustedReference
Monitor
Secure Kernel
TrustedHardware TPM
{PK_u, H(UA),{PK_UA}SK_TPM.AIK } }SK.UA
{PK_u}SK.CA
{PK_u}SK.CA, H(UA),{PK_UA}SK_TPM.AIK } }SK.UA
{{PK_u}SK.ICA, Role}SK.RS
Identity CA Role Server
![Page 24: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/24.jpg)
24
Support User Attribute• Binding of identity and role certificates
– tightly-coupled binding: by signature– loosely-coupled binding: by other components
Identify Infoname, email, SSN
Public Key Infokey, algorithm, length
Other Infoserial no, issuer,
valid period,
ICA's Signature
IdentityCertificate
Binder InfoIdentity
Public KeyOther Info
Attribute InfoRole name,Group, Title
Other Infoserial no, issuer,
valid period,
Role Server's Signature
RoleCertificate
Support User Attribute• Role-based policy enforcement:
– TRM sends attestation challenge message to the UA.– UA responds with attestation information. – If the TRM trusts the running UA, it sends requesting
message for role information of the user.– The UA sends back the role certificate of the user.
• UA may submit the proof-of-possession for the corresponding private key of the identity public key
– Mutual attestation may be needed • UA needs to ensure that TRM does not release role
information. • Role certificate is private information of a user.
![Page 25: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/25.jpg)
25
Support User Attribute• Migration of User Credentials
– Identity credential and role credential are migratable.• Not bounded to specific platform• Can be moved or copied between platforms
– Destination platforms determined by identity owner (user)
UserAgent
Hardware
OS Kernel Space
OS User Space
TrustedReference
Monitor
Secure Kernel
TrustedHardware TPM
UserAgent
Hardware
OS Kernel Space
OS User Space
TrustedReference
Monitor
Secure Kernel
TrustedHardware TPM
Platform 1 Platform 2
User CredentialMigration
Attest challenge
Attest response: {H(UA2), PK_UA2}SK_TPM2.AIK
Verify attestationUnwrap SK_u
{SK_u}PK_UA2
1
2
3Wrap SK_u
Applications• Secure VOIP:
– Realtime Protection of Conversation• Secure channel between VOIP software and device driver• Attestation between TRM and VOIP software• Attestation between TRM and UA• Attestation between TRM and device driver
– Secure Storage and Forward of Voice Mail• A policy specifying authorized platform and user attribute• Similar to DCON
TrustedReference
Monitor
VoIP clientapplication
SoundCard
Driver
12
34
7
UserAgent
5 6
7
![Page 26: Outline · – A client is a computing platform that can initiate communication with other clients to transfer or share data and resources Trusted Computing • Traditional Client/Server](https://reader033.vdocuments.us/reader033/viewer/2022042406/5f20e5fe673ec96cf5488fa9/html5/thumbnails/26.jpg)
26
Related Work• Attestation-based policy enforcement
– Sailer et al. CCS04– Controlled access from client to server by attesting
client platform• P2P content distribution
– Schecheter et al. 03– Admission control by verifying platform and P2P
software
Summary• Architecture with TC to support peer-to-peer based access control• General architecture for client-side access control • Consider trust of platforms and applications in access control policy• Integrate user attributes in TC• Future work:
– Leverage security in other distributed systems using TC• P2P and Ad Hoc networks• Grid systems• Ubiquitous and pervasive computing environments
– Access control model with TC• A new model? • Fit in some component of existing model?