Research On Key Technology Of Trusted Authentication

Posted on: 2009-01-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Zhao
Full Text: PDF
GTID: 1118360242989836
Subject: Computer application technology

Abstract/Summary:
Application operation, shared servers and communication are three important aspects of information system security. In the "three vertical, three horizontal and two centers" assurance architecture for information systems, the authentication mechanism is the precondition for an information system to be accessed securely and efficiently. This thesis first applies trusted computing technology to authentication in order to achieve trusted authentication within the platform itself, from platform to platform, and from user to platform. We then study identity authentication on the trusted platform, key management for the trusted platform and some related technologies. The main contributions are as follows:

(1) A trusted computing platform can be constructed by using a TPM or TCM, which provides a root of trust for the hardware platform, operating system and applications. To ensure that the information system is trusted, both establishing the trusted chain and making trust transitive along it are challenging work. But most existing research on models in trusted computing theory focuses on how to compute trust in the information world, that is, how to apply the trust between people studied in sociology to a computing environment and so achieve trust in the information world. These models focus on trust relationships in sociology, which needs to change in order to provide a theoretical assurance for trusted computing. Following the root of trust and transitive trust defined by the TCG, we propose a theoretical model of the trusted chain by introducing noninterference theory into the domain of trusted computing. We then formalize and verify the model.

(2) In network communication, a terminal should attest its identity and configuration to the parties it communicates with. The shortcomings of the popular binary attestation are not only that it leaks information about the configuration of the platform, including hardware and software, but also that it requires the verifiers to know all possible "trusted" configurations of all platforms and to manage the upgrades and backups that change the configuration. An adversary can then easily attack the end system. This thesis proposes a new remote automated anonymous attestation scheme, which uses a property-based certificate instead of configuration information. The advantages of the scheme include hiding the identity of the platform by applying a signature, providing guidelines for system upgrade and backup in trust checking, and avoiding negotiation between the trusted platform and the trusted third party. Thus, this attestation scheme is more efficient and secure.

(3) Encryption is an efficient method of preventing secret information from leaking in an information system. In encryption, key management is one of the most important tasks. No matter how strong the encryption is, the whole information system collapses entirely if the secret key is released. Secret sharing schemes have been adopted to manage secret keys, but the existing secret sharing schemes are not efficient when distributing the secrets or updating the shadows. We propose a time-bound dynamic secret sharing scheme based on the XTR public key cryptosystem, which requires three times fewer exponentiation operations than the old scheme at the same security strength. In the scheme, no participant can share the secret outside the period of validity, and the dealer delivers nothing when participants update their shadows. The shadow update process is forward secure, and each participant shares many secrets with other participants while holding only one shadow. The security of the scheme is based on the security of Shamir's threshold scheme, the XTR discrete logarithm problem and the one-way hash function.

(4) Considering the authentication between users and terminals, we propose an identity-based digital signature algorithm for the XTR public key cryptosystem. XTR integrates most of the advantages of RSA and ECC without their limitations. An XTR key is shorter than an RSA key of equivalent security, and its key selection is much faster than that of ECC. Furthermore, an identity-based blind signature algorithm for the XTR public key cryptosystem is proposed. Its security is equivalent to solving the discrete logarithm problem in the XTR group. The new signature algorithms can be used in a wider field of applications. We prove the security of the signature algorithms and analyze their efficiency.

(5) A prototype of trusted authentication on the terminal is designed and implemented. Based on the Linux 2.6 kernel, we improve its trusted startup and implement user authentication in PAM, using two-factor authentication. The security administrator can use the management and authentication tool to configure the system according to the security requirements, security trade-offs and security assumptions. The security management center can set different access control policies according to different requirements.

To summarize the work above, the authentication mechanism is the precondition for an information system to be accessed securely and efficiently. In the thesis we discuss research on trusted authentication of the platform itself, trusted authentication between platforms, authentication between users and platforms, and related technologies. The principal achievements of this thesis present a new approach to the design and implementation of the trusted mechanism in high-level secure information systems.
Keywords/Search Tags:Information assurance, Trusted computing, Trusted authentication, Noninterference theory, Trusted chain, Remote attestation, Identity authentication, Secret sharing