Research On Remote Attestation Technologies In Trusted Computing

With the development and widespread application of information technology, information security has been paid more and more attentions. In the international information security field, trusted computing technology with the goal of improving the security of computer systems has become one of the research hot spots, and remote attestation is one of the difficult and key issues in trusted computing research. How to make two nodes in a network to be able to determine the trust degree of the platform of the other party quickly and effectively before interaction, without leaking the configuration information of the platform, has become the key problem of remote attestation. In addition, wireless networks are more prone to attacks due to its openness, the secrecy and authentication technology of telecommunications are the primary problems of wireless network security to be solved urgently. How to add platform identity and integrality verification to mobile terminals and how to enhance the security of the wireless network access authentication protocols, under the condition of guaranteeing the user identity anonymity of mobile terminals, have become a new problem of wireless network access authentication. Aiming at the above problems, the main research works of this dissertation are as follows.(1) Aiming at the drawbacks of the DAA protocols in inter-domain attestation, the withdrawal of TPM certificates and the existence of Rudolph risk, a direct anonymous attestation protocol in inter-domain environment (RIDAA) is proposed. A new participant TA is added in the new protocol on the basis of the current three party DAA protocol. All TAs form a ring, so trust relationship between different trust domains is established by the TAs. And, this trust relationship is guaranteed by the ring formation and signature mechanism. After each TA attests the validity of the platform identity in its domain, the TA will issue a ring bill (ring signature) for the platform, and the bill can be attested by any verifier who has public key of the ring in other domains. Moreover, according to different situations of the trust domains the two authentication parties are located in, two solutions are given which can reduce the probability of Rudolph risk and one solution is given which can totally prevent the occurrence of Rudolph risk. The security of the protocol has been proved by RO model.(2) The remote attestation protocols based on attributes are investigated. Two typical representatives of attribute based protocols, PBA protocol and PBA-RS protocol, are analyzed in particular. The advantages and disadvantages of each protocol in maintenance of attribute certificate, privacy protection of platform configuration and applicability are pointed out. Aiming at these shortcomings, two new protocols, PBA-TS protocol and PBA-CS protocol, are proposed. In PBA-TS protocol, one certificate application mechanism based on ring signature is designed to substitute the certificate application mechanism with which the platform configuration is sent directly to the certificate issuer by plaintext in PBA protocol. Thereby, the privacy protection of platform configuration is enhanced. Secondly, a new withdrawal mechanism of attribute certificate is designed, which simplifies the current withdrawal procedure of the attribute certificate. PBA-CS protocol is a simplified version of PBA-TS protocol. The security of these two protocols has been proved by RO model.(3) Based on the above research work, to solve the problem that the platform identity of the wireless terminal is not authenticated in the current WLAN access authentication protocol, a WLAN trusted access authentication model based on single certificate is proposed. A WLAN wireless access authentication protocol based on single certificate is also proposed by using the above attribute-based PBA-TS protocol and reorganizing the identity-based key negotiation protocol. This new protocol realizes bi-directional authentication and validation of platform integrity between wireless terminal and trusted access point, and establishes the unicast dialog key and the encrypted authentication key between the two parties simultaneously. Through security analysis, the new authentication protocol has the security attributes of explicit key authentication, the perfect forward secrecy, S A forward secrecy, known key safety and non-key leak masquerade, and provides the authentication of the platform identity of wireless terminals and the protection of user identity and platform configuration.(4) An inter-domain roaming trusted access authentication protocol without certificate RAP-IR is proposed, which solves the problem that the proxy in other domains needs to authenticate the identity of a mobile terminal when the mobile terminal tries to access the resources of other networks. Besides the realization of user identity authentication of the mobile terminal, this protocol realizes the authentication of platform identity and platform integrity of the mobile terminal via attribute-based remote attestation. Meanwhile, the protocol creates the shared keys between the mobile terminal and the key distribution center, the mobile terminal and the local proxy, the mobile terminal and the external proxy, and the external proxy and the local proxy, respectively. These measures solve the problem that shared key needs to be encrypted twice in traditional key distribution. Moreover, mobile terminals communicate using anonymous identities during the whole process of roaming access authentication, each time accessing other networks a temporary identity is created and the symmetric keys established based on the temporary identity are different. All these improve the protection of the mobile terminal identity and the privacy of the transmission data. Finally, theoretical proof of the security and anonymity of this protocol are given by CK model and RO model.In this dissertation, the remote attestation in trusted computing is studied in detail, and some achievements are made, but further improvement and exploration are still necessary. There are plenty of research topics in trusted computing, and many other problems need to be further studied besides remote attestation.