| Trusted computing is a new security technology of information system. It enhances trust of the terminal by providing trust capabilities such as data integrity, secure storage and identity verification. A user could access to trusted services in trusted computing platform only if he was authorized. So authorization is a key process to achieve trusted for platform. Delegation is a new authorization manner to meet the demand in role backup and prililege separation. The basic idea behind delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former.TPM Specification supports delegation mechanism. There is a problem that TPM can not verify the current validation of delegation information efficiently. Besides, there are some security problems in delegation specific authorization protocol such as delegation blob replacement. Focus on these problems, this paper mainly researches related mechanism and betters the one in TPM specification to improve the security of delegation mechanism. It includes following three aspects.Firstly, a list of authorization data with its privilege and operating on this list is provided. Different from decentralized management in TCG delegation model, this manner is applied to manage delegation information centralized and can verify whether the delegation information is valid currently more effectively.Secondly, Merkle Hash Tree is applied to manage the delegation information centralized. The manner of operating on hash tree by TPM and host is also presented. It not only can verify the current validation of delegation information efficiently but also is not limited by storage and implementation capability of TPM.Thirdly, delegation authorization protocol is improved. Symmetric encryption algorithm, combine the verification of entity and capability and communication mechanism are applied to solve the problems of lack of confidentiality protection, delegation blob replacement and cognition inconsistency between mutual parts of session.The simulation experiment is introduced. Author codes and tests the pivotal function procedures based TPM_Emulator and TrouSerS, a TSS instance, in Linux environment. Then author programs commands and interfaces about delegation to implement the improved delegation mechanism and protocol mentioned above.Finally, the paper points out the future work. The more experiment is essential to be carried out. Delegation mechanism should be studied more deeply to optimize its performance. |
PDF Full Text Request