
Research On Trusted Network Connect Accessing Based On Trusted Certificates

Posted on: 2011-12-21  Degree: Master  Type: Thesis
Country: China  Candidate: X P Jia  Full Text: PDF
GTID: 2178360305954915  Subject: Computer application technology
Abstract/Summary:
With the rapid development of modern communication technology and the spread of computer networks, the Internet has become part of everyday life. Online office work and e-commerce are now used by many people; they have improved working efficiency and brought convenience to our lives. At the same time, security problems such as computer viruses, hacking and denial-of-service (DoS) attacks have inevitably appeared. These malicious activities consume large amounts of bandwidth and cause huge economic losses, and the development of the Internet has been hampered by them.

To address these problems, experts have proposed and designed many technologies and standards, such as firewalls and intrusion detection systems (IDS). However, the security landscape changes so quickly that new attacks are becoming more intelligent and more comprehensive. Traditional technologies, which can only defend passively, are no longer adequate: applied to high-traffic networks their performance and efficiency are unacceptable, and in some cases they themselves become the target of attackers. The Internet is vulnerable because of its openness and the weaknesses of its underlying protocols. Experts have therefore shifted their focus to improving the security state of each terminal in order to strengthen the robustness of the network as a whole. Methods such as security coprocessors, cryptographic accelerators and personal tokens have been proposed; each has its advantages, but none has been accepted by the market because of its own limitations.

Trusted Network Connect (TNC) is an architecture proposed by the Trusted Computing Group (TCG), founded by Microsoft, HP, Intel and others. Trust here can be understood in four aspects: the result is predictable, the state can be monitored, behaviour matches expectations, and anomalies can be controlled. The trusted computing platform on which TNC relies provides five features: random key generation, secure I/O, memory protection, sealed storage and remote attestation.

When a user requests access to a TNC network, the Policy Decision Point (PDP) initiates an integrity handshake to check whether the user's trusted information, such as the operating system and the state of security software, meets local policy, and then either authorizes the user or isolates it. TNC is an open architecture compatible with link-layer technologies such as 802.1X and security protocols such as SSL and IPsec, and it provides a complete security framework.

However, a reading of the TCG specifications shows that the theoretical research is far ahead of application and of current market demand. TNC's integrity measurement relies on a chip embedded in the motherboard, the Trusted Platform Module (TPM), which integrates RAM, ROM, flash, an RSA engine and a SHA-1 engine. Terminals without a TPM cannot be authorized to access a TNC network. The higher price of a PC with an embedded TPM and its related software will undoubtedly discourage users from buying one; TNC is not yet popular enough to persuade users who are unfamiliar with it, and for a user who does buy such a PC the extra money is wasted if he rarely uses a TNC network. Worse, if bugs are found in the embedded TPM or its software, vendors can only recall the machines to fix them, which is a huge loss for both users and vendors.

We propose a transition model that lets users without a TPM take part in TNC and reduces this loss. A new entity, the Trusted Information Certificate Authority (TICA), is added to the TNC scenario. Users visit the TICA web site to register and select the kind of certificate they want; the certificate kinds differ in validity period, access QoS, price and so on. The user then downloads the Trusted Information Collector (TIC), which collects the user's trusted information and sends it to TICA, where it is checked against the requirements of the selected certificate kind. If the requirements are met, TICA generates a certificate and returns it to the user, and TIC receives and stores it. The user then operates TIC to send the certificate to the Policy Decision Point and request authentication.

The PDP sends the user's certificate to TICA to check whether it is valid and then makes its final decision under the local security policy; the decision is enforced by the Policy Enforcement Point (PEP). Because validity is established by the PDP communicating with TICA rather than by trusting the certificate as presented, forged certificates and man-in-the-middle attacks are prevented. To provide more reasonable services, TICA can consult users when designing different kinds of certificates, which may differ in the QoS granted after authentication.

We describe this model in detail, including the entities in the scenario, the protocols and the communication process. We also discuss the open design of the trusted certificate and the possibility of applying it to services other than authentication. Finally we present the design of a prototype system and implement it under Linux, which demonstrates the feasibility and practicality of our model.
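The exchange described above, as an added illustration that is not the thesis's prototype code: the TIC collects the platform's trusted information, TICA checks it against the selected certificate class and issues a certificate, the PDP presents the certificate back to TICA for validation before applying its own local policy, and the PEP enforces the decision. The certificate classes, field names, policy thresholds, the HMAC tag TICA keeps for answering validity queries, and the revocation step are all assumptions; the abstract does not specify a certificate format.

```python
import hashlib
import hmac
import json
import secrets

# Assumed certificate classes; the thesis only says classes differ in validity
# period, QoS and price, so these names and thresholds are invented.
CERT_CLASSES = {
    "basic":   {"days": 30,  "qos": 1, "requires": {"av_running": True, "os_patch_level": 3}},
    "premium": {"days": 365, "qos": 3, "requires": {"av_running": True, "os_patch_level": 7}},
}

def meets(requirements, report):
    """True if every required trusted-information field is present and >= the minimum."""
    return all(report.get(k) is not None and report[k] >= v for k, v in requirements.items())

class TICA:
    """Trusted Information Certificate Authority: issues certificates and answers
    the PDP's validity queries, so the PDP never trusts a certificate as presented."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # TICA's secret; never leaves TICA
        self._issued, self._revoked = set(), set()
    def _tag(self, body):
        # Canonical JSON so issuance and later re-checks tag identical bytes.
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()
    def issue(self, user, cert_class, report, now):
        cls = CERT_CLASSES[cert_class]
        if not meets(cls["requires"], report):
            return None  # collected trusted information does not meet the class demand
        body = {"serial": len(self._issued) + 1, "subject": user, "class": cert_class,
                "qos": cls["qos"], "not_before": now,
                "not_after": now + cls["days"] * 86400, "report": report}
        self._issued.add(body["serial"])
        return {"body": body, "tag": self._tag(body)}
    def revoke(self, serial):
        self._revoked.add(serial)
    def validate(self, cert):
        """PDP -> TICA query: any field edited after issuance (e.g. 'qos') fails the tag."""
        serial = cert["body"].get("serial")
        if serial not in self._issued or serial in self._revoked:
            return False
        return hmac.compare_digest(self._tag(cert["body"]), cert["tag"])

class TIC:
    """Trusted Information Collector on the client: collects, stores, presents."""
    def __init__(self, user, platform):
        self.user, self.platform, self.cert = user, platform, None
    def enroll(self, tica, cert_class, now):
        report = dict(self.platform)  # constructed; a real TIC would probe OS and AV state
        self.cert = tica.issue(self.user, cert_class, report, now)
        return self.cert is not None
    def request_access(self, pdp, pep, now):
        return pep.enforce(pdp.decide(self.cert, now))

class PDP:
    """Policy Decision Point: validity window, TICA check, then local policy."""
    def __init__(self, tica, min_qos, local_requires):
        self.tica, self.min_qos, self.local_requires = tica, min_qos, local_requires
    def decide(self, cert, now):
        body = cert["body"]
        if not body["not_before"] <= now <= body["not_after"]:
            return ("isolate", "certificate outside validity period")
        if not self.tica.validate(cert):
            return ("isolate", "certificate rejected by TICA")
        if body["qos"] < self.min_qos:
            return ("isolate", "certificate class below local policy")
        if not meets(self.local_requires, body["report"]):
            return ("isolate", "trusted information fails local policy")
        return ("authorize", "ok")

class PEP:
    """Policy Enforcement Point: maps the PDP's decision to a network segment."""
    def enforce(self, decision):
        action, reason = decision
        return {"segment": "production" if action == "authorize" else "remediation", "reason": reason}

def demo(now=1_700_000_000):
    """Run the exchange for several constructed clients; returns each outcome."""
    tica, pep = TICA(), PEP()
    pdp = PDP(tica, min_qos=2, local_requires={"av_running": True, "os_patch_level": 5})
    healthy = {"os_patch_level": 8, "av_running": True}
    out = {}
    alice = TIC("alice", healthy)
    alice.enroll(tica, "premium", now)
    out["honest"] = alice.request_access(pdp, pep, now)
    bob = TIC("bob", healthy)
    bob.enroll(tica, "basic", now)
    out["basic"] = bob.request_access(pdp, pep, now)   # class too low for this PDP
    bob.cert["body"]["qos"] = 3                         # user edits the stored certificate
    out["forged"] = bob.request_access(pdp, pep, now)
    out["expired"] = alice.request_access(pdp, pep, now + 366 * 86400)
    tica.revoke(alice.cert["body"]["serial"])           # e.g. platform state changed
    out["revoked"] = alice.request_access(pdp, pep, now)
    carol = TIC("carol", {"os_patch_level": 2, "av_running": False})
    out["carol_enrolled"] = carol.enroll(tica, "basic", now)  # fails the class demand
    return out
```

Calling demo() returns the outcome of each case: the honest holder of a sufficient certificate lands on the production segment, a certificate whose QoS field was edited after issuance is rejected when the PDP queries TICA because the tag no longer matches the presented body, and expired or revoked certificates lead to isolation. Because validation depends on TICA's secret, the PDP must be able to reach TICA at decision time; binding the certificate to the presenting client so that a captured certificate cannot simply be replayed is a separate concern that the abstract does not detail.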
Keywords/Search Tags: Trusted Network Connect, Trusted Network Accessing, Trusted Certificate