
Research On The Remote Attestation For Trusted Networks

Posted on: 2016-04-08
Degree: Master
Type: Thesis
Country: China
Candidate: X M Wang
Full Text: PDF
GTID: 2308330461492696
Subject: Computer Science and Technology

Abstract/Summary:
Remote attestation is one of the important functions of a trusted computing platform. Users employ a TPM (Trusted Platform Module) or TCM (Trusted Cryptography Module) security chip to complete remote attestation of two things: the platform's identity and the platform's integrity status. In some respects, the TPM/TCM can be regarded as a cryptographic chip built specifically for remote attestation. Remote attestation can authenticate the trusted computing platform's hardware, firmware and software, and it can communicate with the remote party's platform to prove the software running at each layer of the software stack, and even the running status of a virtual machine. Remote attestation completes authentication of the security chip and certification of the platform's running state (that is, its integrity) at the same time, and it can greatly improve the security and reliability of network communication terminals. Remote attestation mainly consists of two parts: remote attestation of identity, and remote attestation of integrity.

First, regarding remote identification, the TCG organization suggests the Privacy CA scheme, in which the trusted computing platform obtains a certificate from a trusted third-party CA to show that the platform is safe and reliable. Later, Brickell proposed the Direct Anonymous Attestation (DAA) scheme based on the TPM, which uses cryptographic techniques such as zero-knowledge proofs and group signatures to prove the identity of the platform anonymously. In this paper, a cross-domain DAA algorithm is proposed on the basis of the original DAA algorithm. The algorithm satisfies the basic properties of DAA, namely anonymity, unforgeability and unlinkability. It uses the CL-LRSW group signature algorithm and, by introducing a cross-domain certificate issuer, provides a trusted platform that wants to cross domains with a cross-domain DAA certificate. By transitioning through the cross-domain DAA certificate, nodes in two different trust domains can authenticate each other, which effectively solves the problem that the original DAA scheme does not support multiple trust domains. Through experiments, this paper also measures the computational complexity and time consumption of the scheme, confirming its feasibility.

Second, regarding platform integrity proving, the author of this paper strengthens TNC@FHH in related theory and technology. TNC@FHH is based on an extension of the 802.1X authentication protocol. This paper studies the working principle of TNC@FHH and designs a usable trusted network access system. The trusted network access system checks whether the platform's identity (the user's name and password) is legal, and checks the platform's integrity status: the integrity of platform files, inserted USB disks, whether clamav is running, whether the antivirus software version is the latest, and whether the port state is legal. In addition to identity and integrity checking, the access system also provides an isolation-and-repair function for part of the integrity checks: for the illegal part of the integrity status it provides intelligent repair. For example, an expired antivirus software version forces the trusted computing platform to move from the trusted area into isolation, where it downloads the antivirus software RPM package from the isolation server to complete the restoration of the antivirus software. In addition, the access system also has a dynamic authentication function: the trusted platform reports its platform identity information every 6 seconds.
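The integrity checks and the trusted/isolation/denied decision described above, as an added illustration that is not the thesis' own code: the reference hashes, version number, allowed ports and the set of automatically repairable failures are constructed assumptions modelled on the antivirus RPM example.

```python
import hashlib
from dataclasses import dataclass

# Constructed reference policy for the access server (sample values, not from the thesis).
EXPECTED_FILE_HASHES = {
    "/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/bash\n").hexdigest(),
    "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
}
LATEST_AV_VERSION = (0, 103, 11)   # assumed "latest" clamav release
ALLOWED_PORTS = {22, 443}

# Failures the isolation server can repair automatically (assumption based on the
# thesis' example of refreshing an expired antivirus package from the isolation server).
REPAIRS = {
    "av_outdated": "download antivirus RPM from isolation server and update",
    "clamav_stopped": "start clamav service",
}

@dataclass
class PlatformReport:
    """Integrity measurements the platform sends at each (6-second) attestation."""
    file_hashes: dict      # path -> SHA-256 hex measured on the platform
    usb_disks: list        # device names of inserted USB disks
    clamav_running: bool
    av_version: tuple
    open_ports: set

def check_integrity(report):
    """Return the names of every integrity check the report fails."""
    failed = []
    for path, expected in EXPECTED_FILE_HASHES.items():
        if report.file_hashes.get(path) != expected:
            failed.append(f"file_modified:{path}")
    if report.usb_disks:
        failed.append("usb_disk_present")
    if not report.clamav_running:
        failed.append("clamav_stopped")
    if report.av_version < LATEST_AV_VERSION:
        failed.append("av_outdated")
    if report.open_ports - ALLOWED_PORTS:
        failed.append("illegal_ports")
    return failed

def decide_access(report):
    """Map failures to a zone: trusted, isolation (with repair steps) or denied."""
    failed = check_integrity(report)
    if not failed:
        return "trusted", []
    if all(name in REPAIRS for name in failed):
        return "isolation", [REPAIRS[name] for name in failed]
    return "denied", failed
```

Run `decide_access` on each periodic report; a platform whose only failure is an outdated antivirus package lands in isolation with the RPM repair step, while a modified system file or an unexpected open port is denied outright.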
Keywords/Search Tags: trusted networks, TNC, remote attestation