1 Introduction

With the rapid development of cloud computing, the Internet of Things and the mobile Internet, information technology has profoundly changed public administration and daily life, and ubiquitous information is now treated as an important digital asset of a nation, an enterprise or a person. Given widespread computer viruses, malicious software and increasingly sophisticated hacker techniques, these important assets face more and more practical threats. Building a trustworthy computing environment that maintains the confidentiality, integrity, authenticity and reliability of information is without doubt a primary security requirement of nations, enterprises and individuals. Traditional security technologies such as firewalls, IDS and virus defense usually focus on server-side computing platforms, so relatively vulnerable client-side terminals are gradually becoming the weak link of an information system. Against these requirements and threats, trusted computing (TC) technology aims to establish a trust transfer system by improving the security of the computer architecture, so as to ensure the security of the platform and solve the trust problems of man-to-program, man-to-computer and man-to-man.

Trusted computing is an emerging technology under this background. Up to now, there exist many different understandings of “trusted.” Several authoritative organizations, such as ISO/IEC, IEEE and TCG (Trusted Computing Group), have made efforts to establish their own explicit definitions [1–3]. TCG has further proposed a novel and widely accepted solution for enhancing the security of computer systems by embedding a TPM (Trusted Platform Module) into the hardware platform. In this book, our point of view is similar to that of TCG. We argue that a “trusted” computer system should always act in an expected way, and that this property can be achieved by a trusted computing environment established upon a dedicated security chip.

As early as the mid-1990s, some computer manufacturers began to research security solutions based on trusted computing technology. By adding a security chip to the computer hardware, these solutions implement a series of mechanisms, such as the root of trust, secure storage and the chain of trust, and achieve the security goal of a trusted computing environment. These technical schemes were widely accepted by the IT industry, and as a result TCPA (Trusted Computing Platform Alliance, a mainstream industry alliance for trusted computing technology) was founded in 1999. After TCPA published the TPM 1.1 specifications in 2001, trusted computing products from some mainstream IT manufacturers were gradually accepted by the market and the industry. In 2003, TCPA was renamed TCG and had about 200 members, including nearly all international mainstream IT manufacturers. The technical specifications proposed by TCG had already formed a systematic architecture covering major IT areas such as security chips, PCs, servers and networks, and four core specifications were accepted as ISO standards in 2009. By 2010, TPM had already become a standard component of laptops and desktops, and mainstream PC-related manufacturers such as Microsoft and Intel had also adopted trusted computing in their core products.

As a country with special security requirements and supervision rules, China has made achievements in both products and specifications of trusted computing. TCM, referred to as the DNA of Chinese information security, is the most important contribution of China to the trusted computing area. Based on its own cryptographic algorithms, China has established a TCM-centered specification architecture for its trusted computing technology. Broadly speaking, the development of Chinese trusted computing technology has undergone the following three phases.

From 2001 to 2005, China concentrated on tracking and absorbing the concepts of TCG technology. Manufacturers like Lenovo and SinoSun published TCG-compliant products, and Work Group 1 of the National Information Security Standardization Technical Committee (TC260) founded a special trusted computing workgroup that greatly promoted trusted computing standard research.

From 2006 to 2007, China established the architecture of its own trusted computing theory, technology and standards. In these years, China carried out research on a trusted computing technical solution based on its own cryptographic algorithms and proposed the “cryptographic application scheme for trusted computing.” China also set up a special workgroup on researching the application of trusted computing technology. Later, this group changed its name to China TCM Union (TCMU). TCMU published the TCM-centered specifications “Technical Specification of Cryptographic Support Platform for Trusted Computing” [4] and “Functionality and Interface Specification of Cryptographic Support Platform for Trusted Computing” in December 2007.

After 2008, China focused on promoting its trusted computing industry. A series of TCM products have been put on the market and well accepted by government, the military and civilian sectors. TCMU now has nearly 30 members, including Lenovo, Tongfang and NationZ, and has greatly promoted the Chinese trusted computing industry with the support of the Chinese government. By 2010, TCMU had established a comprehensive trusted computing industry system, including security chips, trusted computers, trusted networks, trusted applications and test/evaluation of trusted computing products. To promote the industrialization of trusted computing, the Special Committee of Information Security of the China Information Industry Association founded the China Trusted Computing Union (CTCU) in 2008.

1.1 Related Work

The purpose of trusted computing technology is to improve computer architecture by introducing a trusted computing security chip, so as to enhance the trustworthiness of common computing platforms and networks. TCG embeds a TPM into the PC or server motherboard and provides several novel security mechanisms [5]. Microsoft has started the NGSCB [6] plan. In NGSCB, a trusted execution environment based on a microkernel is built to enhance Windows security and privacy. Meanwhile, Intel is devoted to the TXT [7] hardware security technology, which implements trusted computing through a series of hardware components, including the CPU, chipset and I/O devices. China has also released its own security chip, TCM, and established the architecture of a cryptographic support platform for trusted computing.

To sum up, trusted computing technology, driven by the related industrial community, is undergoing a rapid development process. Meanwhile, the academic community also carries out trusted computing research and makes achievements related to trust of platforms, trust of networks, test/evaluation of trusted computing and so on. The basic idea of the related work is to establish trust in a single terminal platform, then to establish trust between platforms by remote attestation and finally to extend trust to the network.

1.1.1 Security Chip

The current mainstream architecture of trusted computing technology and specifications is proposed by TCG, whose history can be traced back to the 1990s. As the core of TCG trusted computing technology, the TPM specifications, first published in 2001, have been modified and upgraded iteratively. TPM mainly acts as the root of trust in a computing platform, provides key cryptographic functions and shielded storage locations and then builds a reliable computing platform with the help of other software/hardware. Currently, the TPM specifications have already been accepted by most IT giants. TPM products, usually acting as the core component of trusted applications and services, have already been widely deployed in various laptops, desktops, servers and other kinds of computing platforms.

Chinese trusted computing specifications were published in 2007, and corresponding products have appeared on the market since then. In general, TCM absorbs the concepts and architecture of international trusted computing technology, but there are great differences in the concrete design principles between these two kinds of products. On one hand, TCM adopts more secure and efficient elliptic curve cryptography (ECC) algorithms instead of RSA. On the other hand, TCM initiates several aspects of key technology for meeting Chinese local security and market requirements.

Recently, new trends in security chip technology have emerged. In 2006, the specification of the “Mobile Trusted Module” (MTM) was published by the TCG mobile workgroup. Compared with TPM and TCM, MTM is more flexible in implementation and deployment and concerns more stakeholders. Clearly, much importance is attached to new security chips being verifiable, upgradable and customizable. Furthermore, mainstream IT vendors propose several influential TC-related security technologies, including Intel TXT and ARM TrustZone. By complementing and coordinating with each other, these new achievements constitute a comprehensive technology architecture for establishing a reliable trusted execution environment.

1.1.2 Trust within a Terminal Platform

The main method to establish trust within a terminal platform is building a chain of trust. From the perspective of building time, building a chain of trust consists of two phases: trusted boot and OS measurement. From the perspective of building method, chains of trust can be categorized into static and dynamic ones. Up to now, most works in this aspect focus on OS measurement. Representatives of the early works include Copilot [8] and Pioneer [9], both relying on special peripherals to complete measurement. TCG proposes a method to build a measurement system by using TPM as the root of trust for common terminal platforms. Under the TCG architecture, the IBM T.J. Watson research center proposes Integrity Measurement Architecture (IMA) [10] and Policy-Reduced IMA (PRIMA) [11]. CMU further gives the BIND system [12], which is a fine-grained measurement architecture for distributed environments. Chinese researchers have also proposed their solutions [13, 14] based on IMA.

Another research area about trust of terminals is the Trusted Software Stack (TSS). TSS is a kind of software that packs and abstracts TPM functionalities. It is one of the most important components in a trusted platform, and can be regarded as the extension of trust functions from the hardware to the application layer. TCG has published TSS specifications, which define the architecture and interfaces that TSS developers should follow. In 2005, IBM gave the first TCG-compliant TSS product, TrouSerS, which is regarded as fundamental open-source software in the trusted computing area. Similar to IBM, IAIK in Austria and Sirrix AG in Germany developed jTSS and µTSS for Java applications and mobile devices, respectively.

Based on the above technology, the industrial community gradually releases trusted PC and server products. Recently, two kinds of new trusted computing platforms have drawn more and more attention. On one hand, in the mobile trusted platform, researchers follow the basic idea of MTM and present mobile terminals with trusted computing functions and characteristics. As an example, Samsung ships the TrustZone-based KNOX system in its mobile phones. On the other hand, in the virtualization trusted platform, researchers take full advantage of isolation to prevent critical software from being interfered with, and present a batch of advanced technology schemes, such as LKIM [15], HIMA [16], HyperSentry [17] and vTPM [18]. LKIM and HIMA both leverage the isolation mechanism of the virtualization platform and implement integrity measurement by supervising the memory of virtual machines (VMs). HyperSentry further uses hardware mechanisms to implement measurement in a transparent manner. vTPM, presented by IBM, provides every virtual machine with a dedicated virtual TPM, which can be used to solve the problem of resource conflict when sharing a TPM between virtual machines. Ruhr University enhances the availability of vTPM by promoting it to a property-based TPM virtualization scheme [19]. The limitation of these two schemes is the lack of an effective binding between vTPM and TPM.

1.1.3 Trust between Platforms

Based on the chain of trust of a terminal, remote attestation is used to extend trust from local terminal platforms to remote terminal platforms. It can be divided into platform identity attestation and platform state attestation.

In the aspect of platform identity attestation, the TPM v1.1 specification adopts a scheme based on a Privacy CA, which authenticates the platform through an attestation identity key (AIK). Its limit lies in that anonymity cannot be perfectly achieved. To achieve anonymity, TPM v1.2 adopts the Direct Anonymous Attestation (DAA) scheme based on CL signatures [20, 21]. Ge and Tate further propose a more efficient DAA scheme for embedded devices [22]. Researchers have started DAA protocol research with ECC instead of RSA cryptography, so as to overcome the shortcomings in the literature [21, 22], such as overlong signatures and massive computation. Brickell et al. propose the first DAA based on bilinear maps under the LRSW assumption [23, 24], which greatly improves computation and communication performance. Chen and Feng make a step forward by designing a scheme under the q-SDH assumption [25, 26]. Brickell and Chen change the fundamental cryptographic assumptions of existing DAA schemes, and thus significantly reduce the TPM’s computation in DAA [27, 28]. The performance of their schemes is simulated and analyzed on ARM CPUs [29].

In the aspect of platform state attestation, TCG recommends the binary attestation method, and IBM implements a prototype system following this method [30]. This method is easy and reliable, but incurs poor scalability and weak configuration privacy. To counter these shortcomings, property-based attestation (PBA) instead attests security properties that are obtained by evaluating binary measurement values. IBM and Ruhr University successfully propose their own PBA architectures [31, 32], and Chen then presents the first concrete PBA protocol [33], which achieves provable security in the random oracle model and supports revocable property certificates and blinded verification. Chen also presents a PBA protocol without a trusted third party, which uses ring signature technology to hide the configuration of the platform within property sets [34]. Kühn et al. introduce an implementation method of PBA which does not require any software/hardware modification [35]. Besides, Haldar et al. give semantic-based attestation [36]. This scheme attests the semantic security of Java programs by using a trusted virtual machine. CMU proposes software-based attestation [37] for embedded devices. Li et al. convert the platform configuration into a historical behavior sequence, and propose system behavior-based attestation [38].

1.1.4 Trust in Network

Considering the popularization of Internet applications, just establishing trust for terminals is not sufficient. It is desirable to extend trust to the network, and make the whole network a trusted execution environment.

Cisco and Microsoft proposed their Network Access Control (NAC) [39] and Network Access Protection (NAP) [40] solutions. NAC has advantages in connection control and supervision of network equipment, while NAP is good at terminal state evaluation and supervision. In 2005, TCG proposed the Trusted Network Connection (TNC) architecture specification v1.0 [41], the main feature of which is introducing the integrity of the terminal into the decision of network connection access control. After 2005, the TNC specifications have been updated continuously. In recent versions, TNC incorporates the Metadata Access Point (MAP) and MAP client such that it can dynamically control network access according to changes of metadata. Meanwhile, TNC also supports interoperation with NAP. Chinese researchers have also carried out research on trusted networks based on TCG TNC [42].

Besides TNC, NAP and NAC, security protocols have also been improved. Current protocols such as SSL/TLS and IPSec only authenticate users’ identities and ensure the integrity and confidentiality of network data, but cannot authenticate terminals’ integrity. Against this issue, IBM extends terminal integrity attestation to SSL [43]. In [43], the terminal negotiates security parameters with the trusted network, attests the integrity of the platform configuration under the SSL protocol with a terminal integrity extension and finally establishes a trusted channel between the terminal and the trusted network. Ruhr University finds that the scheme in [43] may suffer a man-in-the-middle attack. To solve this problem, researchers at Ruhr University provide a platform property certificate to bind the SSL identity and the AIK [44]. Ruhr University also implements a TLS-compatible trusted channel based on OpenSSL [45].

1.1.5 Test and Evaluation of Trusted Computing

In the aspect of test and evaluation of trusted computing technology, research work appears in the fields of compliance test for TPM specifications, security mechanism analysis and product security evaluation.

As the name implies, compliance test aims at examining the degree of compliance between concrete TPM products and the specifications. It is one of the most important research directions in trusted computing test and evaluation. In this aspect, Ruhr University proposes the first TPM test solution [46]. Their scheme describes the details of a manual test, which is nonautomated and lacks quality analysis of test results. Chinese researchers are dedicated to the automation of compliance test for TPM specifications [47, 48]. Based on the extended finite state machine (EFSM) model of TPM/TCM, the Institute of Software, Chinese Academy of Sciences (ISCAS) introduces a set of comprehensive methods, including a test model, an automatic generation method for test cases and an analysis method for test case quality. The effect and performance of these methods have been justified in practical test work on real TPM/TCM products.

Analysis of trusted computing mechanisms applies the traditional methods of security protocol analysis to the trusted computing area. The analysis objects of this research area are the relatively abstract and theoretical parts of trusted computing technology, mainly including protocols and critical mechanisms, such as the authorization protocols (AP) in TPM/TCM, DAA, extending of PCRs and establishing of the chain of trust. The target of this kind of work is to theoretically detect defects in the protocols and mechanisms or to prove their security properties. Most work adopts formal methods, which can be further divided into model checking and theorem proving. Up to now, Milan University, Ruhr University, Carnegie Mellon University (CMU) and the Institute of Software, Chinese Academy of Sciences have successfully found defects in TPM/TCM authorization protocols, DAA, chain of trust and key migration [49–54].

Evaluation of trusted computing products embodies the importance of security engineering in the international information security area. According to the basic idea of security engineering, to ensure the security of a product, it is necessary that the whole life cycle of the product, including requirement analysis, design, production and deployment, is under strict control and evaluation. TCG has already started evaluation projects for TPM [55] and TNC. According to the results of these projects, Infineon’s SLB9635TT1.2 is the first TPM product passing the evaluation based on the TPM protection profile [56, 57]. Meanwhile, seven TNC-related products from Juniper and Hochschule Hannover, including the IC4500 access control suite, the EX4200 switch and StrongSwan, have been certified by TCG.

Above all, current research achievements on trusted computing test and evaluation are relatively rare, and both the coverage and the depth of trusted computing test and evaluation need to be improved. First, in the aspect of test target, current works have only verified and analyzed a small part of trusted computing products and security mechanisms. Most trusted computing mechanisms, protocols and products, especially the emerging TC-related technologies mentioned below, have not been addressed yet. Second, in the aspect of test level, current works reside in independent components of a computing platform, namely, research on the overall security of a computing platform is still scarce. Third, in the aspect of specification, only a few products like TPM can be tested according to test and function specifications. Most trusted computing products can only be tested and evaluated without any formal guidance. Some mechanisms, like the chain of trust, even lack detailed function specifications.

1.2 Our Work

The research team led by the author of this book has carried out in-depth and systematic research on key technologies of trusted computing. Our contributions can be summarized as follows.

First, in the aspect of trust model and chain of trust, we mainly focus on overcoming the shortcomings of previous integrity measurement schemes, such as poor scalability and dynamics. We establish a trust model based on trust degree, and introduce methods of dynamic measurement on the OS and recoverable trusted boot. We further implement these methods and manage to build a complete chain of trust prototype system, which covers the whole running process of a computer from terminal boot to application.

Second, in the aspect of remote attestation, we construct a novel pairing-based PBA and the first pairing-based DAA under the q-SDH assumption. These important achievements significantly promote the research level of China on remote attestation protocols. The adoption of pairing has broadened the way of remote attestation research, and laid the theoretical foundation for the application of key technologies of remote attestation.

Third, in the aspect of test/evaluation of trusted computing, we propose a reduction-based automatic test case generation method from the extended finite state machine. Based on this method, we further implement a test/evaluation system for trusted computing platforms that supports compliance test for TPM/TCM specifications. It has already been used by the test and evaluation authority in China. We also carry out work on formal analysis of the TCM authorization protocol, and successfully find a replay attack against this protocol. These works have played an important role in improving the security and quality of Chinese trusted computing products and standardizing the Chinese trusted computing industry.

1.2.1 Chain of Trust

Establishing trust within a terminal platform is fundamental for building trust between platforms and in the network, and has always been an active research field. For the trust model, we comprehensively take into account the influence of each boot-time component on overall trust, and propose a terminal trust model based on trust degree. For building methods of chains of trust, we propose efficient and secure measurement schemes for the bootloader and the OS, respectively. These schemes completely cover the whole computer running timeline from terminal boot to application running.

1.2.1.1 Trust Model Based on Trust Degree

To establish trust on a terminal platform, a trust model must be built to describe the way in which the trustworthiness of any software, firmware and hardware can be ensured at both boot and running time. In TCG’s architecture, the computer boots from secure hardware and authenticates each entity in the boot process step by step so as to ensure trustworthiness at boot time. After that, the computer could use an access control method following the BLP or Biba model to ensure trustworthiness at running time. However, TCG is not fully concerned about the environment that the platform resides in, and the trusted boot of any entity may be influenced by previously booted entities. Furthermore, ensuring trustworthiness by an access control model may face some difficulties, such as lacking a reliable method to judge trust degree and lacking adaptability to changes of trust degree; thus, TCG’s method may be hard to implement and use. Given the above considerations, we propose a trust model [58, 59] based on trust degree. To describe the process of establishing trust at boot time, we leverage the concept of trust degree to describe the influence of booted entities on booting entities. Meanwhile, in order to describe the process of establishing trust at runtime, we give rules to dynamically adjust the trust degree of entities at runtime and implement access control based on the trust degree of entities.

1.2.1.2 Recoverable Trusted Boot

A chain of trust can hardly be recovered once corrupted at boot time, thus we propose a recoverable trusted boot scheme. The basic idea of this method is to verify the chain of trust established at boot time, check the integrity of critical parts of the OS such as the kernel and key files, and recover the OS by another secure system if the chain of trust is corrupted.

We implement a trusted boot subsystem based on this scheme. The system uses TPM/TCM as the root of trust, and extends the common boot system with functions such as system component measurement, verification, configuration and recovery. Once running, the system measures all components running before the OS using TPM/TCM, verifies the chain of trust established before the OS and checks the integrity of critical system files and the OS kernel. If all checks pass, the OS is booted successfully. Otherwise, corrupted files are recovered and the chain of trust is rebuilt.

The trusted boot subsystem significantly enhances the robustness of the chain of trust in the boot phase. Meanwhile, the recovery function imposes only a small influence on system performance, thus the extra delay caused by the subsystem is acceptable.
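As an added illustration (not the book’s prototype code), the following Python simulates the recoverable trusted-boot check described above: each boot component is measured and extended into a PCR-style register, the resulting chain is compared with a stored reference, corrupted components are identified from the event log and replaced from a protected golden copy, and the chain is rebuilt. The component images, the golden copies and the reference values are all constructed sample data.

```python
"""Simulation of recoverable trusted boot with a PCR-style chain of trust.

Constructed example: the boot components are byte strings standing in for
real firmware/kernel images; the golden copies stand in for the protected
recovery partition of the "other secure system" mentioned in the text.
"""
import hashlib

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32          # PCR value after platform reset


def measure(data: bytes) -> bytes:
    """Measurement of a component = hash of its image."""
    return HASH(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend operation: PCR_new = H(PCR_old || digest).
    Because the hash chains, the final value depends on both the content
    and the order of every measured component."""
    return HASH(pcr + digest).digest()


def build_chain(components):
    """Measure components in boot order.

    Returns (final PCR value, event log as a list of (name, digest))."""
    pcr = PCR_INIT
    log = []
    for name, data in components:
        digest = measure(data)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def find_corrupted(log, reference_log):
    """Names whose measurement differs from the reference event log."""
    reference = dict(reference_log)
    return [name for name, digest in log if reference.get(name) != digest]


def recoverable_boot(components, reference_pcr, reference_log, golden):
    """Verify the boot chain; on mismatch, restore corrupted components from
    the golden copies and rebuild the chain.

    Returns (booted, recovered_names, final_pcr).  `booted` is False when
    the rebuilt chain still does not match the reference, e.g. a corrupted
    component has no golden copy, or the components ran out of order."""
    pcr, log = build_chain(components)
    if pcr == reference_pcr:
        return True, [], pcr               # chain intact, boot the OS
    corrupted = find_corrupted(log, reference_log)
    repaired, recovered = [], []
    for name, data in components:
        if name in corrupted and name in golden:
            repaired.append((name, golden[name]))   # restore from golden copy
            recovered.append(name)
        else:
            repaired.append((name, data))
    rebuilt_pcr, _ = build_chain(repaired)          # re-measure after recovery
    return rebuilt_pcr == reference_pcr, recovered, rebuilt_pcr


# Constructed sample boot components (stand-ins for real images).
GOLDEN = {
    "bootloader": b"bootloader v1.0 (golden image)",
    "kernel": b"vmlinuz 3.x (golden image)",
    "initrd": b"initrd.img (golden image)",
}
BOOT_ORDER = ["bootloader", "kernel", "initrd"]


def golden_components():
    return [(name, GOLDEN[name]) for name in BOOT_ORDER]


# Reference values would be sealed/stored at provisioning time.
REFERENCE_PCR, REFERENCE_LOG = build_chain(golden_components())


def tampered_components():
    """Same boot sequence with a modified kernel image (constructed)."""
    return [(name, b"vmlinuz 3.x (modified)" if name == "kernel" else GOLDEN[name])
            for name in BOOT_ORDER]


if __name__ == "__main__":
    booted, recovered, _ = recoverable_boot(
        tampered_components(), REFERENCE_PCR, REFERENCE_LOG, GOLDEN)
    print("booted:", booted, "recovered:", recovered)
```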

1.2.1.3 Chain of Trust within OS

The chain of trust within the OS is much more complex than trusted boot. The main challenge is to design and implement an efficient measurement architecture. Existing architectures, such as IMA, suffer from coarse-grained measurement and TOCTOU (time of check, time of use) attacks. Against these problems, we propose component measurement [60] and dynamic measurement [61] for building the chain of trust on Windows/Linux. These methods provide fine-grained and dynamic measurement of kernel modules, components and applications, so as to ensure the load-time and runtime trustworthiness of this code.

Using the above methods, we implement a boot-time and runtime chain of trust on Windows/Linux [62]. We make the OS measurement grain finer and verify the system’s security by several popular attack experiments. The experiments show that our system can detect common attacks on the integrity of system processes at an affordable cost in system performance.

1.2.2 Remote Attestation

Remote attestation is an important security mechanism aimed at solving the problem of trust between trusted computing platforms or nodes in a trusted network. Remote attestation can be divided into platform identity attestation and platform state attestation. These two basic attestation models are similar. The participants in attestation include a trusted platform P with TPM/TCM as the prover, a remote platform V as the verifier and a trusted third party (TTP) T in a supporting role. TPM/TCM and the trusted third party act as the trust anchors in this model: TPM/TCM guarantees the platform’s authenticity and the trusted third party guarantees the correctness of the protocol.

Attestation protocols are the hotspot of current research on remote attestation. The main attestation protocols include DAA and PBA.

1.2.2.1 Direct Anonymous Attestation

Next Generation of DAA. Since the RSA-based BCL DAA [21] appeared in 2004, many researchers have been dedicated to DAA protocol improvement. Elliptic curve cryptography is much more efficient than RSA and has shorter private keys and signatures (at the same security level), thus ECC and pairing are more suitable for the next generation of DAA. In 2008, we first adopted ECC to improve DAA and proposed a next-generation DAA protocol [26, 63], which greatly promoted the performance of DAA and related research.

Our scheme is based on the q-SDH and DDH assumptions, and is one of the earliest q-SDH and pairing-based schemes. It is provably secure under the ideal-real system model. Compared with the original DAA, its signature length is shortened by 10 % and its computation is also reduced significantly. We further propose a DAA protocol [64] based on an improved BB signature [25], which nearly doubles the computation efficiency of the “join phase” of DAA. These works guide the direction of adopting the q-SDH assumption to improve DAA protocols. Based on our work, many subsequent works have made continuous improvements on DAA protocols.

A Forward-Secure DAA. While designing DAA protocols, researchers mainly focus on user-controlled anonymity and user-controlled traceability, but pay little attention to the leakage of the TPM’s internal secret, say f. Once f leaks, it not only corrupts all security properties of the current DAA protocol instance but also affects previous DAA signatures. To solve this problem, we carry out extended research on DAA security and propose a forward-secure DAA [65]. This scheme not only satisfies all basic security requirements but also preserves platform anonymity when the DAA secret leaks. This work is only the first step of extended research on DAA security, and many problems still need to be solved.

Besides the above-mentioned improvements, we have also addressed other issues of DAA. We have researched the anonymous authentication problem of DAA across several security domains, and proposed a cross-domain DAA scheme [66]. This scheme is expected to solve the problem across different security domains or TPMs from different vendors. We have also made continuous efforts in applying DAA in various special scenarios, including wireless terminals, mobile phones and other embedded devices, and the design of DAA protocols in these scenarios still needs further study.

1.2.2.2 Property-Based Attestation

Attestation of platform integrity is one of the most important issues in trusted computing research. Among the various solutions, property-based attestation (PBA) is the most promising and practical one. We carry out research on PBA systematically, and the related works mainly lie in three aspects: attestation granularity, attestation performance and DAA-PBA joint attestation [67, 68].

Fine-Grained Component-Based PBA. Traditional PBA [35] attests the property of the whole platform. This kind of scheme is coarse-grained and faces some difficulties in practical application. For example, it is hard, if not impossible, to issue and update property certificates for the whole platform. To solve these problems, we propose a component-based PBA and implement a prototype [68]. The basic idea of this scheme is to convert requirements on platform property attestation into logic expressions about the properties of the related components; then the prover only needs to attest the property of each independent component. Through a zero-knowledge proof, attestation of a component property proves that the cryptographic commitment on the component’s measurement meets the requirements in the component’s property certificate.

The scheme is provably secure under the random oracle model, and enjoys the following features: first, it is fine-grained, scalable and verifiable; second, no temporarily issued certificate is needed, and revocation and verification are efficient; third, the privacy of the platform configuration is well protected. This scheme moves a step forward in improving traditional PBA, and solves the basic problems of PBA application in both protocol design and system implementation.

Pairing-Based Efficient PBA. Traditional RSA-based PBA suffers from the heavy computation of zero-knowledge proofs and low performance. Thus, in [67], we construct an efficient PBA for TCM. This protocol shares the same security model as the traditional protocols, and they all aim at proving unforgeability and configuration privacy. In the scheme, each platform configuration-property pair (cs, ps) is issued a property certificate σ = (a, A, b, B, c) based on CL-LRSW signatures and pairing. Through a signature proof of knowledge, a platform can prove that the commitment on the configuration value stored in the TCM meets the specific requirements of the platform’s property.
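For reference, the two-message Camenisch–Lysyanskaya (CL-LRSW) signature from which a pairing-based certificate of the form σ = (a, A, b, B, c) is built is recalled here; this is added background, not the concrete protocol of [67], and the assignment of cs and ps to the two message slots m_0 and m_1 is an assumption. Let e: G × G → G_T be a symmetric bilinear pairing with generator g, issuer secret key (x, y, z) and public key (X, Y, Z) = (g^x, g^y, g^z). A certificate on (m_0, m_1) is formed by choosing a random a ∈ G and setting

$$A = a^{z},\quad b = a^{y},\quad B = A^{y},\quad c = a^{\,x + x y m_0}\, A^{\,x y m_1},$$

and a verifier accepts σ = (a, A, b, B, c) if and only if

$$e(a, Z) = e(g, A),\qquad e(a, Y) = e(g, b),\qquad e(A, Y) = e(g, B),$$
$$e(X, a)\, e(X, b)^{m_0}\, e(X, B)^{m_1} = e(g, c).$$

The last equation holds because both sides equal e(g, a)^{x + x y m_0 + x y z m_1}; in a PBA the platform does not reveal m_0 (the configuration cs) but proves knowledge of it under a commitment, which is why the exponents m_0 and m_1 appear only on pairing values that can be randomized and proved in zero knowledge.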

The scheme leverages pairing to simplify PBA, and is provably secure with respect to signature unforgeability and configuration privacy. Compared with RSA-based PBA, the scheme also reduces computation by nearly 32 % and shortens the signature length by about 63 %.

DAA-PBA Joint Attestation Protocol. DAA and PBA concern platform anonymity and configuration privacy, respectively, and they can be combined in practical application to achieve a better result, that is, both DAA and PBA can be conducted in a single attestation process. Literature [69] gives a joint attestation scheme. Its basic idea is to embed anonymous authentication into the property attestation process. In detail, a trusted third party first verifies the platform's anonymous identity, and then issues a compound certificate (f, cs, ps) about the anonymous identity and the configuration-property pair. In this way, a single attestation process achieves the goals of both DAA and PBA, which no doubt gives better performance.

1.2.3 Trusted Network Connection

Most current research on trusted networks is based on the TCG TNC architecture. By verifying the integrity and authenticity of terminals, the TNC architecture ensures the trustworthiness of the identity and running state of terminals, and further ensures the trustworthiness of the whole network. However, TNC still has some disadvantages. First, terminal privacy is not well protected. Second, interaction between TNC entities is not protected by secure protocols. Third, a terminal is not continuously supervised after it is connected. For terminal privacy protection at connection time, we propose a TNC-based anonymous access scheme [70] for network connection. The scheme is implemented in two concrete forms in our prototype: an iptables-based system at the IP layer, and an 802.1x-based system at the data link layer. Both implementations share the same architecture, which consists of the connecting terminal (the access requestor, AR), the network access control server (the policy decision point, PDP) and the enforcement point of network access control, as shown in Figure 1.1. In this architecture, the enforcement point relays authentication messages between the connecting terminal and the network access control server, and enforces the access policy given by the network access control server. The enforcement point is implemented as a secure gateway in the IP-layer form of the TNC architecture, or as a switch supporting VLAN isolation in the data-link-layer form. According to the AR's identity and integrity, the PDP gives the network access control decision. When an AR conforms to the access control policy, it is allowed to connect to the network; otherwise, it is only allowed to connect to an isolated domain. In this way, network access control is realized based on both identity and integrity.

Figure 1.1: Architecture of TNC.

For terminal privacy protection, we propose an anonymous TNC scheme based on TCG TNC and DAA. Before connecting to the network, the terminal should apply for an anonymous credential DAA Cert from the platform identity issuer. We extend the fourth and sixth steps of the current TCG TNC work flow (the platform certificate verification phase) [41], so as to implement network connection in an anonymous style. In the fourth step, the terminal computes a signature of knowledge according to DAA Cert, and sends this signature to the platform identity issuer to obtain an authentication credential for its anonymous identity key. In the sixth step, the terminal uses the authenticated identity key to sign the platform's measurement value, and the platform identity issuer then verifies the authenticity of the anonymous identity and the correctness of the integrity measurement.

In general, TNC extends terminal trust to the network but does not address protection of terminal identity privacy. Our TNC system combines TNC and DAA, so as to effectively supervise terminals while protecting their privacy. It meets the security requirement of network connection in an open environment.

1.2.4 Application of Trusted Computing

Trusted computing is now widely applied in many areas such as secure PC, trusted network, trusted storage and DRM. We mainly focus on trusted storage and trusted usage control, for ensuring data confidentiality and freshness and for implementing access control administration of data in a trusted style.

1.2.4.1 Trusted Storage

In the TCG architecture, trusted storage is mainly implemented by the sealing function of TPM. When TPM seals data, it encrypts the data and binds them to the system configuration (in PCRs), so as to ensure the confidentiality of the data. Due to the frequent change of software and hardware in PCs and servers, sealed data easily become unavailable in practical application, and the TCG sealing scheme often suffers from poor scalability. To handle this situation, we propose a property-based sealing scheme for virtualization platforms [71]. In this scheme, a TPM is multiplexed by several virtual machines to protect their data, and properties are organized in a hierarchical and graded manner to enhance the operational flexibility of sealed data. Every VM has a set of virtual PCRs (vPCRs) to store its system configuration. When sealing data, the sealing proxy first transforms the VM configuration into properties and extends these properties into PCRs, and then TPM seals the data with the properties. When unsealing data, the sealing proxy compares the security level of the current VM's property with that of the sealed property. Only when the security level of the VM's property is equal or higher does the proxy extend the properties into a resettable PCR and invoke TPM to unseal the data. That is to say, sealed data can only be accessed when the security level of the VM's property has not degraded.
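The sealing proxy described above can be modelled in a few dozen lines. The following is an added example, not code from the book or from the prototype in [71]: it uses a toy TPM (HMAC-derived keys, a hash-based keystream and a resettable PCR) and a constructed property table with graded security levels. Everything here, including the VM configurations, property names and grades, is an assumption made for illustration. The TPM itself only checks PCR equality; the "do not degrade" rule is enforced by the proxy, which re-extends the sealed property into the resettable PCR only after the grade check passes.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed property table (assumption): a higher grade is a stricter configuration.
PROPERTY_GRADE: Dict[str, int] = {"unpatched-os": 1, "patched-os": 2, "patched-os+fde": 3}

# Constructed mapping from a VM's vPCR composite (digest of its measured
# components) to the property the proxy assigns to that configuration.
CONFIG_TO_PROPERTY: Dict[str, str] = {
    hashlib.sha256(b"kernel-5.10 initrd-old").hexdigest(): "unpatched-os",
    hashlib.sha256(b"kernel-5.15 initrd-new").hexdigest(): "patched-os",
    hashlib.sha256(b"kernel-5.15 initrd-new dm-crypt").hexdigest(): "patched-os+fde",
}

RESETTABLE_PCR = 16  # TPM 1.2 PCRs 16-23 are resettable by the OS


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (counter mode over SHA-256); stand-in for the TPM's cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += sha256(key, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


class ToyTPM:
    """Minimal TPM model: 24 PCRs, reset/extend, and seal/unseal bound to one PCR."""

    def __init__(self, storage_root_secret: bytes) -> None:
        self.secret = storage_root_secret          # never leaves the "chip"
        self.pcrs = {i: b"\x00" * 32 for i in range(24)}

    def pcr_reset(self, idx: int) -> None:
        if idx < 16:
            raise PermissionError("only PCRs 16-23 are resettable")
        self.pcrs[idx] = b"\x00" * 32

    def pcr_extend(self, idx: int, measurement: bytes) -> None:
        self.pcrs[idx] = sha256(self.pcrs[idx], measurement)

    def _key_for(self, pcr_value: bytes) -> bytes:
        return hmac.new(self.secret, pcr_value, hashlib.sha256).digest()

    def seal(self, idx: int, data: bytes) -> Tuple[bytes, bytes, bytes]:
        bound = self.pcrs[idx]
        key = self._key_for(bound)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return bound, ct, tag

    def unseal(self, idx: int, blob: Tuple[bytes, bytes, bytes]) -> Optional[bytes]:
        bound, ct, tag = blob
        if self.pcrs[idx] != bound:                 # configuration mismatch
            return None
        key = self._key_for(bound)
        if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return None                             # blob was tampered with
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class SealingProxy:
    """Maps VM configurations to graded properties and mediates seal/unseal."""

    def __init__(self, tpm: ToyTPM) -> None:
        self.tpm = tpm

    def property_of(self, vm_config: bytes) -> str:
        return CONFIG_TO_PROPERTY[hashlib.sha256(vm_config).hexdigest()]

    def _extend_property(self, prop: str) -> None:
        self.tpm.pcr_reset(RESETTABLE_PCR)
        self.tpm.pcr_extend(RESETTABLE_PCR, prop.encode())

    def seal(self, vm_config: bytes, data: bytes) -> dict:
        prop = self.property_of(vm_config)
        self._extend_property(prop)
        return {"property": prop, "blob": self.tpm.seal(RESETTABLE_PCR, data)}

    def unseal(self, vm_config: bytes, sealed: dict) -> Optional[bytes]:
        current = self.property_of(vm_config)
        if PROPERTY_GRADE[current] < PROPERTY_GRADE[sealed["property"]]:
            return None                             # security level degraded
        self._extend_property(sealed["property"])   # PCR now matches the blob
        return self.tpm.unseal(RESETTABLE_PCR, sealed["blob"])
```

Sealing under the "patched-os" configuration and unsealing under "patched-os+fde" succeeds because the grade did not drop, while an attempt from the "unpatched-os" VM is refused by the proxy before the TPM is ever asked.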

Another hardware-level feature of TCG trusted storage is that data can be bound to a TPM monotonic counter, which is critical for ensuring data freshness and preventing replay attacks. But due to limited production cost, very few counters are provided, too few to meet the freshness requirements of massive data storage. Thus, we propose a novel virtual monotonic counter scheme [72]. In this scheme, virtual monotonic counters are constructed on top of the physical counters in TPM, and the security properties of the virtual counters, such as monotonic growth and tamper resistance, are guaranteed by the hardware TPM. In detail, creation and increment operations on virtual counters trigger real increment operations on the physical counters, and these real operations are protected by a TPM transport session. Because the log of the transport session records all operations on TPM counters and the corresponding virtual ones, virtual and physical counters are strictly bound.
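The binding between virtual and physical counters can be seen in a small model. The following is an added example, not code from the book or from the scheme in [72]: one toy TPM counter stands in for the physical counter, and the transport-session log is modelled as an HMAC chain over every increment, keyed with a constructed session key. The virtual counter manager, its API and the choice of an HMAC chain are assumptions for illustration; the point shown is that a virtual counter's value is derived from the logged physical increments, so removing or editing a log entry to roll a virtual counter back is detected either by the chain or by the gap between the log and the real counter value.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# One log entry: (physical counter value after the increment, virtual counter
# id tagged on the command, chained MAC over the entry).
LogEntry = Tuple[int, str, bytes]


class ToyTPMCounter:
    """Single physical monotonic counter with a transport-session style log."""

    def __init__(self, session_key: bytes) -> None:
        self.value = 0
        self._session_key = session_key      # constructed; known to TPM and verifier
        self.log: List[LogEntry] = []

    def _mac(self, prev: bytes, value: int, tag: str) -> bytes:
        msg = prev + value.to_bytes(8, "big") + tag.encode()
        return hmac.new(self._session_key, msg, hashlib.sha256).digest()

    def increment(self, tag: str) -> int:
        """Increment the physical counter and log the command that caused it."""
        prev = self.log[-1][2] if self.log else b"\x00" * 32
        self.value += 1
        self.log.append((self.value, tag, self._mac(prev, self.value, tag)))
        return self.value

    def verify_log(self, log: List[LogEntry]) -> bool:
        """Check chain integrity, strict +1 growth and agreement with the real counter."""
        prev, expected = b"\x00" * 32, 0
        for value, tag, mac in log:
            expected += 1
            if value != expected or not hmac.compare_digest(mac, self._mac(prev, value, tag)):
                return False
            prev = mac
        return expected == self.value


class VirtualCounterManager:
    """Multiplexes many virtual monotonic counters over one physical counter."""

    def __init__(self, tpm: ToyTPMCounter) -> None:
        self.tpm = tpm
        self._created: Dict[str, int] = {}   # vid -> physical value at creation

    def create(self, vid: str) -> None:
        if vid in self._created:
            raise ValueError(f"virtual counter {vid} exists")
        self._created[vid] = self.tpm.increment(f"create:{vid}")

    def increment(self, vid: str) -> int:
        if vid not in self._created:
            raise KeyError(vid)
        self.tpm.increment(f"inc:{vid}")
        return self.read(vid)

    def read(self, vid: str, log: Optional[List[LogEntry]] = None) -> Optional[int]:
        """Derive the virtual value from the (verified) log, not from local state."""
        log = self.tpm.log if log is None else log
        if not self.tpm.verify_log(log):
            return None                       # rollback or tampering detected
        return sum(1 for _, tag, _ in log if tag == f"inc:{vid}")
```

Reading a virtual counter always re-verifies the log against the physical counter, so a stale copy of the log (one increment shorter) or an entry whose tag was rewritten to move an increment to another virtual counter both yield no value rather than a rolled-back one.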

1.2.4.2 Trusted Usage Control

In distributed applications, data can be accessed both locally and remotely; thus, it is desired that data be used according to their owner's policy, no matter where the data are actually located. We therefore implement a trusted usage control system [73, 74], which concerns not only local access control but also the security of data and policy after they are distributed. By enhancing the expressiveness of the policy language and introducing a policy enforcer into the remote data user's platform, we guarantee that the remote data user can only use the data according to the policy designated by the data owner.

In our system, the integrity of the user's platform needs to be verified when data are distributed to the user. During the distribution process, the security of data and policy as well as the configuration privacy of the data user's platform should be protected. We leverage TLS to guarantee the confidentiality and authenticity of data and policy. We further adopt a key authentication method to verify the configuration of the data user's platform without compromising the privacy of the platform's configuration [73]. In detail, the data owner designates a trusted configuration set S, and any configuration in this set is considered to conform to the owner's security policy. Then the data user sends an encryption key K to the owner and attests that this key is bound to a certain configuration C in S. The attestation method is carefully designed so as not to reveal any concrete information about the configuration. Finally, the data user receives the data encrypted under K, and can only decrypt them when the system's configuration is C.

For concrete applications, we also make efforts to solve the technical problems of trusted usage control in practice, and build on our trusted usage control system to further propose a TPM-based DRM scheme [75] and a layered usage control scheme for digital content [76].

1.2.5 Test and Evaluation of Trusted Computing

Test and evaluation is now a hotspot in the trusted computing research field. Our work includes three aspects. First, we carry out research on automatic compliance testing for the TPM/TCM specifications. Compared with the traditional manual method, the automatic scheme has the advantages of low cost and high performance. Furthermore, this scheme supports good analysis of test results (such as statistics on test coverage) and facilitates quantification of the trustworthiness of test results. Second, we carry out research on the analysis and evaluation of trusted computing protocols, especially model checking-based analysis of the TCM authorization protocols, and successfully find their defects. Third, we implement a comprehensive test system for trusted computing platforms, which is the first practical trusted computing test system in China. This section summarizes the key points of these works; further content can be found in Section 1.1.5.

1.2.5.1 Automatic Compliance Test for TPM/TCM Specification

In compliance testing for the TPM/TCM specification, the main difficulty lies in automation and in quality analysis of the test results. Against this situation, we make breakthroughs in the following three points [77, 78].

First, in the aspect of the TPM test model, we use a standard specification language to describe TPM v1.2 so as to avoid ambiguity and errors in the specification. We further give an EFSM-based test model through analysis of TPM functions, which lays the foundation for automated testing.

Second, in the aspect of the automatic compliance test method, we use a two-phase test case generation method. By splitting the test phase, we significantly reduce test complexity and increase the degree of automation. Furthermore, the test workload and the interference of human factors on the test results are reduced.

Third, in the aspect of quality analysis of test cases, we use a reachability tree to accurately evaluate test quality. By clarifying the relationship between the quantity and the coverage of test cases, we can choose an appropriate test case generation policy, and thus provide sufficient evidence for the trustworthiness of the test results.

1.2.5.2 Analysis of TCM Authorization Protocol

The TCM authorization protocol is critical for protecting TCM internal secrets. Because the Chinese specifications of trusted computing were published relatively late, work on the analysis of this protocol is just starting out. We present the first security analysis of the AP protocol using model checking, and successfully find replay attacks on this protocol.

We first use a symbolic model to describe AP, which eliminates ambiguity. Then, we set assumptions about cryptography and attackers, and use PROMELA to describe the participants' behaviors and the protocol property, namely that honest participants' sessions must match. Finally, we input the descriptions of the protocol and the property into SPIN and find a theoretical replay attack against AP. By taking certain security countermeasures, this attack can be well prevented.

1.2.5.3 Comprehensive Test/Evaluation System of Trusted Computing Platform

The comprehensive test/evaluation system of trusted computing platforms is a suite of systems for testing, analyzing and emulating security chips, cryptographic algorithms and protocols. The main functions of the system include compliance testing of security chips and trusted software, correctness and performance testing of cryptographic algorithms, and simulation of trusted computing protocols. The system is scalable and effective in testing work, and as the first comprehensive test system for trusted computing in China, it has already been put into practice at the Chinese authority for the test and evaluation of information security products. In practical testing of Chinese trusted computing products, this system has successfully detected defects of TCM products, such as noncompliance with specifications and poor interoperability. The system has also found incompleteness and ambiguity in the Chinese specifications in the aspects of key management, key authentication, command audit, counters and locality. We argue that all these defects should be carefully considered in future specification updates.

1.3 Problems and Challenges

As an emerging security technology, trusted computing has already become a research hotspot. Mainstream desktop and laptop products, both in China and internationally, have all been equipped with TPM or TCM. Though the trusted computing industry has made great progress, there are still many problems to be solved in both theoretical and technical aspects [79]. As pointed out by Chinese experts in 2007, there are still barriers in five aspects to the development of trusted computing [80]. As research on trusted computing has deepened in recent years [81, 82], breakthroughs have already been made in the theoretical and key technical aspects of some of these problems.

There is no doubt that trusted computing is a technology with broad prospects, but in practice it is not a “catholicon” that solves all IT security problems. There are still challenges and barriers to pervasive application. First, research on theoretical models for trusted computing is still rare, and nearly no progress has been made in recent years. Second, the trusted computing chip is too complex, and its compatibility and specification compliance need to be improved. Third, key technologies of trusted computing such as integrity measurement suffer from poor scalability and administrative complexity. Fourth, trusted computing has not been deeply integrated with the other security mechanisms of the OS, network and applications.

We believe that the bottlenecks of trusted computing will eventually be overcome as related research deepens and information security technology develops. In other words, we regard trusted computing as a breakthrough direction for future information security technology.

1.4 Structure of This Book

This book includes eight chapters and one appendix. The first chapter introduces the background, the state of the art and our work on trusted computing. Chapter 2 introduces security chips, including TPM, TCM and mobile modules. Chapter 3 explains the technology for establishing chains of trust, such as the root of trust, the static chain of trust, the dynamic chain of trust and chains of trust for virtualization platforms. Chapter 4 presents the trusted software stack, including TSS, TSM and the development of trusted applications. Chapter 5 introduces various trusted computing platforms, such as PC, server, mobile platform, virtualization platform and applications of trusted computing platforms. The test and evaluation content mentioned above, such as TPM/TCM testing, analysis of critical trusted computing mechanisms, evaluation of trusted computing products and the comprehensive test system, is further explained in Chapter 6. Chapter 7 presents remote attestation, and finally Chapter 8 details TNC. Last but not least, the algorithms and preliminaries used in trusted computing are illustrated in the appendix.
