• Keine Ergebnisse gefunden

6.4 Attestation Protocols

6.4.3 Individual Attestation Protocol (IAP)

In contrast to the PBAP, the IAP can be used to individually verify whether the plat-form configuration of a SN is trusted. A CN needs only to perplat-form symmetric operations and two short messages need to be exchanged. The messages are very small, because no long public key primitives, e.g., keys, signatures need to be transmitted. Since trans-mitting messages is the most cost intensive factor in WSNs [190], this is of particular

interest, especially if the sink wants to verify the platform configuration of a SN. In this case, messages are transferred along several hops.

The protocol we propose is again divided in initialization phase and attestation phase. The initialization phase is performed only once after deployment of the sensor nodes while the attestation phase can be performed every time a CN (or the sink) wants to verify the platform configuration of a SN. In the embedded world, this initialization phase could for example performed directly before a vehicle leaves the factory site.

Initialization EachCNj establishes a shared, symmetric keyKCNj,SNi with itsSNi. For this purpose, existing (non TPM-based) techniques, e.g., [191], might be used.

However, we recommend using a key establishment protocol that uses the functionality of a TPM, e.g., [66]. This approach has the advantage that key generation within a TPM is inherently more secure than key generation on off-the-shelf embedded platforms.

As in [191], we assume that this short period of time to establish pairwise keys is secure and nodes cannot be compromised. The keys KCNj,SNi are sealed onSNi to its valid platform configuration PSNi. Thus, SNi can only access these keys if it is in its valid state.

To enable the sink to perform the attestation with SNi, a shared symmetric key KSink,SNi is preconfigured on SNi before deployment and sealed likewise.

Attestation Protocol 6.4.4 shows howCNj can verify the platform configuration of SNi. First, CNj sends a challenge to SNi. The challenge consists of an encrypted block containing anonce and the identifier IDCNj of CNj, and an additionally IDCNj in plaintext. KCNj,SNiis used for encryption. After receiving the challenge,SNiunseals KCNj,SNi related toIDCNj. This is only possible if the platform configurationPSNi is valid. Using this key, SNi decrypts the encrypted block and verifies if the decrypted identifier is equal to the identifier received in plaintext. If they match, SNi knows that this message originates fromCNj, encrypts thenonce0 usingKCNj,SNi, and sends it back.1 Otherwise, SNi aborts. SNi then deletes KCNj,SNi from the RAM. CNj decrypts the received response message and checks if the decrypted nonce00 matches the nonce it has sent in the first step. If they match, SNi is declared trusted and CNj can send data to SNi. This data is encrypted using KCNj,SNi. The attestation of SNi by the sink is performed likewise, using the key KSink,SNi. Protocol 6.4.4 uses a challenge-response authentication involving the TPM to verify freshness of integrity information and thus satisfies Requirement 1. In addition, the ID of the CN is also injected to prevent replay attacks. Requirement 3 is also satisfied by binding further transaction data sent over the channel to a specific cryptographic key shared between theSNi and CNj. In contrast to the PBAP, this approach ensures authenticity of the attestation channel and, thus, establishes a secure attestation channel.

1However, the trust level ofCNj cannot be assumed, because the node could be potentially com-promised and the key is not protected by a TPM.

6.4. ATTESTATION PROTOCOLS 99

Protocol 6.4.4: Individual Attestation Protocol SUMMARY: A CN verifies the integrity of a SN RESULT: Integrity validation

1. Notation.

SNi is a super node CN is a cluster node

PSNi denotes the actual platform configuration

KCNj,SNi denotes the shared key betweenCNj and SNi 2. Protocol steps.

CNj →SNi: IDCNj,{nonce, IDCNj}KCNj,SNi (1) SNi Unseal(PSNi, dSNi,{KCNj,SNi}ePSNiSNi) =KCNj,SNi (2) SNi D({nonce, IDCNj}KCNj,SNi, KCNj,SNi) = (nonce0, ID0CNj) (3) SNi checkID0CN

j

=? IDCNj (4)

SNi E({nonce0, IDSNi}, KCNj,SNi) ={nonce0, IDSNi}KCNj,SNi (5) SNi →CNj : IDSNi,{nonce0, IDSNi}KCNj,SNi (6)

SNi deleteKCNj,SNi from RAM (7)

CNj D({nonce0, IDSNi}KCNj,SNi, KCNj,SNi) = (nonce00, ID0SNi) (8) CNj ifnonce00=? nonce, state of SNi is valid (9) 3. Protocol actions.

(a) In the first step, CNj transfers an encrypted nonce together with its ID using the shared key to SNi.

(b) SNi performs the TPM Unsealcommand and unseals the shared key.

(c) SNi decrypts the sent message an verifies in (4) whether the ID of the decrypted message matches the ID sent in plaintext.

(d) SNiencrypts the decrypted nonce and theIDofCNj with the unsealed key.

The obtained message is transferred to CNj in (6).

(e) SNi deletes the unsealed key from its RAM.

(f) CNj decrypts the received message and verifies (9) if the received nonce matches the nonce sent in (1).

It might also be preferable to directly transmit data in an attestation challenge rather than waiting until an attestation response has been received and a SN is declared

trusted. This might be preferable in scenarios where an immediate receipt of data is important or where CNs send data very infrequently to a SN. Therefore, the protocol is modified in steps (1) and (3). Protocol 6.4.5 shows the resulting protocol and also satisfies Requirement 1 and Requirement 3 of a secure attestation channel (see Chapter 3. In step (1) CNj sends the data to SNi within the encrypted block. SNi can only decrypt this message in step (3) if its platform configuration is valid and access the data.

All other steps remain the same as shown in Protocol 6.4.4. Thus, if CNj receives the message in step (6) and the checks in steps (7) and (8) succeed, CNj can be assured that SNi has successfully received the data and is still trusted.

Protocol 6.4.5: Modified Individual Attestation Protocol

SUMMARY: A CN delivers data that is bound to a specific state to a SN RESULT: Data transfer with data confirmation and integrity reporting 1. Notation.

SNi is a super node CN is a cluster node

PSNi denotes the actual platform configuration

KCNj,SNi denotes the shared key betweenCNj and SNi 2. Protocol steps.

CNj →SNi : IDCNj,{nonce, IDCNj, data}KCNj,SNi (1) SNi Unseal(PSNi, dSNi,{KCNj,SNi}ePSNiSNi) =KCNj,SNi (2) SNi D({nonce, IDCNj, data}KCNj,SNi, KCNj,SNi) =

(nonce0, IDCN0

j, data)

(3)

SNi checkID0CN

j

=? IDCNj (4)

SNi E({nonce0, IDSNi}, KCNj,SNi) ={nonce0, IDSNi}KCNj,SNi (5) SNi →CNj : IDSNi,{nonce0, IDSNi}KCNj,SNi (6)

SNi delete KCNj,SNi from RAM (7)

CNj D({nonce0, IDSNi}KCNj,SNi, KCNj,SNi) = (nonce00, ID0SNi) (8) CNj ifnonce00=? nonce, state of SNi is valid (9) 3. Protocol actions.

(a) In the first step,CNj transfers an encrypted nonce together with itsIDand the sensed data using the shared key toSNi.

(b) SNi performs theTPM Unsealcommand and unseals the shared key.

6.5. ANALYSIS 101