enable him to compose a complete M, which would state that his complete platform configuration is trusted. However, this attack fails, since the attacker would have to reproduce a key generated by the true random number generator of the TPM, and it is computationally infeasible to generate the same key $K_{TK}$ again.

Replay, relay, or man-in-the-middle attacks on the $\mathit{ticket}_{Sig}(IS_n)$ are not successful, since the ticket is bound to a specific key $K_{TK}$. Attacks of this type are detected by the challenge-response phase accomplished in steps (2) and (3). If the verifier is not trusted to generate the session key $K_{AB}$, Protocol 5.4.1 can easily be extended with a Diffie-Hellman-based key establishment as, for example, proposed in Chapter 3.

Our proposed solution does not reveal the exact platform configuration to a verifier, because the trust level of a platform configuration is represented by a set of signed hash values. Since each hash value is computed according to Equation (5.1) and the hash function used is pre-image resistant, it is computationally infeasible to recover the input parameters from a hash value. However, the signature of the validator permits drawing conclusions about the software application running on the prover's platform. If, for example, only one validator is responsible for issuing tickets for one software application and, thus, for one measurement event, a verifier can infer from that validator's signature that this specific application is running on the prover's platform. To alleviate this problem, blind signatures combined with zero-knowledge proofs [85, 28, 23] could be used. This approach would enable each validator to obtain a certificate on a blinded public key and, thus, to embed the public key into a public key hierarchy. The verifier could then validate that a specific public key is part of the key hierarchy without directly recovering the identity of the validator. However, the exact specification of such a cryptographic certification protocol is not part of this thesis and remains future work.

5.6 Summary

In this chapter, we proposed a distributed integrity validation architecture that allows outsourcing the attestation process. Our approach enables dividing a whole platform configuration into self-contained, independent parts. Each part is transferred to an independent validator, which verifies the trust level of that self-contained part. Since all parts combined represent the whole platform configuration, a platform can prove its complete trust level to a second entity by transferring all independent, validated parts. For our proposed concept, we also presented a security protocol that provides freshness and authenticity of software integrity values and prevents an adversary from masquerading an untrusted platform configuration as a trusted one.

Our proposed protocol is secure, since it is based on the property of a non-migratable key bound to a specific platform configuration. While our protocol is rather impractical in very complex, non-constrained operating systems characterized by a large number of measurements, it is usable in next-generation operating system environments based on virtualization or in embedded systems. In these environments, the trust level of a platform can be represented by a small number of measurements, which makes our proposed solution reasonably practical.

Chapter 6

Lightweight Attestation

In this chapter, we show how attestation techniques can be realized in systems with very low computation power. This chapter shares some material with: Detecting Node Compromise in Hybrid Wireless Sensor Networks using Attestation Techniques [96].

6.1 Introduction

In the preceding chapters, we have seen how the Trusted Platform Module can be used to establish secure attestation channels. The protocols proposed therein require asymmetric cryptography and relatively high computation power to compute and establish shared keys, which enable establishing an authentic attestation channel. In addition, these protocols have an intrinsic complexity, as some sort of validation entity has to determine the trust level of a particular communication partner using the complex SML.

We referred to this process as explicit attestation (compare Section 3.2). Explicit attestation may be very complex, especially when many software components are involved and represented in the SML. To make a statement about the trust level of a certain platform, the manufacturer of each piece of software has to provide trusted reference values against which the SML can be processed and the resulting values recomputed. If a manufacturer does not provide reference values for a particular process, or the SML contains a process for which no trusted reference value can be found, the complete software system has to be declared untrusted. Thus, the flexibility of being able to report a large number of measurements is also its major drawback.
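The explicit-attestation check described above, written out as an added example that is not code from the thesis: the verifier replays the SML into a PCR, compares it with the quoted value, and then requires a trusted reference value for every single entry. The component names, their digests, the reference values and the single SHA-1 PCR standing in for a TPM are all constructed for this illustration.

```python
"""Explicit attestation over a Stored Measurement List (SML).

Added illustration, not code from the thesis. The verifier (1) replays the
SML into a simulated PCR and compares it with the PCR value quoted by the
TPM, and (2) checks every entry against manufacturer reference values.
One entry without a trusted reference renders the whole platform untrusted.
"""
import hashlib
from typing import Dict, List, Set, Tuple

# TPM 1.2 PCRs hold SHA-1 digests; using SHA-1 here is an assumption of this toy.
HASH = hashlib.sha1
SML = List[Tuple[str, bytes]]          # (component name, digest of its code)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement)."""
    return HASH(pcr + measurement).digest()


def replay_sml(sml: SML) -> bytes:
    """Recompute the PCR value that the listed measurements should produce."""
    pcr = bytes(HASH().digest_size)    # PCRs are all-zero after reset
    for _, digest in sml:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_explicit(sml: SML, quoted_pcr: bytes,
                    reference_values: Dict[str, Set[bytes]]) -> Tuple[bool, str]:
    """Return (trusted, reason) for a quoted PCR value and the SML behind it."""
    if replay_sml(sml) != quoted_pcr:
        return False, "SML does not reproduce the quoted PCR value"
    for name, digest in sml:
        known = reference_values.get(name)
        if not known:
            # The rule from the text: a process without a trusted reference
            # value makes the complete software system untrusted.
            return False, f"no reference value for {name}"
        if digest not in known:
            return False, f"unknown version of {name}"
    return True, "all measurements match trusted reference values"


# Constructed sample "binaries" and the reference values their vendors would publish.
GOOD_BINARIES = {
    "bootloader": b"bootloader 1.0 (constructed sample)",
    "kernel": b"kernel 2.6 (constructed sample)",
    "sensor-app": b"sensor-app 0.3 (constructed sample)",
}
REFERENCE_VALUES = {name: {HASH(blob).digest()} for name, blob in GOOD_BINARIES.items()}


def measure(binaries: Dict[str, bytes]) -> SML:
    """Measured boot: hash each component in load order."""
    return [(name, HASH(blob).digest()) for name, blob in binaries.items()]


def scenario_trusted() -> Tuple[bool, str]:
    sml = measure(GOOD_BINARIES)
    return verify_explicit(sml, replay_sml(sml), REFERENCE_VALUES)


def scenario_unknown_component() -> Tuple[bool, str]:
    """An extra process with no reference value: consistent SML, yet untrusted."""
    binaries = {**GOOD_BINARIES, "debug-shell": b"telnetd (constructed sample)"}
    sml = measure(binaries)
    return verify_explicit(sml, replay_sml(sml), REFERENCE_VALUES)


def scenario_forged_sml() -> Tuple[bool, str]:
    """A modified kernel whose SML entry was replaced by the good digest.

    The TPM extended the real measurement, so the quoted PCR exposes the forgery.
    """
    real = {**GOOD_BINARIES, "kernel": b"kernel 2.6 with rootkit (constructed sample)"}
    quoted_pcr = replay_sml(measure(real))
    forged_sml = measure(GOOD_BINARIES)
    return verify_explicit(forged_sml, quoted_pcr, REFERENCE_VALUES)


if __name__ == "__main__":
    for scenario in (scenario_trusted, scenario_unknown_component, scenario_forged_sml):
        print(f"{scenario.__name__}: {scenario()}")
```

The second scenario is the drawback the paragraph points at: the platform is internally consistent, but one process without a published reference value is enough to mark the whole system untrusted.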

In resource-constrained systems or systems with very low computation power, such as wireless sensor networks or embedded systems, however, a complex attestation process based on asymmetric cryptography is impractical. With respect to attestation techniques, these systems are characterized by two properties:

1. These systems often do not possess enough computation power to perform asymmetric cryptography.

2. The software configuration of these systems often does not change during their whole lifetime.


In this chapter, we propose two lightweight TPM-based attestation protocols for resource-constrained systems. These protocols allow performing an implicit attestation by utilizing the fact that the software configuration of resource-constrained systems often does not change during their whole lifetime. Our proposed protocols enable a low-cost node to verify the trust level of another node which possesses more computation power and is equipped with a Trusted Platform Module. Neither protocol requires expensive public key cryptography, and the exchanged messages are very short.
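The implicit-attestation idea stated above, as an added example that is not one of the thesis's protocols: a symmetric key is sealed to the PCR value of the known-good configuration when the node is deployed, and the TPM releases it only while the PCR still holds that value. A correct HMAC over a fresh nonce therefore implies that the configuration has not changed, and the low-cost verifier needs nothing but the pre-shared key. The simulated TPM, node identifiers, firmware images and key are constructed for this illustration.

```python
"""Implicit attestation: a low-cost node checks a TPM-equipped node.

Added illustration, not one of the thesis's protocols. A symmetric key is
sealed to the PCR value of the good configuration at deployment; the TPM
releases it only while the PCR still holds that value.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH = hashlib.sha1   # TPM 1.2 PCR digest size; an assumption of this simulation

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement)."""
    return HASH(pcr + measurement).digest()

class SimulatedTPM:
    """Stand-in for a TPM: one PCR plus sealing of a secret to a PCR value."""
    def __init__(self) -> None:
        self.pcr = bytes(HASH().digest_size)
        self._sealed: List[Tuple[bytes, bytes]] = []   # (expected PCR, secret)

    def reset(self) -> None:          # reboot: PCR back to zero, sealed blobs survive
        self.pcr = bytes(HASH().digest_size)

    def extend(self, measurement: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, measurement)

    def seal(self, secret: bytes) -> int:
        """Bind a secret to the current PCR value; returns a handle to the blob."""
        self._sealed.append((self.pcr, secret))
        return len(self._sealed) - 1

    def unseal(self, handle: int) -> bytes:
        expected, secret = self._sealed[handle]
        if not hmac.compare_digest(expected, self.pcr):
            raise PermissionError("current PCR differs from the sealed configuration")
        return secret

class TPMNode:
    """Resource-richer node (e.g. a cluster head) carrying the simulated TPM."""
    def __init__(self, node_id: bytes, firmware: bytes, shared_key: bytes) -> None:
        self.node_id = node_id
        self.tpm = SimulatedTPM()
        self.boot(firmware)
        # Deployment: the key becomes usable only under the current, good configuration.
        self.key_handle = self.tpm.seal(shared_key)

    def boot(self, firmware: bytes) -> None:
        """Measured boot: reset the PCR and extend it with the firmware digest."""
        self.tpm.reset()
        self.tpm.extend(HASH(firmware).digest())

    def respond(self, nonce: bytes) -> Optional[bytes]:
        """Answer a challenge, or None if the TPM refuses to release the key."""
        try:
            key = self.tpm.unseal(self.key_handle)
        except PermissionError:
            return None
        return hmac.new(key, self.node_id + nonce, hashlib.sha256).digest()

class LowCostNode:
    """Sensor node without TPM or public-key crypto; holds only the pre-shared key."""
    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key

    def challenge(self) -> bytes:
        return os.urandom(16)   # fresh nonce, defeats replay of old responses

    def check(self, node_id: bytes, nonce: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        expected = hmac.new(self.key, node_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

# Constructed sample data for the demonstration.
GOOD_FW = b"cluster-head firmware 1.0 (constructed sample)"
BAD_FW = b"cluster-head firmware 1.0 + implant (constructed sample)"
PSK = b"pre-shared key installed at deployment (constructed sample)"

def demo() -> Tuple[bool, bool, bool]:
    """(accepted with good firmware, accepted after reflash, replayed response accepted)"""
    verifier = LowCostNode(PSK)
    node = TPMNode(b"node-07", GOOD_FW, PSK)
    nonce_1 = verifier.challenge()
    recorded = node.respond(nonce_1)        # an eavesdropper records this response
    ok_good = verifier.check(node.node_id, nonce_1, recorded)
    node.boot(BAD_FW)                       # firmware modified: PCR changes, unseal fails
    nonce_2 = verifier.challenge()
    ok_bad = verifier.check(node.node_id, nonce_2, node.respond(nonce_2))
    replay_ok = verifier.check(node.node_id, verifier.challenge(), recorded)
    return ok_good, ok_bad, replay_ok

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Each run costs the verifier one random nonce and one HMAC, and the two messages on the wire are a 16-byte nonce and a 32-byte MAC. The check says nothing about which software runs on the node; it only shows that the configuration is the one that was sealed at deployment, which is exactly why the approach fits systems whose configuration does not change.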

This chapter is organized as follows. In Section 6.2, we introduce the setting of our work. In this context, we present two application scenarios for lightweight attestation techniques and show for each scenario that there is a need for attestation techniques. In Section 6.3, we state the assumptions of our work and explain the specific notation used in this chapter. Section 6.4 is the core part of this chapter and deals with the attestation protocols we propose for securing resource-constrained systems. In Section 6.5, we analyze our proposed protocols regarding security and performance, and in Section 6.7, we finally present a summary of this chapter.