On a Possible Privacy Flaw in Direct Anonymous Attestation (DAA)
A possible privacy flaw in the TCG implementation of the Direct Anonymous Attestation (DAA) protocol has recently been discovered by Rudolph. This flaw allows a DAA Issuer to covertly include identifying information within DAA Certificates, enabling a colluding DAA Issuer and one or more verifiers to link and uniquely identify users, compromising user privacy and thereby invalidating the key feature provided by DAA . In this paper we argue that, in typical usage scenarios, the weakness identified by Rudolph is not likely to lead to a feasible attack; specifically we argue that the attack is only likely to be feasible if honest DAA signers and verifiers never check the behaviour of issuers. We also suggest possible ways of avoiding the threat posed by Rudolph’s observation.
KeywordsDirect Anonymous Attestation DAA Privacy Trusted Computing
Unable to display preview. Download preview PDF.
- 2.Mitchell, C.J. (ed.): Trusted Computing. IEE Press, London (2005)Google Scholar
- 3.Trusted Computing Group (TCG): TCG Specification Architecture Overview. Version 1.2, The Trusted Computing Group, Portland, Oregon, USA (2004)Google Scholar
- 4.Rudolph, C.: Covert identity information in direct anonymous attestation (DAA). In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds.) 22nd IFIP TC-11 International Information Security Conference (SEC 2007) on New Approaches for Security, Privacy and Trust in Complex Environments, Sandton, South Africa, May 14-16, 2007. IFIP International Federation for Information Processing, vol. 232, pp. 443–448. Springer, Boston (2007)CrossRefGoogle Scholar
- 5.Balfe, S., Lakhani, A.D., Paterson, K.G.: Trusted computing: Providing security for peer-to-peer networks. In: Proceedings of the Fifth International Conference on Peer-to-Peer Computing (P2P 2005), Konstanz, Germany, August 31–September 2, 2005, pp. 117–124. IEEE Computer Society, Los Alamitos (2005)CrossRefGoogle Scholar
- 7.Leung, A., Poh, G.S.: An anonymous watermarking scheme for content distribution protection using trusted computing. In: Proceedings of the International Conference on Security and Cryptography (SECRYPT 2007), Barcelona, Spain, August 28–31, 2007, pp. 319–326. INSTICC Press (2007)Google Scholar