
Interoperable Remote Attestation for VPN Environments

(Work in Progress)
  • Ingo Bente
  • Bastian Hellmann
  • Joerg Vieweg
  • Josef von Helden
  • Arne Welzel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6802)

Abstract

This paper describes an approach to performing Remote Attestation in VPN environments using Trusted Network Connect (TNC) techniques. The solution relies on the VPN connection set-up to authenticate the user, and on the VPN tunnel established afterwards to perform a TNC handshake, during which the Remote Attestation takes place. The result of this Attestation is then used by the Policy Enforcement Point to configure a packet filter. The initial configuration of this packet filter allows communication only with the Policy Decision Point; depending on the Attestation result, the configuration is then changed to either allow or forbid network access. The approach is completely independent of the VPN solution used, thus achieving interoperability. It is also compared against other proposals for VPN-based Remote Attestation. Furthermore, this paper describes an implementation of the approach.
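The packet-filter behaviour the abstract describes, modelled as an added example (not code from the paper or its implementation): a Policy Enforcement Point that starts by admitting only the endpoint's traffic to the Policy Decision Point and switches to allow or forbid once the attestation result arrives. The client and PDP addresses, the TCP port of the TNC handshake and the iptables FORWARD-chain rendering are assumptions, and any traffic the rule set does not match is dropped so that a missing result fails closed.

```python
"""Model of the PEP packet-filter states described in the abstract: before the
TNC handshake only client<->PDP traffic passes; afterwards the filter is
switched to allow or forbid network access according to the attestation."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Attestation(Enum):
    PENDING = "pending"  # handshake not finished yet
    ALLOW = "allow"
    FORBID = "forbid"


@dataclass
class PepFilter:
    client_ip: str  # VPN address assigned to the endpoint (assumed)
    pdp_ip: str     # Policy Decision Point reachable through the tunnel
    pdp_port: int   # port of the TNC handshake (TCP assumed)
    state: Attestation = Attestation.PENDING

    def rules(self) -> List[Tuple[str, str, int, str]]:
        """(src, dst, dport, verdict); "any"/0 are wildcards, first match wins.
        Unmatched traffic is dropped, so a lost result fails closed."""
        if self.state is Attestation.ALLOW:
            return [(self.client_ip, "any", 0, "ACCEPT")]
        if self.state is Attestation.FORBID:
            return [(self.client_ip, "any", 0, "DROP")]
        return [(self.client_ip, self.pdp_ip, self.pdp_port, "ACCEPT")]

    def verdict(self, src: str, dst: str, dport: int) -> str:
        for r_src, r_dst, r_port, action in self.rules():
            if r_src == src and r_dst in ("any", dst) and r_port in (0, dport):
                return action
        return "DROP"  # default policy

    def apply(self, result: Attestation) -> None:
        """Called by the PEP once the PDP reports the attestation result."""
        self.state = result

    def iptables(self) -> List[str]:
        """Render the rule set as netfilter FORWARD-chain commands
        (illustrative; chain choice and match syntax are assumptions)."""
        cmds = ["iptables -P FORWARD DROP", "iptables -F FORWARD"]
        for src, dst, port, action in self.rules():
            cmd = f"iptables -A FORWARD -s {src}"
            if dst != "any":
                cmd += f" -d {dst} -p tcp --dport {port}"
            cmds.append(f"{cmd} -j {action}")
        return cmds
```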

Keywords

Trusted Network Connect, Trusted Computing, Virtual Private Networks, Remote Attestation, Network Access Control

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Ingo Bente (1)
  • Bastian Hellmann (1)
  • Joerg Vieweg (1)
  • Josef von Helden (1)
  • Arne Welzel (1)

  1. Trust@FHH Research Group, Fachhochschule Hannover - University of Applied Sciences and Arts, Hannover, Germany
