Abstract
This paper describes an approach to performing Remote Attestation in VPN environments using Trusted Network Connect (TNC) techniques. The solution uses the VPN connection setup to authenticate the user and the subsequently established VPN tunnel to perform a TNC handshake, in which the Remote Attestation takes place. The result of this attestation is then used by the Policy Enforcement Point to configure a packet filter. The initial configuration of this packet filter allows communication only with the Policy Decision Point; depending on the attestation result, the configuration is changed to either allow or forbid network access. The approach is completely independent of the VPN solution used, thus providing interoperability. The approach is also compared with other proposals for VPN-based Remote Attestation. Furthermore, this paper describes an implementation of the approach.
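As an added illustration of the Policy Enforcement Point behaviour the abstract describes (this is not code from the paper or its implementation), the following shell sketch renders the two packet-filter states as netfilter/iptables rules for a VPN tunnel interface; the interface name, PDP address and handshake port are assumed values.

```shell
#!/bin/sh
# Added example, not the paper's code. Assumed (constructed) values:
# VPN tunnel interface tun0, PDP reachable at 10.8.0.1 on TCP port 5000.
TUN_IF=tun0
PDP_ADDR=10.8.0.1
PDP_PORT=5000

# Initial (isolated) state: a freshly connected VPN client may only talk to
# the Policy Decision Point so the TNC handshake / Remote Attestation can run;
# replies to that exchange are allowed back, everything else is dropped.
pep_rules_initial() {
  cat <<EOF
-A FORWARD -i $TUN_IF -d $PDP_ADDR -p tcp --dport $PDP_PORT -j ACCEPT
-A FORWARD -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $TUN_IF -j DROP
EOF
}

# Rules after the attestation verdict: "allow" opens the tunnel interface,
# "forbid" keeps the client in the isolated state. Any unrecognised verdict
# is treated as forbid (fail closed) and reported as an error.
pep_rules_for_result() {
  case "$1" in
    allow)
      printf '%s\n' "-A FORWARD -i $TUN_IF -j ACCEPT" ;;
    forbid)
      pep_rules_initial ;;
    *)
      echo "unknown attestation result: $1" >&2
      pep_rules_initial
      return 1 ;;
  esac
}

# Load the rules for a verdict into the filter table without flushing other
# chains (requires root; iptables-restore is from the netfilter project).
pep_apply() {
  { printf '*filter\n'; pep_rules_for_result "$1"; printf 'COMMIT\n'; } \
    | iptables-restore --noflush
}
```

Run `pep_rules_for_result allow` or `pep_rules_for_result forbid` to inspect the rule set before applying it with `pep_apply`.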
Keywords
- Trusted Network Connect
- Trusted Computing
- Virtual Private Networks
- Remote Attestation
- Network Access Control
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Bente, I., Hellmann, B., Vieweg, J., von Helden, J., Welzel, A. (2011). Interoperable Remote Attestation for VPN Environments. In: Chen, L., Yung, M. (eds) Trusted Systems. INTRUST 2010. Lecture Notes in Computer Science, vol 6802. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25283-9_20
DOI: https://doi.org/10.1007/978-3-642-25283-9_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25282-2
Online ISBN: 978-3-642-25283-9