Improving Trusted Tickets with State-Bound Keys

  • Jan Nordholz
  • Ronald Aigner
  • Paul England
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7904)

Abstract

Traditional network authentication systems like Windows’ Active Directory or MIT’s Kerberos only provide for mutual authentication of communicating entities, e.g. a user’s email client interacting with an IMAP server, while the user’s machine is inherently assumed to be trusted. While there have been first attempts to explicitly establish this trust relationship by leveraging the Trusted Platform Module, these provide no means to directly react to potentially relevant changes in the client’s system state. We expand previous designs by binding keys to the current platform state and involving these in the network authentication process, thereby guaranteeing the continued validity of the attestee.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    TrouSerS - the open-source software stack, http://trousers.sourceforge.net
  2. 2.
    Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 132–145. ACM, New York (2004), http://doi.acm.org/10.1145/1030083.1030103 Google Scholar
  3. 3.
    Corporation, M.: TPM and BitLocker drive encryption, http://msdn.microsoft.com/en-us/library/windows/hardware/gg487306.aspx
  4. 4.
  5. 5.
    Corporation, M.: Secured Boot and Measured Boot: Hardening Early Boot components against malware. Tech. rep., Microsoft Corporation (2012)Google Scholar
  6. 6.
    Goldman, K.A., Perez, R., Sailer, R.: Linking Remote Attestation to Secure Tunnel Endpoints. IBM Technical Paper (2006), http://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c......85256b360066f0d4/fb0d5a04296a0bee852571ff0054f9fb
  7. 7.
    Group, T.I.W.: A CMC profile for AIK certificate enrollment. Tech. rep., Trusted Computing Group (2011)Google Scholar
  8. 8.
    Group, T.P.C.W.: TCG PC client specific implementation specification for conventional BIOS. Tech. rep., Trusted Computing Group (2012)Google Scholar
  9. 9.
    Group, T.C.: TCG Software Stack (TSS) Specification Version 1.2 level 1. Tech. rep., Trusted Computing Group (2007), http://www.trustedcomputinggroup.org/files/resource_files/6479CD77-1D09-3519-AD89EAD1BC8C97F0/TSS_1_2_Errata_A-final.pdf
  10. 10.
    Group, T.C.: TPM main specification level 2 version 1.2 revision 116. Tech. rep., Trusted Computing Group (2011), http://www.trustedcomputinggroup.org/resources/tpm_main_specification
  11. 11.
    Leicher, A., Kuntze, N., Schmidt, A.U.: Implementation of a trusted ticket system. In: Gritzalis, D., Lopez, J. (eds.) SEC 2009. IFIP AICT, vol. 297, pp. 152–163. Springer, Heidelberg (2009), http://dx.doi.org/10.1007/978-3-642-01244-0_14 CrossRefGoogle Scholar
  12. 12.
    Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. In: Proceedings of the 13th USENIX Security Symposium, pp. 223–238. ACM (2004)Google Scholar
  13. 13.
    Zhu, L., Tung, B.: Rfc4556: Public key cryptography for initial authentication in kerberos (PKINIT) (2006), http://tools.ietf.org/html/rfc4556

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jan Nordholz
    • 1
  • Ronald Aigner
    • 2
  • Paul England
    • 2
  1. 1.TU BerlinGermany
  2. 2.Extreme Computing GroupMicrosoft ResearchUSA

Personalised recommendations