You are on page 1of 6

An Approach to Establish Trusted Application using Trusted Network Connect (TNC) Protocol.

Mohd Anuar Mat Isa1, Jamalul-lail Ab Manan2, Raja Mariam Ruzila Raja Ahmad Sufian3, Azhar Abu Talib4
MIMOS Berhad, Technology Park Malaysia, 57000 Bukit Jalil Kuala Lumpur, Malaysia.

{anuar.isa1 | jamalul.lail2 | ruzila3 | atalib4}@mimos.my
Abstract— Trusted Computing offer great opportunities to enhance security and privacy of the user. Trusted Platform Module (TPM) is the implementation of the trusted platform initiatives on a chip under the Trusted Computing Group (TCG). The TPM chip that is similar to smart card but hardwired onto motherboard, hence making it tamper resistant from remote attack. To interface with the TPM chip, the TCG prescribe a standard interface to communicate with the TPM. However, there are some difficulties in interfacing an application to the TPM. Acquiring full knowledge of Trusted Computing is a critical success factor to successfully modify existing application including design, coding and testing the TPM based application. This paper presents a method that allows existing application running on a platform without a TPM to utilize the TPM functionalities. In addition, this paper also discusses a possible way to improve networking application using Trusted Network Connect (TNC) protocol to perform secure and trusted remote attestation.

INTRODUCTION A. Trusted Computing Group The Trusted Computing Group (TCG) is a non-profit industry standard organization with the aim of enhancing the security and privacy of the computing platforms. Since 2003, the TCG has published specifications defining architectures, guidelines, functions and interfaces that provide a baseline for a wide variety of computing platform to implement the TCG procedures. Trusted Platform Module (TPM) is a tamper proof microchip designed to create, store, and protect cryptographic keys, and with the TPM integrated into motherboards allows it to be used as root of trust of the system. TCG has intended for TPM to be the foundation upon which secure computing platforms are built. A framework is built around the TPM and a new generation of x64 CPUs with Trusted Execution Technology (Intel TXT) were produced by Intel and AMD [1]. Research in information security revealed that protecting encryption keys within a hardware device such as the TPM has the potential to solve many of the most prevalent and serious security issues facing information security professionals today, including rising numbers of software vulnerabilities, theft of equipment containing sensitive data including personally identifiable information (PII), and identity theft [2].

RELATED WORK A virtual private network (VPN) allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the internet or service provider backbone network [3]. VPN offers a lower cost and highly flexible alternative to dedicated private networks that use leased lines, Frame Relay, or ATM circuits, which are not cheap to plan and deploy [4]. VPN also provides seamless remote access for telecommuters and mobile workers, as well as cost-effective remote-office connectivity. Besides that, it provides tremendous cost savings, increasing the scalability and productivity for enterprise data networks by utilizing shared networks without compromising the security [5]. The trend toward network convergence, however, places new demands on VPNs [6]. A number of technologies and protocols are used to enable site-to-site and remote access VPN including Secure Socket Layer (SSL), IP Security (IPsec) [3], etc. Secure Socket Layer (SSL) is used to secure application layer [5] and IPSec to protect IP traffic between security gateways or hosts as it transits an intervening network [3]. SSL is also commonly used to encrypt HTTP data and enable secure Web browsing via HTTPS using port 443 [7]. First, Policy-Based Network Management (PBNM) is a policy to guide the behavior of the network or distributed system. The PBNB offers flexibility and customizable management solution for ease of use by managing a group or system administrator simply by using policy. The PBNB system consists of these primary components: i) policy management tool, ii) policy repository, iii) Policy Decision Point (PDP) and iv) Policy Enforcement Point (PEP) [8]. The policy uses predefined rules (e.g. in xml format) to define VPN communication and network management behaviors in order to secure the system and to provide availability to use the system. Secondly, Z. Yanqin et. al. [9] presented on optimizing VPN security gateways using Security Policy Database (SPD) configuration and key exchange, which are based on machine learning and Elliptic Curve Cryptography (ECC) [9,10,11]. This paper point up key security areas: i) authentication to assure packet transmitted by valid source and without alteration, ii) confidentiality to assure no eavesdropping by

Again on related works. This can be done using the TPM to provide attestation before establishment a network connection. . In their design. the access control solutions can evaluate the endpoint's suitability for given access to the network. The TNC architecture will leverage and integrate with existing network access control mechanisms such as 802. The Trusted Network Connect (TNC) architecture as shown in Fig 1 focuses on interoperability of the network access control and the use of the trusted computing as the basis for enhancing security of those solutions. we looked into more details on how to ensure target platform is a trusted platform and not a phishing or spoofing platform. B. software state attestation. 3. existing application needs to be changed or upgraded before utilizing the TPM functionality. Figure 2 illustrates the process to establish trusted network connection through TNC protocol. Here we simulate a nonTCG application capable to work as well as the trusted application via the trusted agent and trusted compartment. However. C Nie [17] briefly illustrated the problem with attestation using static root of trust to check the integrity of platform. For application developers. For instance. R. In this case. TNC Client and TNC Server must employ at least Fig. The TNC specifications also define interoperability interfaces to allow for the exchange of new types of attributes in the context of network access control solutions. The Trusted Services are implemented within the Operating System to provide an interface between application layers (e.. any public key system such as RSA can be used to construct ring signature attestation protocol and an RSA-based scheme is encouraged without involvement of third trusted party and the issuer of the TPM in the Join sub-protocol. the third party is Privacy Certificate Authority (Privacy CA) which uses credentials to prove an identity of a user or generating the Attestation Identity Key (AIK) credential for specific transactions. coding and test software. as well as information pertaining to the Platform-Authentication exchange. They proposed another solution using dynamic root of trust provided by new CPU architecture such as Intel Trusted Execution (Intel TXT). The term “Platform-Authentication” carries the specific TCG meaning of performing verification of the integrity status of a platform via attestation [12]. al. J Liu et al. This process involves third party as verifiers especially when an application is using remote attestation or client-server transaction. In their proposal. To facilitate the trusted software. Those attributes will include endpoint compliance information.[15] presented a design to verify client integrity properties and establish trust into client’s policy enforcement before permitting client to have access to corporate intranet. the interface between the end user and the application (software) using TPM is still inflexible and it is difficult to implement. The services may consist of the trusted manager.g. which tries to determine the trusted state of attesting platform from its system trustworthiness related behaviours. Integrity measurements are specifically used as evidence of the security posture of the endpoint. The details of process will be discussed in part D.encrypting the messages and iii) key management to secure exchange key processes [9]. they require deep trusted computing knowledge to enable them to design.1X. 1 : TNC Architecture [13]. The root of trust begins at hardware TPM or Software TPM (virtual TPM) as mentioned in the trusted computing specifications [18]. PROBLEM STATEMENT Since 1999. METHODS & SOLUTIONS A. the Trusted Computing solutions emerge to protect computing activities. TNC Client and TNC Server must lie on top of Trusted Services layer because they use APIs provided by lower layer. Indeed. LI XiaoYong and SHEN Chang-Xiang [14] enlightened us about problems encountered when using property based attestation such as leakage of platform configuration privacy and it is hard to define trustworthiness related properties. Chain of Trust Chain of Trust is the key to realize Trusted Computing principles. Finally. [16] discussed remote anonymous attestation protocol based on the ring signature. at layers 3 above) with the TPM. an attestation is a process to measure and verify the trustworthiness of a platform besides the authorization protocol to check against the user. trusted storage and trusted isolated/virtualized execution. Overview This paper discussed a possible solution that will allow existing networking application without TPM to use TPM functionalities. they used an integrity heartbeat enabling the VPN server to track changes in the remote client’s security properties and implemented policy changes at some stage in the attestation process. we present the flow of chain of trust and its process to transfer the control to the next chain. fig. They proposed to solve these problems using system behaviour based attestation model. Furthermore. It can be done using a concept called “trusted compartment” and “trusted services”. this paper also discusses a possible way to improve networking software using the TNC protocol that will perform secure and trusted remote attestation. Sailer et.

as specified by TCG documentations. However. and only available for two operations: i) establishing TPM Owner and ii) establishing Attestation Identity Keys (AIK) [20]. However. Manufacturer Initiate Sec Connection TPM Trusted Client Agent Platform Credential EK Credential EK Public Key. 4 Trusted Entity generates credentials after TPM is distributed to a consumer Platform Vendor Compartment runs Trusted Agent C S . non-networking application does not require TNC architecture may directly communicate with the Trusted Services. execution of the application is isolated and will not be affected by other compartments or host operating system. Manufacturer Code and other info 2 TPM EK Credential Trusted Entity PEP sec Enf Fig. The EK Credential contains at least Endorsement Key (EK). a non-trusted application is measure and its integrity measurements are use for attestation process.509 version 3. Until now. present implementation and achievement of TPM do not fully utilize TCG specifications because some of TPM vendor or platform vendor do not provided these credential. bounded to a certain TPM. Fig. The Endorsement Key (EK) is a 2048-bit RSA key pair representing platform identity [19]. which enables someone to create special types of certificates. TPM should have a credential used for platform identity management and platform integrity management 19]. 4) validity of TPM and EK. C. platform model. TPM model. Certificate generation consists of assembling values for the credential fields and signing over the assembled fields [19].g. In this way. and TPM version) and issuer identity. i) TNC specifications. It is cryptographically unique. only Infineon TPM 1. The trusted compartment is secluded area where in. Generally. A certificate is an instantiation of a credential using the industrystandard certificate structure from ISO/IEC/ITU-T X. Credential & Certificate A credential is an abstract proof that must be instantiated as a certificate before it can be exchanged between entities. it provides a sandbox environment where in. 3 Credentials are generated and stored (non-volatile memory) in TPM before delivery to a client EK Credential Age Trusted Client Application Trusted Agent load application into compartment Fig. a trusted agent within the trusted compartment must create and maintain chain of trusted from the TPM to the upper layer. ii) able to spawn trusted compartments and iii) executes a trusted application. the non-trusted application and its associated files or libraries are executed in same compartment but inaccessible to other compartments. and it is free of charge [21]. Model. This is necessary because the entity generating EK will also create a credential to attest (e. a certificate signed by vendor or a trusted entity is required [20]. Referring to TCG specifications. Model. On the other hand. TPM model (TPM manufacturer. research and evaluation. 2 The general flow to establish the trusted remote attestation A trusted application is a piece of software designed to support the TPM operation and capable of preserving the chain of trust. However. a non-trusted (non-TCG) application is any piece of software designed for specific purpose without the trusted computing security concern. Fig.three components. The TCcert provides the Trusted Computing certificate tool. For instance. To protect non-trusted application with trusted computing module. a missing EK is not a violation of the TCG specification. The Platform Credential contains at least credential type label. Manufacturer 3 Code and other info Owner / Customer 4 5 Request TPM 1 Info EK Public Key. but TPM cannot be used in trust models and applications scenarios where in. EK will be generated by TPM vendor before the platform is shipped to end users or resellers. platform specification and issuer identity [19]. The TCcert is an experimental software and it can be use for educational. EK Credential.2 chip provided the EK Credential and IAIK/OpenTC TCcert [21] implements TCG Infrastructure Credential Profiles.

trusted client spawns a trusted compartment together with trusted agent within that compartment. After handshaking processes has completed. Therefore. 7 shows how Access Requestor initiates remote network connection to Policy Decision Point (PDP). 6. properties base or DAA. Fig 6. Fig. Trusted Client Agent (TCA) inside the trusted Fig. These entities could be a hardware manufacturer or local organization hardware verifiers. the client application is loaded into the trusted compartment after the Trusted Client Agent successful performs all integrity measurements and integrity verifications. measuring security aspects of the Access Requestor integrity [12]. During this process both side may choose a protocol used for attestation such as binary measurement. TPM may have multiples of AIK and each of AIK is used for specific transaction as well as to protect platform owner privacy. EK Credential Platform Credential 1 Owner / Customer 3 AIK Credential 2 Validation & Verification Privacy Certification Authority compartment then performs integrity measurement for any applications that will be loaded into the trusted compartment. The VPN Remote Attestation We propose two methods to implement trusted application: i) network application with trusted compartment (e.g. The NAA is a component that decides whether the Access Requestor should be granted access or halt. Client App T Integrity Me . etc. PCA may be employed to issue AIK credentials that vouch for trustworthiness of the platform without disclosing EK unique values to challenger [21]. attestation of the platform gives evidence (not residing in the platform) that is used to determine if AIK can be trusted to authenticate the platform. TCA collects these measurements from Integrity Measurement Collectors (IMC). 4 shows an example of how credentials (EK Credential) are issued by trusted entity. TSA within the trusted compartment begins to negotiate (handshake) with TCA about the trust policies that both parties agreed and desired to enforce. Fig 9).Fig. AIK is obtained either from Privacy Certification Authority (PCA) or Direct Anonymous Attestation (DAA) protocol [20]. These integrity measurements must be verified to conform to the desired configurations and expected states before being stored in the PCR(s) for later use. 7 Application within trusted compartment Trusted Entity Credential Issuer Fig. Accordingly. The firewall as shown in the diagram holds the secure connection and check security policy enforced by the Network Access Authority (NAA). These verifiers may not always be the manufacturer [19] but they can be any entity that can perform and ascertain that TPM or platform conforms to TCG specifications or organization policies. 5 The PCA issued the AIK credentials after successful validates trust assertions. TCA uses secure connection (OpenSSL or IPSec) to establish secure network connection with Trusted Server Agent (TSA). After secure connection has passed firewall security policies. D. Refer to Fig. 7 & 8) and ii) network application without trusted compartment (e. The client application must be measured by the TCA to enforce chain of trust between platform and the new running application. The Integrity Measurement Collectors is a software component that runs on the Access Requestor (AR).g. Fig. credentials issued by TPM and platform manufacturers are required to validate trust assertions of AIK [21]. the secure connection moves forward to the Trusted Server. 6 TNC Client spawns multiple trusted network services As shown in Fig. trusted agents at the both sides start to collect integrity measurements from Integrity Measurement Collectors (IMC). The NAA consults TNC Server to determine whether the Access Requestor comply with Policy Decision Point security policies [12]. Based on Fig 7. the Trusted Server accepts incoming secure connection and spawns a new trusted compartment to handle this communication. TSA defines a root of trust measurements required from TCA and likewise TCA defines a root of trust measurements required from TSA in order to establish trust both side (mutual attestation). EK may become associated with personally identifiable information such as Attestation Identity Key (AIK). 5.

This method is proposed to be used in a non-TCG application to i) apply trusted compartment. the TSA knows the Access Requestor (or TCA) is a genuine and valid identity. ftp. the TSA loads an encrypted the Firewall Trusted Compartment token from the local trusted storage and decrypts it server’s + using TPM_UNSEAL command. The Access Requestor must have these integrity metrics in PCRs and allow server to challenges those integrity values. 8 Trusted Server spawns multiple trusted network services The TSA challenges (or queries) the target platform configurations to acquire integrity measurements based on server policy. Both parties use Integrity Measurement Verifiers (IMV) to verify received integrity metrics and store the results in the trusted storage. Server App 2 Trusted Client Agent Trusted Server Agent Data . remote desktop) with a specific platform configurations (or TPM). Fig. The TCA also challenges Policy the server platform to obtain integrity measurements such as Enforment the server application measurement. the Access Requestor decrypts the session token using TPM_UNSEAL command and then. 8 shows an example of the server application running inside the trusted compartment. After that.g. authentication process. This process enables the Access Requestor to verify the server is genuine and trusted entity. With assumption. The TSA accepts incoming connection and performs validation to verify the token. These session tokens have an expiry date and it can be use to certify a specific application (e. Fig.g. about the session token. The TCA sends the session token to the TSA without re-establishing a new attestation process if the token has not expired. iii) tunnel inside secure communication channel to convert a nontrusted communication to TNC compliant protocol. trusted compartment measurement. Local CA). Then. client application measurement. this may increase protection of the application but it also cost more bit overhead (e. 9 shows an example of network communication without trusted compartment. The session certificate and token must be sealed and stored in secure storage that any events such as system reboot or system shutdown after which it must invalidate the token.. 10) and generate additional network packets. The method to establish trust between the client application and the server application allows a non-TCG application to exist as trusted application.TCA provides identity credentials to attest client platform with TSA. ii) trusted agent and then. antivirus measurement and firewall measurement of the Access Requestor PCRs value.g. the client application is allowed to perform it Integrity Measurement tasks (e. TNC performs If the attestation process is successful to prove both parties are trusted entities.. Fig.g. On the Collectors (IMC) / Verifiers (IMV) other hand. As mentioned before. etc. both parties must terminate immediately the Trusted attestation process if there is any unsuccessful attempt in the Server process flow. Furthermore. root of trust and trusted Point (PEP) compartment measurement. Both parties also generate a session token that identify the client and server had already established a trusted communication. the server’s token is Trusted Server send to the Access Requestor. etc). data transfer.g. use this token to initialize a tunnel to server application. etc. header information within the token has a valid id or nonce and etc) but the PEP does not perform validation to the token. The TSA verifies client platform credential with PCA (e. both parties must sign the integrity measurements using the AIK via the TPM_SIGN command. These session tokens are stored in the local machine and it protected via the TPM_SEAL command. browser. Fig. which is the application is running inside the OpenSLL communication channel. PCA vouches client platform by checking integrity signatures. and then concludes whether integrity metric is acceptable and returns the result to TSA. the Access Agent Requestor Server validation to verify the token from server. 9 Application without trusted compartment The token is removed from the system once it is expired and time-to-live (TTL) for the token must be short to avoid replay attack. In that case. The TSA may demand the root of trust. The Policy Enforcement Point (PEP) or the trusted firewall allow the TCA to pass over after checking that the Access Requestor has a valid token (e. If the Access Requestor’s token is valid. Metadata Access Point (MAP) Access Requestor (AR) Server App Fig. There is an alternative to improve our suggested process in a context of network bandwidth and transmission protocol. VPN. The client and server need to re-establish trust and generate new session certificate after the token is unacceptable. Fig. 10 shows an example of the overlap channel.

"Elliptic curve cryptosystems". 8-38. and Marcel Winandy. Level 2. vol. Syngress 2007 Mark Lewis. Jia Zhao. “Proper Virtual Private Network (VPN) Solution”. CISCO website (2008).” IETF RFC draft-freier-ssl-version3-02. “A Policy-based Network Management System for IP VPN”. IEEE 2001 Ahmed A. 4. we have also discussed a case study on the implementation of our proposal using the client server application. Christian St¨uble. 28 April 2008 Alex Cheong Chee Seong.1..opentc. pp 9-60. TNC Client or TNC Server) manages these ports.2. pp 10. Revision 6. Trusted Network Connect. Scott Granneman. Alex Galis. pp. P.com.com/en/US/solutions/collateral/ns340/ns394/ns171/ns461/n et_brochure09186a00800b0da5. “An Efficient Attestation for Trustworthiness of Computing Platform”. pp 1. the application may not necessarily tunnel OpenSLL channel only but simultaneously running synchronously both software (application and OpenSLL) in the same trusted compartment. 2nd August 2007 TCG Credential Profiles. IEEE2008. “Virtual private networks”. Hunter. Comparing.asprg. IEEE2006 Koblitz. Specification Revision 1. TKK T-110. C. the application (client or server) operates at port 20 and the Trusted Services (e. the TSA must accept this client application because it is trusted software for the reason that the OpenSSL (trusted agent) has already performed an attestation on behalf the application. Furthermore. WISSEC2006 Martin Pirker. [Online].pp 1. Bo Yang. Xiaolan Zhang. We may visualize the OpenSSL connection (trusted agent) operates at port 21. In summary. Designing and Deploying VPNs. Leendert van Doorn.Fig. Kocker. pp 11. Available: http://trustedjava.203-209. Advances in CryptologyCrypto'85. Specification Version 1. REFERENCES [1] Technikon Forschungs. Specification Version 1. [Online].5290 Seminar on Network Security 2007. and P.php?item=tccert/readme . This method is similar in its mechanism to the implementation of the FTP protocols that operate on port 21 to do a control and protocol. Freier. To overcome this limitation. For future work. [Online]. the TCA invoke the client application (or others network application) to initialize the network communication. and Majdi Ashibani. “TCG Inside? . "Use of elliptic curves in cryptography”. “Dynamic Root of Trust in Trusted Computing”. IEEE2006 Reiner Sailer.417-426. ICCT2003 Zhu Yanqin. Hu Yuemei. “Design and Optimizing of VPN Security Gateways”.1986 TCG Trusted Network Connect TNC Architecture for Interoperability. (2008) OpenTC Project website. we use a trusted agent as a wrapper to allow non-TGC application to use the TPM.014 For TPM Family 1. Karlton. CONCLUSION & FUTURE WORK This paper presents a method to establish trusted application where in. Christian Wachsmann. Revision 1. Fathi Ben Shatwan. Dayou Liu.A Note on TPM Specification Compliance” . Available: http://www. pp. Xiaochun Cheng. (2008) Open Trusted Computing (OpenTC) consortium website.3.net/aptiss2008/slides/TNC_Briefing_2008-0613_final_updates-alex. Available: http://www. Jaha. 21 May 2007 Ahmad-Reza Sadeghi.ppt LI Xiao-Yong and SHEN Chang-Xiang. IEEE 2008. LNCS 218. TCG Specification Architecture Overview. Mathematics of Computation. and port 20 as data transmission. Voice and Video Enabled IPSec VPN Solution Overview.net/index. “Attestation-based Policy Enforcement for Remote Access”. pp 1. The OpenSLL (trusted agent) connection performs attestation because the application (client or server) does not support the TPM. 2006 R. Cong Nie. Trent Jaeger. Kun Yang. ciscopress.4.g. “The SSL Protocol: Version 3. APTISS 2008. Larry Chaffin. pp 1-2. pp 1. Qian Peide. Laura E. 1987 Miller V.und Planungsgesellschaft mbH. Marcel Selhorst. N. pp 1. Venkateswaran.48. pp. ppt slide.net/index. After successful generation of the session token. we are looking forward to implement our proposal in the cloud computing as well as a part of cloud infrastructure. we may use virtualization to provide isolation and secure environment before deploying the trusted application.sourceforge. Available: http://www. November 1996 Xin Guo. CISCO SYSTEM.3. pp 123-127. Adobe Press. Microsoft Vista for IT Security Professionals.0.html O. ACM2004 Jiqiang Liu.cisco.php? option=com_content&task=view&id=29&Itemid=45 Tony Piltzecker. Zhen Han. 10 Multi layer encryption increase the cost of processor execution and network bandwidth. Subsequently. “A Remote Anonymous Attestation Protocol in Trusted Computing”.