Journal on Communications ›› 2015, Vol. 36 ›› Issue (8): 91-103. doi: 10.11959/j.issn.1000-436x.2015139
Wei FENG,Yu QIN,Deng-guo FENG,Bo YANG,Ying-jun ZHANG
Online: 2015-08-25
Published: 2015-08-25
Wei FENG,Yu QIN,Deng-guo FENG,Bo YANG,Ying-jun ZHANG. Design and implementation of secure Windows platform based on TCM[J]. Journal on Communications, 2015, 36(8): 91-103.
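| Terminal | Protocol |
|---|---|
| 1) Client | Install the ATM software and the integrity measurement software physically on site, then reboot and run Client-S |
| 2) Client-S→Server-V | Registration request Req |
| 3) Server-V→Client-S | Random challenge value nonce |
| 4) Client-S | a) Activate the PIK private key PriPIK and load it into the TCM |
| | b) Load the PEK into the TCM and bind it to the current PCR values |
| | c) Generate the TCM signature Q = TCM_Sign_PriPIK{PCR, nonce} |
| | d) Read the measurement list ML from the kernel |
| 5) Client-S→Server-V | Q, ML |
| 6) Server-V | a) Verify the Client platform's CertPIK and CertPEK |
| | b) Compute the aggregate value Ag = Hash_Aggre(ML) |
| | c) Verify the signature: Verify_PubPIK(Q, Ag, nonce) |
| | d) Verify every integrity record in ML (by comparison with the trusted database) |
| | e) If all checks pass, save the Client terminal's information to the database and generate the whitelist wl from ML |
| | f) Generate a service key sk for the Client terminal that passed verification |
| | g) Encrypt wl and sk with the PEK: ew = Encrypt_PubPEK(wl), esk = Encrypt_PubPEK(sk) |
| 7) Server-V→Client-S | Return Fail if verification fails; if it succeeds, return the encrypted group (ew, esk) |
| 8) Client-S | Store the encrypted whitelist and service key |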
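Added example (not code from the paper): the server-side checks of steps 6b to 6e, showing how the nonce, the quote Q and the measurement list ML bind together and which check catches which failure. Assumptions: Hash_Aggre is taken to be an IMA-style PCR extend chain, SHA-256 stands in for SM3 and an HMAC for the SM2 PIK signature so the block runs on the standard library alone, and the key, nonce and file names are constructed; certificate checks (6a) and PEK encryption (6f, 6g) are left out.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # assumed PCR reset value (all zeros)

def measure(data: bytes) -> bytes:
    """Digest of a loaded binary (SHA-256 standing in for SM3)."""
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def hash_aggre(ml) -> bytes:
    """Step 6b: replay ML in order to recompute the aggregate Ag."""
    pcr = PCR_INIT
    for _name, digest in ml:
        pcr = extend(pcr, digest)
    return pcr

def tcm_sign(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Step 4c stand-in: Q over (PCR, nonce); HMAC replaces the PIK signature."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()

def verify_registration(key, nonce, q, ml, trusted_db):
    """Steps 6b-6e: return (True, whitelist) or (False, reason)."""
    ag = hash_aggre(ml)
    # 6c: Q must cover the aggregate of *this* ML and *this* session's nonce,
    # so a replayed quote or an edited/truncated ML fails here.
    if not hmac.compare_digest(q, tcm_sign(key, ag, nonce)):
        return False, "quote does not match ML and nonce"
    # 6d: an honest report of an unknown or modified binary fails here.
    for name, digest in ml:
        if trusted_db.get(name) != digest:
            return False, "untrusted measurement: " + name
    # 6e: the whitelist is derived from the verified ML.
    return True, {name: digest for name, digest in ml}

# Constructed sample data (hypothetical names and key)
PIK = b"constructed-demo-key"
ML = [("atm.exe", measure(b"atm v1")), ("measure.sys", measure(b"driver v1"))]
TRUSTED_DB = dict(ML)
NONCE = b"\x01" * 16
Q = tcm_sign(PIK, hash_aggre(ML), NONCE)

if __name__ == "__main__":
    print(verify_registration(PIK, NONCE, Q, ML, TRUSTED_DB)[0])
```
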
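| System component | Module function | Code size (lines) | Total |
|---|---|---|---|
| Terminal: kernel extension | Hook functions | 38 (asm) + 169 (C) | 38 lines of assembly and 2 202 lines of C code |
| | SM3 hash | 293 (C) | |
| | Hash table | 155 (C) | |
| | Measurement module | 232 (C) | |
| | Control module | 167 (C) | |
| | Communication module | 204 (C) | |
| | Other | 982 (C) | |
| Terminal: security service | TCM interaction module | 1 012 (C) | 1 791 lines of C code and 5 946 lines of Java code |
| | Kernel interaction module | 779 (C) | |
| | Communication and management interface | 5 946 (Java) | |
| Server | Authentication service | 1 404 (C) | 1 404 lines of C code, 8 372 lines of Java code and 7 200 lines of JSP code |
| | Management interface | 8 372 (Java) + 7 200 (jsp) | |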