Abstract
Trusted Network Connect (TNC) requires both user authentication and integrity validation of an endpoint before it connects to the internet or accesses some web service. However, as the user authentication and integrity validation are usually done via independent protocols, TNC is vulnerable to the Man-in-the-Middle (MitM) attack. This paper analyzes TNC which uses keys with Subject Key Attestation Evidence (SKAE) extension to perform user authentication and the IF-T protocol binding to TLS to carry integrity measurement messages in the Universally Composable (UC) framework. Our analysis result shows that TNC using keys with SKAE extension can resist the MitM attack. In this paper, we introduce two primitive ideal functionalities for TNC: an ideal dual-authentication certification functionality which binds messages and both the user and platform identities, and an ideal platform attestation functionality which formalizes the integrity verification of a platform. We prove that the SKAE extension protocol and the basic TCG platform attestation protocol, both of which are defined by TCG specifications, UC-realizes the two primitive functionalities respectively. In the end, we introduce a general ideal TNC functionality and prove that the complete TNC protocol, combining the IF-T binding to TLS which uses keys with SKAE extension for client authentication and the basic TCG platform attestation platform protocol, securely realizes the TNC functionality in the hybrid model.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Asokan, N., Niemi, V., Nyberg, K.: Man-in-the-middle in tunnelled authentication protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 28–41. Springer, Heidelberg (2005)
Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)
Canetti, R.: Universally composable signature, certification, and authentication. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop, pp. 219–233. IEEE (2004)
Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002)
Chen, L., Warinschi, B.: Security of the TCG Privacy-CA solution. In: 2010 IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing (EUC), pp. 609–616. IEEE (2010)
Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)
Institute for Electrical and Electronics Engineers (IEEE). IEEE802, Port-Based Network Access Control, IEEE Std 802.1X-2004 (December 2004)
Küsters, R., Tuengerthal, M.: Joint state theorems for public-key encryption and digital signature functionalities with local computation. In: IEEE 21st Computer Security Foundations Symposium, CSF 2008, pp. 270–284. IEEE (2008)
McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for tcb minimization. ACM SIGOPS Operating Systems Review 42, 315–328 (2008)
Melnikov, A., Zeilenga, K.: Simple Authentication and Security Layer (SASL). Technical report, RFC 4422 (June 2006)
Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, S&P 2001, pp. 184–200. IEEE (2001)
Sailer, R., Zhang, X., Jaeger, T., Van Doorn, L.: Design and implementation of a tcg-based integrity measurement architecture. In: USENIX Security Symposium, vol. 13, p. 16 (2004)
Trusted Computing Group. Subject Key Attestation Evidence Extension Version 1.0, Revision 7 (June 16, 2005)
Trusted Computing Group. TNC IF-T: Protocol Bindings for Tunneled EAP Methods Specification Version 1.1, Revision 10 (May 21, 2007)
Trusted Computing Group. Trusted Platform Module Library Part 1: Architecture, Family “2.0” Level 00, Revision 00.99 (August 22, 2013)
Trusted Computing Group. Trusted Platform Module Library Part 3: Commands, Family “2.0” Level 00, Revision 00.99 (August 22, 2013)
Trusted Computing Group. TNC IF-TNCCS: TLV Binding Specification Version 2.0, Revision 16 (January 22, 2010)
Trusted Computing Group. TNC IF-T: Binding to TLS Specification Version 2.0, Revision 7 (February 27, 2013)
Trusted Computing Group. TNC Architecture for Interoperability Specification Version 1.5, Revision 3 (May 7, 2012)
Xiao, Y., Wang, Y., Pang, L.: Security analysis and improvement of TNC IF-T Protocol Binding to TLS. Communications, China 10(7), 85–92 (2013)
Zhang, J., Ma, J., Moon, S.: Universally composable secure TNC model and EAP-TNC protocol in IF-T. Science China Information Sciences 53(3), 465–482 (2010)
Zhang, Z., Zhu, L., Wang, F., Liao, L., Guo, C., Wang, H.: Computationally sound symbolic analysis of EAP-TNC protocol. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 113–128. Springer, Heidelberg (2012)
Zhao, S., Zhang, Q., Qin, Y., Feng, D.: Universally Composable secure TNC protocol based on IF-T binding to TLS, https://eprint.iacr.org/2014/490.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhao, S., Zhang, Q., Qin, Y., Feng, D. (2014). Universally Composable Secure TNC Protocol Based on IF-T Binding to TLS. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-11698-3_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11697-6
Online ISBN: 978-3-319-11698-3
eBook Packages: Computer ScienceComputer Science (R0)