Beyond secure channels

Published: 02 November 2007
DOI: 10.1145/1314354.1314363

Abstract

A Trusted Channel is a secure communication channel which is cryptographically bound to the state of the hardware and software configurations of the endpoints. In this paper, we describe secure and flexible mechanisms to establish and maintain Trusted Channels which do not have the deficiencies of previous proposals. We also present a concrete implementation proposal based on the Transport Layer Security (TLS) protocol and Trusted Computing technology. We use Subject Key Attestation Evidence extensions to X.509v3 certificates to convey configuration information during key agreement (TLS handshake). The resulting session key is kept within the Trusted Computing Base, and is updated in a predetermined manner to reflect any detected change in the local configuration. This allows an endpoint to detect changes in the configuration of the peer endpoint while the Trusted Channel is in place, and to decide according to a local policy whether to maintain or tear down the Trusted Channel.
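The key-update idea in the abstract, sketched as an added illustration that is not the paper's protocol or code: it assumes the session key is ratcheted with HMAC-SHA256 over a digest of the new configuration, and that the peer's local policy is a list of accepted configuration digests. All function names, the label string and the configuration strings are hypothetical.

```python
import hashlib
import hmac

LABEL = b"trusted-channel key update"  # hypothetical domain-separation label

def config_digest(config: str) -> bytes:
    """Stand-in for a measured configuration, e.g. an aggregate of PCR values."""
    return hashlib.sha256(config.encode()).digest()

def update_key(session_key: bytes, new_config: bytes) -> bytes:
    """Ratchet the key forward, binding it to the newly measured configuration."""
    return hmac.new(session_key, LABEL + new_config, hashlib.sha256).digest()

def protect(session_key: bytes, payload: bytes) -> bytes:
    """Sender side: append an HMAC tag computed under the current key."""
    return payload + hmac.new(session_key, payload, hashlib.sha256).digest()

def verify(session_key: bytes, record: bytes) -> bool:
    payload, tag = record[:-32], record[-32:]
    expected = hmac.new(session_key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

class Receiver:
    """Peer endpoint applying a local policy (assumed: a list of accepted digests)."""
    def __init__(self, session_key: bytes, accepted_configs: list[bytes]):
        self.key, self.accepted, self.open = session_key, accepted_configs, True

    def receive(self, record: bytes) -> str:
        if not self.open:
            return "closed"
        if verify(self.key, record):
            return "ok"
        # Tag mismatch: tampering, or the sender's key was updated after a change.
        for cfg in self.accepted:
            candidate = update_key(self.key, cfg)
            if verify(candidate, record):
                self.key = candidate  # follow the sender into the accepted state
                return "rekeyed"
        self.open = False  # no accepted configuration explains it: tear down
        return "torn down"

def demo() -> list[str]:
    # Constructed sample values; a real key would come from the TLS handshake.
    k0 = hashlib.sha256(b"constructed handshake secret").digest()
    patched, unknown = config_digest("patched-kernel"), config_digest("modified-kernel")
    rx = Receiver(k0, accepted_configs=[patched])
    k1 = update_key(k0, patched)  # sender TCB measured an accepted change
    k2 = update_key(k1, unknown)  # sender TCB measured a change the policy rejects
    return [rx.receive(protect(k, b"msg")) for k in (k0, k1, k2, k2)]
```

Because the old key can no longer produce valid tags after an update, a sender whose configuration has changed cannot keep using the channel silently; the receiver either recognizes the new state or closes the channel.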

    Published In

    STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computing
    November 2007
    82 pages
    ISBN:9781595938886
    DOI:10.1145/1314354
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. TLS
    2. hypervisor
    3. microkernel
    4. relay attack
    5. remote attestation
    6. state changes
    7. trusted channel
    8. trusted computing
    9. virtualization

    Qualifiers

    • Article

    Conference

    CCS07
    Acceptance Rates

    Overall Acceptance Rate 17 of 31 submissions, 55%

    Article Metrics

    • Downloads (Last 12 months): 33
    • Downloads (Last 6 weeks): 2
    Reflects downloads up to 28 Feb 2025

    Cited By

    • (2024) DDS Security+: Enhancing the Data Distribution Service With TPM-based Remote Attestation. Proceedings of the 19th International Conference on Availability, Reliability and Security. DOI: 10.1145/3664476.3670442 (pages 1-11). Online publication date: 30-Jul-2024
    • (2023) TC4SE: A High-Performance Trusted Channel Mechanism for Secure Enclave-Based Trusted Execution Environments. Information Security. DOI: 10.1007/978-3-031-49187-0_13 (pages 246-264). Online publication date: 15-Nov-2023
    • (2022) Towards Interoperable Enclave Attestation: Learnings from Decades of Academic Work. 2022 31st Conference of Open Innovations Association (FRUCT). DOI: 10.23919/FRUCT54823.2022.9770907 (pages 189-200). Online publication date: 27-Apr-2022
    • (2021) LIRA-V: Lightweight Remote Attestation for Constrained RISC-V Devices. 2021 IEEE Security and Privacy Workshops (SPW). DOI: 10.1109/SPW53761.2021.00036 (pages 221-227). Online publication date: May-2021
    • (2021) Trusted Sockets Layer: A TLS 1.3 Based Trusted Channel Protocol. Secure IT Systems. DOI: 10.1007/978-3-030-91625-1_10 (pages 175-191). Online publication date: 13-Nov-2021
    • (2020) Establishing Secure Communication Channels Using Remote Attestation with TPM 2.0. Security and Trust Management. DOI: 10.1007/978-3-030-59817-4_5 (pages 73-89). Online publication date: 16-Sep-2020
    • (2018) A Secure and Trusted Channel Protocol for UAVs Fleets. Information Security Theory and Practice. DOI: 10.1007/978-3-319-93524-9_1 (pages 3-24). Online publication date: 21-Jun-2018
    • (2017) Mechanisms for Mutual Attested Microservice Communication. Companion Proceedings of the 10th International Conference on Utility and Cloud Computing. DOI: 10.1145/3147234.3148102 (pages 59-64). Online publication date: 5-Dec-2017
    • (2017) Establishing Mutually Trusted Channels for Remote Sensing Devices with Trusted Execution Environments. Proceedings of the 12th International Conference on Availability, Reliability and Security. DOI: 10.1145/3098954.3098971 (pages 1-10). Online publication date: 29-Aug-2017
    • (2017) HYDRA. Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks. DOI: 10.1145/3098243.3098261 (pages 99-110). Online publication date: 18-Jul-2017
