Integrity Challenge Mechanism

The Integrity Challenge protocol describes how challenging parties securely retrieve measurements and validation information from the attesting system. The protocol must protect against the following major threats when retrieving attestation information:

• Replay attacks: a malicious attesting system can replay attestation information (measurement list + TPM aggregate) from before the system was corrupted.
• Tampering: a malicious attesting system or intermediate attacker can tamper with the measurement list and TPM aggregate before or when it is transmitted to the challenging party.
• Masquerading: a malicious attesting system or intermediate attacker can replace the original measurement list and TPM aggregate with the measurement list and TPM aggregate of another (non-compromised) system.

We assume that this mechanism is used over a secure (e.g., SSL-authenticated and protected) connection to guarantee authenticity and confidentiality requirements. Fig. 3 depicts the integrity challenge protocol used by the challenging party $C$ to securely validate integrity claims of the attesting system $AS$. In steps 1 and 2, $C$ creates a non-predictable 160bit random $nonce$ and sends it in a challenge request message $ChReq$ to $AS$. In step 3, the attesting system loads a protected RSA key $AIK$ into the TPM. This $AIK$ is encrypted with the so-called Storage Root Key (SRK), a key known only to the TPM. The TPM specification [11] describes, how a 2048-bit AIK is created securely inside the TPM and how the corresponding public key $AIK_{pub}$ can be securely certified by a trusted party. This trusted party certificate links the signature of the PCR to a specific TPM chip in a specific system. Then, the $AS$ requests a $Quote$ from the TPM chip that now signs the selected $PCR$ (or multiple PCRs) and the $nonce$ originally provided by $C$ with the private key $AIK_{priv}$. To complete step 3, the $AS$ retrieves the ordered list of all measurements (in our case from the kernel). Then, $AS$ responds with a challenge response message $ChRes$ in step 4, including the signed aggregate and nonce in $Quote$, together with the claimed complete measurement list $ML$.

Figure 3: Integrity Challenge Protocol

In step 5a, $C$ first retrieves a trusted certificate $cert(AIK_{pub})$. This AIK certificate binds the verification key $AIK_{pub}$ of the $QUOTE$ to a specific system and states that the related secret key is known only to this TPM and never exported unprotected. Thus masquerading can be discovered by the challenging party by comparing the unique identification of $AS$ with the system identification given in $cert(AIK_{pub})$. This certificate must be verified to be valid, e.g., by checking the certificate revocation list at the trusted issuing party. $C$ then verifies the signature in step 5b.

In step 5c, $C$ validates the freshness of the $QUOTE$ and thus the freshness of the $PCR$ (the measurement aggregate). Freshness is guaranteed if the nonces match as long the $nonce$ in step 2 is unique and not predictable. As soon as $AS$ receives a nonce twice or can predict the nonce (or predict even a small enough set into which the nonce will fall), it can decide to replay old measurements or request TPM-signed quotes early using predicted nonces. In both cases, the quoted integrity measurements $ML$ might not reflect the actual system status, but a past one. If the nonce offers insufficient security, then the validity of the signature keys can be restricted, because the replay window for signed aggregates is also bound to using a valid signature key.

Validating the signature in step 5b, $C$ can detect tampering with the TPM aggregate, because it will invalidate the signature (assuming cryptographic properties of a digital 2048-bit signature today, assuming the secret key is known only to the TPM, and assuming no hardware tampering of the TPM). Tampering with the measurement list is made visible in step 5c by walking through the measurement list $ML$ and re-computing the TPM aggregate (simulating the TPM extend operations as described in Section 4.2) and comparing the result with the TPM aggregate $PCR$ that is included in the signed $Quote$ received in step 4. If the computed aggregate matches the signed aggregate, then the measurement list is valid and untampered, otherwise it is invalid.