Skip to main content
SpringerLink
Log in
Book cover

International Conference on Financial Cryptography and Data Security

FC 2010: Financial Cryptography and Data Security pp 150–165Cite as

Extending IPsec for Efficient Remote Attestation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6054))

Abstract

When establishing a VPN to connect different sites of a network, the integrity of the involved VPN endpoints is often a major security concern. Based on the Trusted Platform Module (TPM), available in many computing platforms today, remote attestation mechanisms can be used to evaluate the internal state of remote endpoints automatically. However, existing protocols and extensions are either unsuited for use with IPsec or impose considerable additional implementation complexity and protocol overhead.

In this work, we propose an extension to the IPsec key exchange protocol IKEv2. Our extension (i) allows for continuous exchange of attestation data while the IPsec connection is running, (ii) supports highly efficient exchange of attestation data and (iii) requires minimal changes to the IKEv2 protocol logic. The extension is fully backwards compatible and mostly independent of the employed low-level attestation protocol. Our solution has much less overhead than the TCG TNC design, however, we also discuss integration with TNC deployments.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   54.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (2008)

    Google Scholar 

  2. Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301 (2005)

    Google Scholar 

  3. Trusted Computing Group (TCG): Tcg homepage (2009), https://www.trustedcomputing.org

  4. Trusted Computing Group: TCG Architecture Overview, v1.4 (2007)

    Google Scholar 

  5. Trusted Computing Group: TPM Main Specification, v1.2 (2005)

    Google Scholar 

  6. Microsoft TechNet: Bitlocker drive encryption technical overview (2008), http://technet.microsoft.com/en-us/library/cc732774.aspx

  7. Sirrix AG security technologies: Homepage (2009), http://www.sirrix.com

  8. Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. Research Report RC23064, IBM Research (2004)

    Google Scholar 

  9. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Seshadri, A.: Minimal TCB code execution. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA. Technical Committee on Security and Privacy, IEEE Computer Society, Los Alamitos (2007)

    Google Scholar 

  10. Chen, L., Landfermann, R., Loehr, H., Rohe, M., Sadeghi, A.R., Stüble, C.: A protocol for property-based attestation. In: [45]

    Google Scholar 

  11. Korthaus, R., Sadeghi, A.R., Stüble, C., Zhan, J.: A practical property-based bootstrap architecture. In: STC 2009: Proceedings of the 2009 ACM workshop on Scalable trusted computing, pp. 29–38. ACM, New York (2009)

    Chapter  Google Scholar 

  12. Alam, M., Zhang, X., Nauman, M., Ali, T., Seifert, J.P.: Model-based behavioral attestation. In: SACMAT 2008: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 175–184. ACM, New York (2008)

    Chapter  Google Scholar 

  13. Peng, G., Pan, X., Zhang, H., Fu, J.: Dynamic trustiness authentication framework based on software’s behavior integrity. In: 9th International Conference for Young Computer Scientists, pp. 2283–2288. IEEE Computer Society, Los Alamitos (2008)

    Chapter  Google Scholar 

  14. Nauman, M., Alam, M., Zhang, X., Ali, T.: Remote attestation of attribute updates and information flows in a ucon system. In: [46], pp. 63–80

    Google Scholar 

  15. Loscocco, P.A., Wilson, P.W., Pendergrass, J.A., McDonell, C.D.: Linux kernel integrity measurement using contextual inspection. In: [47], pp. 21–29

    Google Scholar 

  16. Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 103–115. ACM, New York (2007)

    Chapter  Google Scholar 

  17. Baiardi, F., Cilea, D., Sgandurra, D., Ceccarelli, F.: Measuring semantic integrity for remote attestation. In: [46], pp. 81–100

    Google Scholar 

  18. Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to RISC. In: CCS 2008: Proceedings of the 15th ACM conference on Computer and communications security, pp. 27–38. ACM, New York (2008)

    Chapter  Google Scholar 

  19. England, P., Lampson, B., Manferdelli, J., Peinado, M., Willman, B.: A trusted open platform. IEEE Computer 36, 55–63 (2003)

    Google Scholar 

  20. EMSCB Project Consortium: The European Multilaterally Secure Computing Base (EMSCB) project (2004), http://www.emscb.org

  21. The OpenTC Project Consortium: The Open Trusted Computing (OpenTC) project (2005), http://www.opentc.net

  22. Sailer, R., Valdez, E., Jaeger, T., Perez, R., van Doorn, L., Griffin, J.L., Berger, S.: sHype: Secure hypervisor approach to trusted virtualized systems. Technical Report RC23511, IBM Research Division (2005)

    Google Scholar 

  23. Schulz, S., Sadeghi, A.R.: Secure VPNs for trusted computing environments. In: [46], pp. 197–216

    Google Scholar 

  24. Goldman, K., Perez, R., Sailer, R.: Linking remote attestation to secure tunnel endpoints. In: [45], pp. 21–24

    Google Scholar 

  25. Asokan, N., Ekberg, J.E., Sadeghi, A.R., Stüble, C., Wolf, M.: Enabling Fairer Digital Rights Management with Trusted Computing. Research Report HGI-TR-2007-002, Horst-Görtz-Institute for IT-Security (2007)

    Google Scholar 

  26. Stumpf, F., Tafreschi, O., Röder, P., Eckert, C.: A robust integrity reporting protocol for remote attestation. Revised version (2006)

    Google Scholar 

  27. Gasmi, Y., Sadeghi, A.R., Stewin, P., Unger, M., Asokan, N.: Beyond secure channels. In: [47], pp. 30–40

    Google Scholar 

  28. Armknecht, F., Gasmi, Y., Sadeghi, A.R., Stewin, P., Unger, M., Ramunno, G., Vernizzi, D.: An efficient implementation of trusted channels based on OpenSSL. In: Xu, S., Nita-Rotaru, C., Seifert, J.P. (eds.) STC, pp. 41–50. ACM, New York (2008)

    Chapter  Google Scholar 

  29. Trusted Computing Group: TNC IF-T: Protocol Bindings for Tunneled EAP Methods, v1.1 (2007)

    Google Scholar 

  30. Kaufman, C.: Internet Key Exchange (IKEv2) Protocol. RFC 4306 (2005)

    Google Scholar 

  31. Trusted Computing Group: Subject Key Attestation Evidence Extension, v1.0 (2005)

    Google Scholar 

  32. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (1997)

    Google Scholar 

  33. Paterson, K.G.: A Cryptographic Tour of the IPsec Standards (2006), http://citeseer.ist.psu.edu/737404.html

  34. Doraswamy, N., Harkins, D.: IPsec: The new Security Standard for the Internet, Intranets and Virtual Private Networks, 2nd edn. Prentice-Hall, Englewood Cliffs (2003)

    Google Scholar 

  35. Trusted Computing Group: TNC IF-TNCCS: Trusted Network Connect Client-Server, v1.2 (2009)

    Google Scholar 

  36. Kent, S.: IP Encapsulating Security Payload (ESP). RFC 4303 (2005)

    Google Scholar 

  37. Chen, L., Löhr, H., Manulis, M., Sadeghi, A.R.: Property-based attestation without a trusted third party. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 31–46. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  38. Trusted Computing Group: TNC Architecture for Interoperability, v1.3 (2008)

    Google Scholar 

  39. Trusted Computing Group: TNC TNC IF-IMC Specification, v1.2 (2007)

    Google Scholar 

  40. Trusted Computing Group: TNC TNC IF-IMV Specification, v1.2 (2007)

    Google Scholar 

  41. Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., Levkowetz, H.: Extensible Authentication Protocol (EAP). RFC 3748 (2004) (Updated by RFC 5247)

    Google Scholar 

  42. Trusted Computing Group: TNC IF-T: Binding to TLS, v1.0 (2009)

    Google Scholar 

  43. Pfitzmann, B., Riordan, J., Stüble, C., Waidner, M., Weber, A.: The PERSEUS system architecture. In: Fox, D., Köhntopp, M., Pfitzmann, A. (eds.) VIS 2001, Sicherheit in komplexen IT-Infrastrukturen, pp. 1–18. DuD Fachbeiträge, Vieweg Verlag (2001)

    Google Scholar 

  44. Alkassar, A., Stüble, C.: Die Sicherheitsplattform Turaya, pp. 86–96. Vieweg+Teubner (2008) (German)

    Google Scholar 

  45. Juels, A., Tsudik, G., Xu, S., Yung, M. (eds.): Proceedings of the 1st ACM Workshop on Scalable Trusted Computing (STC 2006). ACM Press, New York (2006)

    Google Scholar 

  46. Chen, L., Mitchell, C.J., Martin, A. (eds.): Trust 2009. LNCS, vol. 5471. Springer, Heidelberg (2009)

    Google Scholar 

  47. Ning, P., Atluri, V., Xu, S., Yung, M. (eds.): Proceedings of the 1st ACM Workshop on Scalable Trusted Computing (STC 2007). ACM Press, New York (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. System Security Group, Ruhr-University Bochum,  

    Ahmad-Reza Sadeghi & Steffen Schulz

Authors
  1. Ahmad-Reza Sadeghi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Steffen Schulz
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Science Department, Stony Brook University, 11794, Stony Brook, NY, USA

    Radu Sion

  2. Department of Computer Science, New Jersey Institute of Technology, 218 Central Ave, 07102, Newark, NJ, USA

    Reza Curtmola

  3. Computer Science Department, Castle Point on Hudson, Stevens Institute of Technology, 07030, Hoboken, NJ, USA

    Sven Dietrich

  4. Computer Science and Engineering, University of Connecticut,, 372 Fairfield Way, 06269, Storrs, CT, USA

    Aggelos Kiayias

  5. Departamento de Matemáticas, Universidad de Lleida, Jaume II, 69, 25001, Lleida, Spain

    Josep M. Miret

  6. NEC Central Research Labs, 1753 Shimonumabe, Nakahara, 211-8666, Kawasaki, Japan

    Kazue Sako

  7. Departamento de Matemáticas, Dept. of Computer Engineering and Universidad de Lleida, Jaume II, 69, 25001, Lleida, Spain

    Francesc Sebé

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sadeghi, AR., Schulz, S. (2010). Extending IPsec for Efficient Remote Attestation. In: Sion, R., et al. Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6054. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14992-4_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14992-4_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14991-7

  • Online ISBN: 978-3-642-14992-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation