METHOD FOR INTEGRITY ATTESTATION OF A COMPUTING PLATFORM HIDING ITS CONFIGURATION INFORMATION

Abstract

A method for providing integrity attestation while hiding configuration information is provided. At an integrity attestation target system, the method comprises: creating a measurement value by measuring a component related to an event whenever an event influencing the integrity occurs while the computing platform is driven; hiding information which components are related to the created measurement value; recording the hidden measurement value at a PCR with a measurement list including information about all measurement values measured after the platform is driven; receiving an integrity attestation request transferred from an external system; composing data including the hidden measurement value and information for confirming whether the hidden measurement value is created from integrity sustained components; and transmitting the data to the integrity attestation request external system.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and other advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram illustrating a system providing integrity attestation defined in TCG;

FIG. 2A and FIG. 2B are flowcharts illustrating a method for attesting an integrity defined in TCG;

FIG. 3 is a flowchart of an integration attestation in FIG. 2A and FIG. 2B;

FIG. 4 is a block diagram illustrating a system employing a method for attesting integrity of a computing platform according to an exemplary embodiment of the present invention;

FIG. 5A and FIG. 5B are flowcharts illustrating a method for attesting the integrity of the computing platform according to an embodiment of the present invention; and

FIG. 6 is a flowchart illustrating a method for attesting integrity according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings.

FIG. 4 is a block diagram illustrating a system employing a method for attesting integrity of a computing platform according to an exemplary embodiment of the present invention.

Referring to FIG. 4, the integrity attestation system according to the present embodiment includes an integrity attestation target system 210 for providing data to verify integrity, which is hidden to prevent related component from being opened, in response to an integrity attestation request, and a verification server 220 for requesting integrity attestation to the integrity attestation target system 210, verifying the integrity of the target system 210 after releasing the hidden data obtained therefrom, and providing the verification result to the other external system.

That is, the integrity attestation request and verification thereof are performed through the verification service 220, and then, the verification result is distributed to other systems that confirm the target system 210.

The integrity attestation target system 210 includes an integrity measuring module 211, a PCR 212, a measurement record storing unit 213 and an integrity attestation service module 213, as like that defined in TCG. However, the functions of these constitutional elements are newly defined to protect the configuration information of a platform.

In more detail, the integrity measuring module 211 creates measurement values by measuring component related to events that influences the integrity when the events are occur. The measurement value is hidden not to open information about components that form the measurement value. The hidden measurement value reflects to the PCR 212 and the measurement record storing unit 213. Also, the integrity measuring module 211 provides a hidden key to the integrity attestation service module 214. The hidden key is a parameter used to hide the measurement value.

The PCR 212 receives and stores a new hidden measurement value from the integrity measurement module 211. The PCT 212 performs a hash calculation on the recorded PCR value and the newly input hidden measurement value, and updates the recorded PCR value with the result of the hash calculation.

The measurement record storing unit 213 stores the hidden measurement value with information for identifying the hidden measurement value in an order of inputting the hidden measurement value.

The integrity attestation service module 214 provides data to attest the integrity to the verification server 220 in response to the integrity attestation request from the verification server 220. When the data is provided, the integrity attestation service module 214 also provides a measurement list stored in the measurement record storing unit 213, a PCR value recorded in the PCR 212, a sign for the PCR value, a certification including a key verifying the sign, and a hidden key which is an encoded parameter to confirm the integrity of the component from the hidden measurement value.

According to the present embodiment, since the component information related to the measurement value is hidden in the data transferred to the verification server 220, the other systems cannot obtain the platform configuration of the target system 210 except the target system 210.

The verification server 220 must have information about the integrity verified components previously in order to confirm whether the integrity of the target system 210 is sustained or not from the data from the integrity attestation service module 214. The verification server 220 determines whether the integrity is sustained or not by verifying the sign for the transmitted data and the PCR value, and verifying the hidden measurement value is made of integrity sustained components using the information about integrity verified components. If the integrity is sustained, the certification data is distributed to other systems. The verification server 220 uses the hash value of each component to identify the component of the hidden measurement value because the probability that the hash values of two components are identical is very low. In order to increase a process speed, the hash value of the component is processed. The hash value processing will be described in more detail later.

FIG. 5A and FIG. 5B are flowcharts illustrating a method for attesting the integrity of the computing platform according to an embodiment of the present invention. The method for attesting the integrity according to the present embodiment is embodied through the integrity attestation target system 210 and the verification server 220. FIG. 5A shows an integrity attestation method in the integrity attestation target system 210, and FIG. 5B shows an integrity attestation method in the verification server.

Referring to FIG. 5A, whenever an event influencing the integrity occurs in the computing platform, the integrity attestation target system 210 measures components related to an event and creates the measurement value at step S310. As described above, the measurement value may be created by performing a hash calculation on the related component. Furthermore, it is preferable to record the components having the identical hash value, which is created when the measurement value is created, once. The integrity measurement module 211 creates the measurement value.

In order to prevent the configuration information of the computing platform from being opened in the integration attestation step, it hides components that the created measurement value is made of at step S320. At the step S320, the measurement value is transformed to hide the components information of the created measurement value. Herein, a variable generated using a random value is used. The hiding method will be described in detail in later.

Afterward, the hidden measurement value is stored in the measurement list that stores information about all measurement values measured after the platform starts, and a PCR value is recorded in TPM at step S330.

The steps S310 to S330 are performed when events influencing the integrity occur after the computing platform starts and until the computing platform is terminated, and collects information to attest the integrity of the integrity attestation target system 210.

When the integrity attestation target system 210 receives the integrity attestation request including a random number from the verification server 220 at step S340, the integrity attestation target system 210 creates a sign for PCR value stored until now using the PCR value at step S350. That is, the integrity attestation service module 214 provides the integrity attestation request including the random number, which is provided from the verification server 220, to the TPM, and the TPM creates the sign for the PCR value.

Furthermore, the integrity attestation target system 210 creates a parameter for the verification server 220 to confirm whether the hidden measurement value is created from the verified components or not, and encodes the created parameter in order to be recognized by the verification server only at step S360. Since the integrity attestation target system is protected by hiding information about components forming the measurement value in the present embodiment, the verification server 220 does not confirm which components form the hidden measurement value. That is, the verification server 220 confirms whether the hidden measurement value is generated from the integrity verified components or not, and the verification server 220 provides the related information for confirming through the step S360.

When the data for verifying the integrity are prepared from the verification server 220, the integrity attestation target system 210 transmits the prepared data to the verification server 220 for the verification server 220 to verify the integrity of itself at step S370. The data transferred to the verification server for attesting the integrity includes a measurement list, a PCR value, a sign for the PCR value, a certification including a key for confirming the sign, and an encryption value of a hidden parameter for confirming whether the hidden measurement value is created from the integrity verified components or not. As described above, the measurement list includes hidden measurement values and information for identifying each of the hidden measurement values. Whenever the hidden measurement value is created, the PCR value is updates with a value generated by performing a hash operation on the previous PCR value with the created hidden measurement value.

The verification server 220 attests the integrity of the target system 210 from information formed of hidden measurement value transferred from the integrity attestation target system 210 as shown in FIG. 5B.

Referring to FIG. 5B, at step S410 the verification server 330 previously stores information about integrity verified components to verify the integrity by confirming the hidden measurement value is created from the integrity verified components instead of confirming whether related components are searched from the hidden measurement value so as to hide the components. Since the probability that two different components have the same hash value is very low, the hash value of each component is used as information for identifying the component. That is, the verification server 330 previously stores hash values of integrity verified components. Since the verification process for all target systems is concentrated to the verification server 220, the process may be delayed. In order to prevent such a delay, the processing speed must increase. In order to increase the processing speed, it is preferable that the hash value of each component is modified through an additional process without storing the hash value of each component as it is.

After storing the previous information as described above, the verification server transmits an integrity attestation request to corresponding integrity target system 210 when the integrity attestation is required for a predetermined target system at step S420. The integrity attestation request includes a random number set by the verification server 220 for generating a sign for the PCR value. The random number is used to verify the sign for the PCR value transmitted from an integrity attestation target system 210.

When the verification server 220 receives the response from the integrity attestation target system 210, the verification server 220 extracts data for verifying the integrity from the received response message at step S440. That is, the verification server 220 extracts the measurement list, the PCR value, the sign for the PCR value, the certification including a key for confirming the sign, and the encrypted parameters from the received response, which were transferred from the integrity attestation target system 210 previously.

Then, the verification server 220 verifies the extracted data. At first, the verification server 220 verifies the sign for the PCR value at step S450. Then, the verification server 220 recomposes the PCR value using the values of the measurement list and verifies whether the recomposed PCR value is identical to the extracted PCR value at steps S460 and S470. After decoding the encoded parameter, the hidden measurement value in the measurement list is transformed using the encoded parameter, and the hidden measurement value is created from the integrity verified components or not by comparing the transformed value with the integrity verified component at step S480.

If three verifications are all success, the verification server 220 determines that the integrity of the target system 210 is sustained at step S490. If at least one of the three verifications is failed, the verification server 220 determines that the integrity of the integrity attestation target system 210 is not sustained at step S510.

When the verification server 220 determines that the integrity of the target system 210 is sustained, the verification server 220 creates certification data for certifying that the integrity of the target system 210 is sustained so as to open this information to the other external system at step S500. The certification data may include information for identifying an integrity attestation target system and the certification thereof. Also, the certification data may include a certification for a PCR value embodied as the hidden measurement value. The certification data may be formed in various formats.

FIG. 6 is a flowchart illustrating a method for attesting integrity according to an embodiment of the present invention.

In this embodiment, it assumes that the verification server 220 and the integrity attestation target system 210 share a large decimal number P and a generator g of a group Z_P*. The integrity attestation method according to the present embodiment will be described under that assumption that TPM include only one PCR.

Furthermore, the verification server 220 must have information about integrity verified components previously in order to confirm whether the integrity of the target systems is sustained or not. Among the information, the identification information of each component is embodied by the hash value of the component, and the identification information is modified through additional process for increasing the speed of the verification process as follows.

At the first step, hash values of all of integrity verified components are obtained for known components. That is, if n denotes the number of the integrity verified components, Equation 1 below is calculated.

m _j=Hash(component_j)  (Equation 1)

where 1≦j≧n, and n is an natural number greater than 1.

At the second step, B_j is calculated for the calculated hash value m_j using the shared large decimal number P and the generator g of z_P*, as like Equation 2 below.

β_j=g^mj mod P  (Equation 2)

where a bit text sequence m_j is treated as an integer. P is a factor of P−1 according to the definition of discrete logarithm problem and a decimal number q must be larger than the maximum value of when value are treated as large integers.

At the third step, a set (β1, β2, β3, . . . , βn) is obtained by repeating the second step for all components. Then, a feature value for known combinations among combinations made from the elements of the set is calculated through the P. The calculated feature value is stored as the previous information for the integrity verified components. For example, if the elements of a combination is (β1, β3, β7, βn), the feature value of the combination is (β1×β3×β7×βn)mod P. Accordingly, the previous information is prepared for verifying integrity without verifying components from the hidden measurement value.

When the integrity attestation target system 210 is driven by supplying the power thereto, the values for integrity attestation are initialized. For example, the value of PCR 212 is set to 0 and the measurement list variable ML is initialized.

When an event influencing the integrity occurs in the integrity attestation target system 210, the integrity measuring module 211 creates a measurement value of a component related to the corresponding event. When the measurement value is crated, the hash value of the component i is calculated as like equation m_i=H(component_i). Then, using the m_i and the shared decimal number P, β_i=g^mj mod P is calculated. Then, βi is set as the measurement value of the component i. The integrity measuring module 211 stores information about the measured component i. If the corresponding component i is already measured and the hash value thereof does not change, the creation of the measurement value for the corresponding component i is interrupted. That is, the component having an identical hash value is recorded only once.

Although the hash value of the component i is processed to βi using the information shared with the verification server 220 without using the hash value of the component i as it is easy to detect which components are related to the βi, because the P is already opened and the hash value of the component can be calculated by anyone.

In the present embodiment, it hides that the created measurement value is measured from a component i as like the step S320 in FIG. 5A. That is, the integrity measuring module 211 generates a random number ri, calculates a variable α_i=g^rj mod P for hiding the measurement value of the component i, and multiplies the calculated measurement value βi to the variable, thereby calculating the hidden measurement value λ₁=(α_i×β_i)mod p.

After calculating the hidden measurement value, the hidden measurement value λ_i and the hash value thereof H(λ_i) are added in the measurement list ML as like ML=ML+{λ_i,H(λ_i)}.

Herein, the hash value H(λ_i) is used as the identification value of the hidden measurement value.

Furthermore, the hash value H(λ_i) of the hidden measurement value is transmitted to TPM and updates the PCR value. Herein, the updated PCR value is PCR=H(PCR,H(λ_i)).

Then, when the integrity attestation request (ChReq(nonce)) is received from the verification server 220, the integrity attestation service module 214 prepares data for the verification server 200 to verify the integrity of the target system. That is, a random number (nonce) include in the request is transferred to the TPM of the integrity attestation target system 210, and the TPM creates a sign for a PCR value and a random number as like quote=sig_AIK(PCR,nonce)). The integrity measurement module 211 calculates

$\alpha =\left(\prod _{i=1}^k{\alpha }_i\right)\mathrm{mod}p$

for all parameters generated for hiding the measurement values measured until now. Then, the reverse element α⁻¹ of the calculated α, and transferred to the integrity service module 214. Then, the integrity attestation service module 214 encodes the parameter α⁻¹ for the verification server 220. For example, the public key of the verification server 220 is used to encode the parameter α⁻¹.

The integrity attestation service module 214 transmits a response message (ChRes) to the verification server 220 with the PCR value, the sign (quoto) thereof, the measurement list ML, the certification including a key for verifying the sign, and the parameter {α⁻¹}server_pubkey for verifying the integrity.

The verification server 220 verifies the sign for the PCR value using the certification, and recomposes the PCR value using the hash value of the hidden measurement values in the ML, and determines whether the signed PCR value is identical to the recomposed PCR value. Then, the verification server decodes the encoded parameter {α⁻¹}server_pubkey for confirming whether the hidden measurement values in the ML are calculated from the integrity verified components or not. Then, the verification server 220 calculates

$\lambda =\left(\prod _{i=1}^k{\lambda }_i\right)\mathrm{mod}p$

for all hidden measurement values in the ML. Then, using the decode α⁻¹, the feature values (λ×α⁻¹)mod p are calculated for all hidden measurement values in the ML. Then, the calculated feature value is compared with the previously stored information. If one of the previously stored information is matched with the calculated feature value, it determines that the hidden measurement values are calculated from the integrity verified components.

If the verification server 220 confirms that the integrity of the target system 210 is sustained, the verification server 220 creates data that certifies that the integrity of the platform having the PCR value is sustained. Accordingly, the other systems can verify the integrity of the integrity attestation target system 210.

As set forth above, according to preferred (certain) embodiments of the invention, the method for attesting integrity of computing platform hides internal information of a target platform from attackers that taps the communication line as well as an integrity attestation request system. Therefore, the information of the integrity attestation target system is protected from being harmfully used.

Furthermore, the method for attestation integrity of a computing platform according to the present invention minimizes the calculation amount in a verification server while verifying the integrity of a target system through the verification server. Therefore, it prevents the overall processing speed for integrity attestation from being delayed by eliminating the cause of the bottle neck problem in the verification server.

While the present invention has been shown and described in connection with the preferred embodiments, it will be apparent to those skilled in the art that modifications and variations can be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims

1. A method for attesting integrity while hiding configuration information of a computing platform at an integrity attestation target system, the method comprising: creating a measurement value by measuring a component related to an event whenever an event influencing the integrity occurs while the computing platform is driven;hiding information which components are related to the created measurement value;recording the hidden measurement value at a PCR (platform configuration register) with a measurement list including information about all measurement values measured after the platform is driven;receiving an integrity attestation request transferred from an external system;composing data including the hidden measurement value and information for confirming whether the hidden measurement value is created from integrity sustained components; andtransmitting the data to the integrity attestation request external system.

2. The method according to claim 1, further comprising sharing a decimal number P and a generator g of a group ZP*, which are required for hiding the measurement value and verifying an integrity from the hidden measurement value, with the external system requesting the integrity attestation.

3. The method according to claim 2, wherein in the creating a measurement value, a hash value mi of a corresponding component componenti is calculated as like mi=Hash(componenti), βi=gmi mod P is calculated using the hash value mi, the decimal number P and the generator g, the calculated, and the βi is used as the measurement value of a corresponding component.

4. The method according to claim 3, wherein the creating a measurement value, the creation of a measurement value is interrupted if a measurement value of components related to an event influencing the integrity had been created, and if the hash value of the component is identical to a previously created hash value.

5. The method according to claim 3, wherein the hiding information includes: creating a random number ri;calculating a parameter for hiding measurement values of a corresponding component using the created random number, the shared decimal number and the generator g;calculating a hidden measurement value by calculating λi=(αi×βi)mod P with a hash value βi of a corresponding component and the parameter.

6. The method according to claim 5, wherein in the recording the hidden measurement value, the hidden measurement value λi and the hash value H(λi) thereof are added in to a measurement list ML.

7. The method according to claim 5, wherein in the recording the hidden measurement value, a hash value H(λi) of the hidden measurement value is hash-calculated with a previous PCR value, and the result thereof is recorded as a new PCR value.

8. The method according to claim 7, wherein in the receiving an integrity attestation request, a random number created from the external system is received with the integrity attestation request.

9. The method according to claim 8, wherein the composing data includes: creating a sign for a PCR value using the random number received with the integrity attestation request; andcreating a parameter for an integrity attestation request system to confirm whether the hidden measurement value is created from an integrity verified component of not, and encoding the created parameter,wherein the data is formed of the measurement list, the PCR value, the sign for the PCR, a certification including a key to confirm the sign, and an encryption value of the parameter for confirming whether the hidden measurement value is created from integrity verified components or not for verifying the integrity attestation.

10. A method for attesting integrity while hiding configuration information of a computing platform at a verification system, comprising: storing information about integrity verified components previously;transmitting an integrity attestation request to a target system for confirming the integrity thereof;receiving a response including a hidden measurement value from the target system;verifying whether the hidden measurement value is created from an integrity sustained component of not by comparing the previously stored information and the hidden measurement value; andcreating certification data certifying that the integrity of the target system is sustained if the verification is success, and providing the created certification data.

11. The method according to claim 10, further comprising sharing a decimal number P and a generator g of a group ZP*, which are required for hiding the measurement value and verifying an integrity from the hidden measurement value, with an integrity attestation target system.

12. The method according to claim 11, wherein the storing information about integrity verified components previously includes: calculating hash values of all of integrity verified components among known components;calculating the hash values through βi=gmj mod P using shared decimal numbers P and a generator g of a group ZP*;calculating a feature value for a corresponding combination from the calculated values βi for components included in the corresponding combination according to combinations known as existed on a real computing platform among combinations made from the integrity verified components; andstoring the calculated feature values as previous information about the integrity verified components.

13. The method according to claim 12, wherein the feature value of each of the combinations is (βa×βb× . . . βn)mod P where βa, βb, . . . , βn denote the values calculating the hash values using shared decimal numbers P and a generator g of a group ZP*) for the components in each combination.

14. The method according to claim 12, wherein in the receiving a response, a measurement list of a corresponding integrity attestation target system, a PCR value, a sign for a PCR value, and an encoded parameter for verifying whether a hidden measurement value is created from integrity verified components are received.

15. The method according to claim 14, wherein the verifying whether the hidden measurement value is created from an integrity sustained component of not comprises: decoding the encoded parameter;calculating

16. The method according to claim 15, wherein the verifying whether the hidden measurement value is created from an integrity sustained component of not further comprising: verifying a sign for the PCR value;determining that the integrity of a corresponding integrity attestation target system is not sustained if the verification of the sign is fail.

17. The method according to claim 15, wherein the measurement list includes measurement values with entries hidden, and hash values of the hidden measurement values.

18. The method according to claim 17, wherein the verifying whether the hidden measurement value is created from an integrity sustained component of not further comprising: recomposing a PCR value using the hash value of the measurement list and verifying whether the recomposed PCR value is matched with a PCR value transferred from the integrity attestation target system; anddetermining that the integrity of the integrity attestation target system is not sustained if the verification is failed.

19. The method according to the claim 10, wherein the certification data includes information for identifying a corresponding integrity attestation target system and a certification thereof.

20. The method according to claim 17, wherein the certification data includes a certification for a PCR value made of the hidden measurement value.