OAT(2.0) Trust Agent - 01.org

Nov 7, 2013


Trust-agent components

The trust-agent tree has five modules: TrustAgentLinuxInstaller, his-clients, HisPrivacyCAWebServices2, PrivacyCA and TrustAgent. Build artifacts shown on the slide: HisPrivacyCAWebServices2.war and HisPrivacyCAWebServices2-client.jar. Installer scripts and binaries: aikquote, openssl.sh, NIARL_TPM_MODULE, tagent.sh, pcakey, functions.

Installer pieces:

aikquote: generates the quote (merged into NIARL_TPM_MODULE)
openssl.sh: generates a certificate from a .p12 file
NIARL_TPM_MODULE: communicates with the TPM
tagent.sh: opens the socket connection and runs the agent
pcakey: downloads the Privacy CA client files, gets the Privacy CA certificate, generates the trust agent SSL certificate, and imports the Privacy CA SSL certificate into the Trust Agent's keystore
functions: common functions

Modules:

HisPrivacyCAWebServices2 and PrivacyCA: generate the AIC (the AIK certificate issued by the Privacy CA).
his-clients: installs HisPrivacyCAWebServices2-client.jar into the Maven repo under the name his-clients-1.0-HisPrivacyCAWebServices2-client.jar.
TrustAgent: provides the socket connection for the server (the attestation service) and generates the AIC and the quote.


AIC generation

Participants: TrustAgent, HisPrivacyCAWebServices2 (the Privacy CA), TPM.

(1) Privacy CA: generate PrivacyCA.p12, endorsement.p12 and the corresponding certificates
(2) TrustAgent: get PrivacyCA.cer and endorsement.p12
(3) TrustAgent -> TPM: take ownership
(4) TrustAgent -> TPM: get EK
(5) TrustAgent: generate EC (endorsement credential) signed by endorsement.p12
(6) TrustAgent -> TPM: write EC to NVRAM
(7) TrustAgent <- TPM: get EC and AIK
(8) TrustAgent: encrypt EC and AIK with PrivacyCA.cer
(9) TrustAgent -> Privacy CA: send ciphertext
(10) Privacy CA: decrypt EC and AIK
(11) Privacy CA: generate AIC signed by PrivacyCA.p12
(12) Privacy CA: encrypt AIC with EC (that is, to the EK public key the EC carries)
(13) Privacy CA -> TrustAgent: return encrypted AIC
(14) TrustAgent -> TPM: request decryption of the AIC
(15) TrustAgent <- TPM: get decrypted AIC
(16) TrustAgent: store AIC and AIK locally

Steps (12) to (15) are what bind the AIC to the hardware: the Privacy CA encrypts the AIC to the EK named in the EC, and only the TPM holding that EK can decrypt it (its ActivateIdentity operation), so a host without that TPM never obtains a usable AIC.


Flowchart - Client preparation

Start
1. Install Linux utilities, JDK and the Trust Agent files; compile aikquote and NIARL_TPM_Module
2. Get the PCA key and generate an SSL certificate for the trust agent
3. Create the socket and wait for connections
End


Flowchart - TrustAgent

Start
Create socket connection
Take TPM ownership
while (true):
  Accept()
  Read()
  Is quote request?
    Y: Create nonce file (the nonce carried in the request); Read AIC; Generate quote by calling aikquote; Build quote XML
    N: Is AIC generation request?
      Y: Create AIC; Build AIC XML
      N: Bad request
  Write()
  Return result and wait for the next connection


Flowchart - Add Host

Attestation Service:
Start
Check whether the host already exists
  Y: throw AS_HOST_EXISTS exception; End
  N: Socket(), Connect() to the Trust Agent; establish connection
Write(): send AIC generation request
Read(): receive AIC
Close(): close connection
Verify AIC with PrivacyCA.cer
Save host to DB
End

Trust Agent:
Socket(), Bind(), Listen(), Accept()
Read(): receive the request
Generate AIC
Write(): return the AIC
Close()

The verification against PrivacyCA.cer is the only thing that ties the received AIK to the Privacy CA; a host is saved to the DB only after its AIC chains to that certificate.


Flowchart - Poll Host

Attestation Service:
Start
Is TPM available?
  N: throw AS_INTEL_TXT_NOT_ENABLE exception; End
  Y: continue
Generate sessionId
Generate nonce
Save nonce with sessionId
Get Quote from TrustAgent: send quote generation request
  Trust Agent: Generate quote
Receive quote signed by AIK, together with the AIC
Save AIC with sessionId
Verify quote with AIC and nonce, and get the PCR values
Get good known PCR values (gkv)
Compare the PCRs from the agent with gkv and get the trust status
End

The nonce saved under the sessionId binds the quote to this poll: a quote whose signed data does not include that nonce is stale or replayed and must not yield a trust status.


Sequence diagram – AIC generation

Participants: ASCommon:TrustAgentSecureClient (attestation service side), TrustAgent:TASecureServer, TrustAgent:TrustAgent, PrivacyCA:ProvisionTPM

1: TrustAgentSecureClient -> TASecureServer: getAIKCertificate()
2: TASecureServer -> TrustAgent: CreateIdentityCmd(context).execute()
3: TrustAgent -> ProvisionTPM: CreateIdentity.createIdentity()
4: TASecureServer -> TrustAgent: BuildIdentityXMLCmd(context).execute()
5: TASecureServer -> TrustAgent: context.getResponseXML()
6: TASecureServer -> TrustAgentSecureClient: response


Sequence diagram - Get quote

Participants: ASCommon:TrustAgentSecureClient (attestation service side), TrustAgent:TASecureServer, TrustAgent:TrustAgent, PrivacyCA:ProvisionTPM

1: TrustAgentSecureClient -> TASecureServer: sendQuoteRequest()
2: TASecureServer: takeOwnership()
3: TASecureServer -> TrustAgent: CreateNonceFileCmd(context).execute()
4: TASecureServer -> TrustAgent: ReadIdentityCmd(context).execute()
5: TASecureServer -> TrustAgent: GenerateQuoteCmd(context).execute()
6: TASecureServer -> TrustAgent: BuildQuoteXMLCmd(context).execute()
7: processQuoteRequestInput(String xmlInput)
8: clientRequestType returned to TrustAgentSecureClient


Message format - AIC request

Request schema:

<?xml version="1.0" encoding="utf-8"?>
<xsd:schema attributeFormDefault="unqualified" elementFormDefault="qualified" version="1.0"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="identity_request">
  </xsd:element>
</xsd:schema>

Request instance (an empty identity_request element):

<identity_request></identity_request>

Response schema:

<?xml version="1.0" encoding="utf-8"?>
<xsd:schema attributeFormDefault="unqualified" elementFormDefault="qualified" version="1.0"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="client_request" type="client_requestType" />
  <xsd:complexType name="client_requestType">
    <xsd:sequence>
      <xsd:element name="vtime" type="xsd:string" />
      <xsd:element name="clientIp" type="xsd:string" />
      <xsd:element name="error_code" type="xsd:int" />
      <xsd:element name="error_message" type="xsd:string" />
      <xsd:element name="aikcert" type="xsd:string" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>

Response instance (aikcert carries the freshly issued AIK certificate in PEM form):

<client_request>
  <vtime>Wed Nov 06 04:09:40 GMT-05:00 2013</vtime>
  <clientIp>10.239.1.1</clientIp>
  <error_code>0</error_code>
  <error_message>OK</error_message>
  <aikcert>-----BEGIN CERTIFICATE-----
MIICuzCCAaOgAwIBAgIGAUIvPfQBMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMMDkhJU19Qcml2
YWN5X0NBMB4XDTEzMTEwNjIxMDczOFoXDTIzMTEwNjIxMDczOFowADCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAIt2Go6b6ulSLHzb6z1jzSZHJqFL2G6YJaC3sB9xOBMfxhnAcXQbeUQ3
oeSyaZz9aMarqHaXBP38kd2tCk448HdZd9TeVqZ5UHzv6sqMW7hO3RJ6gv908FjUhVJ9ycpPrISN
WnGj38HdPJI4ZIkp/ooDtF49Nl02mOo7OgFAvD+pU/KxVUxakCuHzktCv9iUb9Jt9F09XXKvxkIq
074Y2t9LZunZGoqmXyc3FECBb3klP9aK5V0Z7kf+JdJpu+iO6NF7gNzABMjMt9N400tLF3XlV6ZS
5Oa63a541iSbTiISOMmGyS06nCHX7uxbkT1lVeomuJPE09Qqb3prsJpJLp8CAwEAAaMiMCAwHgYD
VR0RAQH/BBQwEoEQSElTIElkZW50aXR5IEtleTANBgkqhkiG9w0BAQUFAAOCAQEACqlHMqcBQQmy
92CgRc8vFgbqQYuMBhG8RftcIZj8bwrUdSWErpf7TPMdECLufSdg6xeLOjQ96DH8M9Q7xaT6qij5
3jGXxjmMM0MFLbTKx/42zSJ7P2QLQFRBYvC6R/Squ6A2m98COMrCtm8QbjWOh69gQO9/kedbWvvq
VW036lD/l1ItzdMDiqBnW+TEkWLlpWnpBWwEgE12bNr0CUzkSlvF56oS+TMquq40tdkpUVJe268e
HAGaGlW9OQUHSOddcYbEmsQhHwK+arbtX0jbhNVZeMUb9zyTragcbFUBR1sC62TxW0ddktFpxGZ0
UtiYIUXn9CYUdXOq/7P69ZtaNw==
-----END CERTIFICATE-----</aikcert>
</client_request>


Message format - Quote request

Request schema:

<?xml version="1.0" encoding="utf-8"?>
<xsd:schema attributeFormDefault="unqualified" elementFormDefault="qualified" version="1.0"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="quote_request">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="nonce" type="xsd:string" />
        <xsd:element name="pcr_list" type="xsd:string" />
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>

Request instance (base64 nonce, comma-separated PCR list):

<quote_request>
  <nonce>ut/o67E3E/Nh6OkAxjMRSw==</nonce>
  <pcr_list>0,18</pcr_list>
</quote_request>

Response schema (client_request with an added quote element):

<?xml version="1.0" encoding="utf-8"?>
<xsd:schema attributeFormDefault="unqualified" elementFormDefault="qualified" version="1.0"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="client_request" type="client_requestType" />
  <xsd:complexType name="client_requestType">
    <xsd:sequence>
      <xsd:element name="vtime" type="xsd:string" />
      <xsd:element name="clientIp" type="xsd:string" />
      <xsd:element name="error_code" type="xsd:int" />
      <xsd:element name="error_message" type="xsd:string" />
      <xsd:element name="aikcert" type="xsd:string" />
      <xsd:element name="quote" type="xsd:string" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>

Response instance (quote is the base64 aikquote output signed by the AIK):

<client_request>
  <vtime>Wed Nov 06 04:09:46 GMT-05:00 2013</vtime>
  <clientIp>10.239.1.1</clientIp>
  <error_code>0</error_code>
  <error_message>OK</error_message>
  <aikcert>-----BEGIN CERTIFICATE-----
MIICuzCCAaOgAwIBAgIGAUIvPfQBMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMMDkhJU19Qcml2
YWN5X0NBMB4XDTEzMTEwNjIxMDczOFoXDTIzMTEwNjIxMDczOFowADCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAIt2Go6b6ulSLHzb6z1jzSZHJqFL2G6YJaC3sB9xOBMfxhnAcXQbeUQ3
oeSyaZz9aMarqHaXBP38kd2tCk448HdZd9TeVqZ5UHzv6sqMW7hO3RJ6gv908FjUhVJ9ycpPrISN
WnGj38HdPJI4ZIkp/ooDtF49Nl02mOo7OgFAvD+pU/KxVUxakCuHzktCv9iUb9Jt9F09XXKvxkIq
074Y2t9LZunZGoqmXyc3FECBb3klP9aK5V0Z7kf+JdJpu+iO6NF7gNzABMjMt9N400tLF3XlV6ZS
5Oa63a541iSbTiISOMmGyS06nCHX7uxbkT1lVeomuJPE09Qqb3prsJpJLp8CAwEAAaMiMCAwHgYD
VR0RAQH/BBQwEoEQSElTIElkZW50aXR5IEtleTANBgkqhkiG9w0BAQUFAAOCAQEACqlHMqcBQQmy
92CgRc8vFgbqQYuMBhG8RftcIZj8bwrUdSWErpf7TPMdECLufSdg6xeLOjQ96DH8M9Q7xaT6qij5
3jGXxjmMM0MFLbTKx/42zSJ7P2QLQFRBYvC6R/Squ6A2m98COMrCtm8QbjWOh69gQO9/kedbWvvq
VW036lD/l1ItzdMDiqBnW+TEkWLlpWnpBWwEgE12bNr0CUzkSlvF56oS+TMquq40tdkpUVJe268e
HAGaGlW9OQUHSOddcYbEmsQhHwK+arbtX0jbhNVZeMUb9zyTragcbFUBR1sC62TxW0ddktFpxGZ0
UtiYIUXn9CYUdXOq/7P69ZtaNw==
-----END CERTIFICATE-----</aikcert>
  <quote>AAMBAAQAAAAo8MF5NnCMHuPe9A4mh+L3wmuuwqL//////////////////////////0CPxidZ0rViiShEi3ntlnn06+GC/sLsA6VVi
HcIDf3kT63t2xr2ov471b8tFoaCIkognmxGMYpahh/cAZSDmq1tOaEz5vZzK3+t674ziJYyzKO5kkU2IUethHIgl1TOJBFGKnh5
NV7Le1DCDJyPzC4wpa5kH66LsE2b9h8D/VGG6ErGNv3/szZci2rXZBN77t7y7YaxktyiniyIgMSIxlfBz6gbj1rgeMsrnJceE8vsB
WoI7n2Bp+UnPNi6fvJRJAv31wyvw9KaVafLw7ObmI2RSpRCWCodLLsN1W293WGNw+P/WT+Tl9dQCoHok+2ZIrudIt0ExSR
t39GiUGDFz+w=</quote>
</client_request>
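The following Python is an added example, not code from the OAT project or from this deck. It walks the attestation-service side of the Poll Host flow and the quote message format: it builds the quote_request, parses the client_request response copied from the slide above, unpacks the base64 quote into its PCR selection, PCR values and AIK signature, rebuilds the TPM_QUOTE_INFO structure a signature check would run against, and compares the PCRs with good-known values. It assumes the aikquote output layout (TPM_PCR_SELECTION, then TPM_PCR_COMPOSITE values, then the signature) and SHA-1 of the nonce file as externalData, as in the privacyca.com aikquote the agent's tool derives from; the good-known values are constructed for the example; the AIK signature itself is not verified, because extracting the AIK public key from the aikcert needs an X.509 parser outside the standard library.

```python
"""Attestation-service side of the OAT quote poll; added example, not OAT project code."""
import base64
import hashlib
import os
import struct
import xml.etree.ElementTree as ET

PCR_LEN = 20                               # TPM 1.2 PCRs hold a SHA-1 digest
QUOTE_INFO_HDR = b"\x01\x01\x00\x00QUOT"  # TPM_QUOTE_INFO: TPM_STRUCT_VER 1.1.0.0 + fixed "QUOT"
REQUESTED_PCRS = (0, 18)                   # the pcr_list sent in the slide's quote_request
SLIDE_NONCE = base64.b64decode("ut/o67E3E/Nh6OkAxjMRSw==")  # nonce of the slide's request
# Good-known values, constructed for this example: PCR 0 is the digest the slide's own quote
# carries; PCR 18 is a made-up post-launch value, so the all-0xFF PCR 18 the agent reports
# (TPM 1.2 reset value of PCRs 17-22, i.e. no measured launch extended it) will not match.
GOOD_KNOWN = {0: "f0c17936708c1ee3def40e2687e2f7c26baec2a2",
              18: "0123456789abcdef0123456789abcdef01234567"}
# client_request response copied from the slide (response instance of the quote request).
SAMPLE_RESPONSE = """<client_request>
<vtime>Wed Nov 06 04:09:46 GMT-05:00 2013</vtime>
<clientIp>10.239.1.1</clientIp>
<error_code>0</error_code>
<error_message>OK</error_message>
<aikcert>-----BEGIN CERTIFICATE-----
MIICuzCCAaOgAwIBAgIGAUIvPfQBMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMMDkhJU19Qcml2
YWN5X0NBMB4XDTEzMTEwNjIxMDczOFoXDTIzMTEwNjIxMDczOFowADCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAIt2Go6b6ulSLHzb6z1jzSZHJqFL2G6YJaC3sB9xOBMfxhnAcXQbeUQ3
oeSyaZz9aMarqHaXBP38kd2tCk448HdZd9TeVqZ5UHzv6sqMW7hO3RJ6gv908FjUhVJ9ycpPrISN
WnGj38HdPJI4ZIkp/ooDtF49Nl02mOo7OgFAvD+pU/KxVUxakCuHzktCv9iUb9Jt9F09XXKvxkIq
074Y2t9LZunZGoqmXyc3FECBb3klP9aK5V0Z7kf+JdJpu+iO6NF7gNzABMjMt9N400tLF3XlV6ZS
5Oa63a541iSbTiISOMmGyS06nCHX7uxbkT1lVeomuJPE09Qqb3prsJpJLp8CAwEAAaMiMCAwHgYD
VR0RAQH/BBQwEoEQSElTIElkZW50aXR5IEtleTANBgkqhkiG9w0BAQUFAAOCAQEACqlHMqcBQQmy
92CgRc8vFgbqQYuMBhG8RftcIZj8bwrUdSWErpf7TPMdECLufSdg6xeLOjQ96DH8M9Q7xaT6qij5
3jGXxjmMM0MFLbTKx/42zSJ7P2QLQFRBYvC6R/Squ6A2m98COMrCtm8QbjWOh69gQO9/kedbWvvq
VW036lD/l1ItzdMDiqBnW+TEkWLlpWnpBWwEgE12bNr0CUzkSlvF56oS+TMquq40tdkpUVJe268e
HAGaGlW9OQUHSOddcYbEmsQhHwK+arbtX0jbhNVZeMUb9zyTragcbFUBR1sC62TxW0ddktFpxGZ0
UtiYIUXn9CYUdXOq/7P69ZtaNw==
-----END CERTIFICATE-----</aikcert>
<quote>AAMBAAQAAAAo8MF5NnCMHuPe9A4mh+L3wmuuwqL//////////////////////////0CPxidZ0rViiShEi3ntlnn06+GC/sLsA6VVi
HcIDf3kT63t2xr2ov471b8tFoaCIkognmxGMYpahh/cAZSDmq1tOaEz5vZzK3+t674ziJYyzKO5kkU2IUethHIgl1TOJBFGKnh5
NV7Le1DCDJyPzC4wpa5kH66LsE2b9h8D/VGG6ErGNv3/szZci2rXZBN77t7y7YaxktyiniyIgMSIxlfBz6gbj1rgeMsrnJceE8vsB
WoI7n2Bp+UnPNi6fvJRJAv31wyvw9KaVafLw7ObmI2RSpRCWCodLLsN1W293WGNw+P/WT+Tl9dQCoHok+2ZIrudIt0ExSR
t39GiUGDFz+w=</quote>
</client_request>"""


def build_quote_request(nonce, pcrs):
    """quote_request XML as on the slide: base64 nonce and a comma-separated PCR list."""
    root = ET.Element("quote_request")
    ET.SubElement(root, "nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(root, "pcr_list").text = ",".join(str(p) for p in sorted(pcrs))
    return ET.tostring(root, encoding="unicode")


def parse_quote_response(xml_text):
    """Fields of the client_request reply. clientIp and vtime are asserted by the agent and are
    only good for logging; aikcert must be validated against PrivacyCA.cer before use."""
    root = ET.fromstring(xml_text)
    if root.tag != "client_request":
        raise ValueError("unexpected root element %r" % root.tag)
    code = int(root.findtext("error_code"))
    if code != 0:
        raise RuntimeError("agent error %d: %s" % (code, root.findtext("error_message")))
    quote_b64 = "".join(root.findtext("quote").split())  # undo line wrapping
    return {"client_ip": root.findtext("clientIp"), "aikcert_pem": root.findtext("aikcert").strip(),
            "quote": base64.b64decode(quote_b64, validate=True)}


def parse_aikquote(blob):
    """Split the aikquote blob (layout assumed from the privacyca.com aikquote): uint16 sizeOfSelect |
    pcrSelect bitmap | uint32 valueSize | PCR values | AIK signature. Returns (pcrs, composite, sig)."""
    (size_of_select,) = struct.unpack(">H", blob[:2])
    select, off = blob[2:2 + size_of_select], 2 + size_of_select
    (value_size,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    values, signature = blob[off:off + value_size], blob[off + value_size:]
    # TPM_PCR_SELECTION: byte i, bit j selects PCR 8*i + j; values follow in ascending PCR order
    selected = [8 * i + j for i, b in enumerate(select) for j in range(8) if (b >> j) & 1]
    if value_size != PCR_LEN * len(selected):
        raise ValueError("PCR value block does not match the selection bitmap")
    pcrs = {p: values[k * PCR_LEN:(k + 1) * PCR_LEN] for k, p in enumerate(selected)}
    return pcrs, blob[:off + value_size], signature


def quote_info(composite, nonce):
    """TPM_QUOTE_INFO, the 48 bytes the TPM signed: header | SHA-1(TPM_PCR_COMPOSITE) | externalData,
    with externalData assumed to be SHA-1 of the nonce file given to aikquote (PKCS#1 v1.5 over SHA-1)."""
    return QUOTE_INFO_HDR + hashlib.sha1(composite).digest() + hashlib.sha1(nonce).digest()


def evaluate(response_xml, requested_pcrs, nonce, good_known):
    """Poll Host decision: quoted PCR set must equal the requested one, then each digest vs. gkv."""
    resp = parse_quote_response(response_xml)
    pcrs, composite, signature = parse_aikquote(resp["quote"])
    if sorted(pcrs) != sorted(requested_pcrs):
        raise ValueError("agent quoted PCRs %s, requested %s" % (sorted(pcrs), sorted(requested_pcrs)))
    per_pcr = {p: good_known.get(p) == d.hex() for p, d in pcrs.items()}
    return {"trusted": all(per_pcr.values()), "per_pcr": per_pcr, "pcrs": pcrs,
            "signature": signature, "quote_info": quote_info(composite, nonce)}


if __name__ == "__main__":
    print(build_quote_request(os.urandom(16), REQUESTED_PCRS))  # what the AS sends for a new poll
    r = evaluate(SAMPLE_RESPONSE, REQUESTED_PCRS, SLIDE_NONCE, GOOD_KNOWN)  # reply to the slide nonce
    for p, d in sorted(r["pcrs"].items()):
        print("PCR %2d %s %s" % (p, d.hex(), "ok" if r["per_pcr"][p] else "MISMATCH"))
    print("trusted:", r["trusted"], "| signature bytes:", len(r["signature"]))
```

Run against the slide's own response, the parse shows why the comparison step matters: PCR 0 carries a real digest while PCR 18 is all 0xFF, the TPM 1.2 reset value of the locality-resettable PCRs 17-22, so no measured launch had extended it on that host and no good-known value can match. A production verifier additionally checks the AIK signature over quote_info and validates the aikcert against PrivacyCA.cer (the Add Host step), since clientIp, vtime and the aikcert in the reply are all supplied by the agent.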
