As information technology spreads, the problem of malicious software such as viruses and worms grows worse. Currently, more than 35,000 forms of malicious software have emerged, and more than 40,000,000 computers are infected each year. Preventing these attacks requires not only secure transmission and checking of input data, but also a defense that starts at the source, that is, at each terminal connected to the network. However, conventional security defense technologies can no longer defend against the variety of malicious attacks.
Regarding the above problem, the international Trusted Computing Group (TCG) has enacted a network connection specification based on trusted computing technologies, Trusted Network Connect (TNC), referred to below as TCG-TNC, which includes an open terminal integrity architecture and a set of standards for ensuring secure interoperation. This set of standards allows a network to be protected to a level defined by the user. In substance, TCG-TNC establishes a connection based on the integrity of the terminals. First, a set of policies on the internal operational state of systems in the trusted network is established. Only terminals complying with the enacted network policies may access the network, and equipment not complying with the policies is isolated and located by the network. Through the use of a trusted platform module (TPM), attacks by rootkits may be blocked. A rootkit, which is used to illegally obtain the maximum control authority over a target system, may be an attack script, a modified system program, or a whole set of attack scripts and tools.
One complete information transmission process for a trusted network connection in the TCG-TNC architecture is shown in FIG. 1. Before the network connection is established, the TNC client needs to prepare the required platform integrity information and transmit it to an integrity measurement collector (IMC). In a terminal provided with a TPM, the platform information required by the network policy is hashed and then stored in the respective platform configuration registers (PCRs), and the TNC server needs to predefine a platform integrity verification requirement and transmit it to an integrity measurement verifier (IMV). The specific process is as follows.
(1) A network access requestor initiates an access request to a policy enforcer.
(2) The policy enforcer sends an access request description to a network access authority.
(3) After receiving the access request description of the network access requestor, the network access authority performs a user authentication protocol with the network access requestor. When the user authentication is successful, the network access authority sends the access request and information indicating that the user authentication is successful to the TNC server.
(4) After receiving the access request and the information indicating that the user authentication is successful sent by the network access authority, the TNC server performs mutual platform credential authentication with the TNC client, verifying, for example, an attestation identity key (AIK) of the platform.
(5) When the platform credential authentication is successful, the TNC client indicates to the integrity measurement collector that a new network connection has started and an integrity handshake protocol needs to be carried out. The integrity measurement collector returns the required platform integrity information through the interface of the integrity measurement collector (IF-IMC). The TNC server transmits the platform integrity information to the integrity measurement verifier through the interface of the integrity measurement verifier (IF-IMV).
(6) During the process of the integrity handshake protocol, the TNC client and the TNC server need to exchange data one or more times until the TNC server is satisfied.
(7) When the TNC server has completed the integrity handshake protocol with the TNC client, the TNC server sends a recommendation to the network access authority to require that access be granted. A policy decision point may still refuse to grant access to the access requestor (AR) if other security policies need to be considered.
(8) The network access authority sends an access decision to the policy enforcer, and finally, the policy enforcer enforces the decision to control the access of the access requestor.
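The following is an added, simplified model of steps (3) to (8) above; it is not code from the TCG specification or from this application. The PCR indices, the measured components and the reference values are constructed for the illustration, and the AIK signature on the quote (step (4)) is omitted. It shows the point on which the whole process rests: the TPM extend operation only lets the terminal append measurements, so the verifier can compare the reported PCR values against reference values it computed itself and isolate non-compliant equipment.

```python
import hashlib

PCR_COUNT = 24  # constructed: register count of a TPM 1.2-style PCR bank


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || H(measurement)).

    Extend is one-way and order-sensitive, so software on the terminal can add
    measurements but cannot set a register to a chosen value. This is why the
    verifier can trust values reported from the TPM rather than from software.
    """
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


class TPM:
    """Minimal PCR bank standing in for the terminal's trusted platform module."""

    def __init__(self) -> None:
        self.pcrs = [b"\x00" * 32 for _ in range(PCR_COUNT)]

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)

    def quote(self, indices) -> dict:
        # A real quote is signed with the platform's AIK; the signature is omitted here.
        return {i: self.pcrs[i].hex() for i in indices}


class IMC:
    """Integrity measurement collector on the TNC client side (step (5))."""

    def __init__(self, tpm: TPM, components: dict) -> None:
        self.tpm = tpm
        # components: {pcr_index: bytes of the measured object}, measured once at boot
        for index, data in components.items():
            tpm.extend(index, data)

    def collect(self, policy_indices) -> dict:
        return self.tpm.quote(policy_indices)


class IMV:
    """Integrity measurement verifier on the TNC server side (steps (5) and (6))."""

    def __init__(self, reference_components: dict) -> None:
        # Replay the expected extend sequence to obtain the reference PCR values.
        self.expected = {
            index: pcr_extend(b"\x00" * 32, data).hex()
            for index, data in reference_components.items()
        }

    @property
    def policy_indices(self) -> list:
        return sorted(self.expected)

    def verify(self, quote: dict) -> list:
        """Return the PCR indices whose reported value differs from the reference."""
        return [i for i in self.policy_indices if quote.get(i) != self.expected[i]]


def tnc_handshake(imc: IMC, imv: IMV, user_authenticated: bool) -> str:
    """Steps (3) to (8) collapsed into the decision the policy enforcer enforces."""
    if not user_authenticated:                  # step (3): user authentication failed
        return "deny"
    quote = imc.collect(imv.policy_indices)     # step (5): IF-IMC / IF-IMV exchange
    if imv.verify(quote):                       # step (6): the TNC server is not satisfied
        return "isolate"                        # non-compliant equipment is isolated
    return "allow"                              # step (7): recommendation to grant access


# Constructed sample policy: three components measured into PCRs 10 to 12.
REFERENCE = {
    10: b"bootloader build 1.2",
    11: b"kernel 5.10 vendor image",
    12: b"antivirus signatures 2024-01",
}


def demo() -> dict:
    imv = IMV(REFERENCE)
    compliant = IMC(TPM(), REFERENCE)
    stale = IMC(TPM(), {**REFERENCE, 12: b"antivirus signatures 2023-06"})
    return {
        "compliant": tnc_handshake(compliant, imv, True),
        "stale_signatures": tnc_handshake(stale, imv, True),
        "bad_user_auth": tnc_handshake(compliant, imv, False),
        "mismatched_pcrs": imv.verify(stale.collect(imv.policy_indices)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module reports "allow" for the compliant terminal, "isolate" for the terminal whose antivirus signatures differ from the reference (the verifier names PCR 12 as the mismatch), and "deny" when user authentication in step (3) fails before any integrity data is exchanged.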
Currently, no mature TCG-TNC architecture product is available on the market. Some important technologies for the TCG-TNC architecture are still at the stage of research and specification development, and the TCG-TNC architecture mainly has the following disadvantages:
1. Poor extensibility. A predefined secure channel exists between a policy enforcement point and a policy decision point, and the policy decision point may manage a large number of policy enforcement points, so the policy decision point has to configure a large number of secure channels. Management therefore becomes complex, resulting in poor extensibility.
2. Complex key agreement process. Since security protection is required for data in the network access layer, a secure channel needs to be established between the access requestor and the policy decision point, that is, session key agreement needs to be performed between the access requestor and the policy decision point. However, since data protection is also required between the access requestor and the policy enforcement point, session key agreement needs to be performed again between the access requestor and the policy enforcement point, so the key agreement process is complex.
3. Low security. The master key that the access requestor and the policy decision point agree upon is transmitted to the policy enforcement point by the policy decision point. New points of attack are introduced because the key is transmitted over the network, so security is degraded. In addition, since the same master key is used in both session key agreement procedures, the security of the entire TNC architecture is further degraded.
4. The access requestor may fail to verify the validity of the AIK certificate of the policy decision point. During platform credential authentication, the access requestor and the policy decision point perform mutual platform credential authentication using AIK private keys and certificates, and both endpoints need to verify the validity of the AIK certificates. If the policy decision point is the Internet service provider of the access requestor, the access requestor cannot access the network, and therefore cannot verify the validity of the AIK certificate of the policy decision point, until a trusted network connection has been established, which results in insecurity.
5. Platform integrity evaluation is not peer-to-peer. In the TCG-TNC architecture, the policy decision point performs platform integrity evaluation on the access requestor, but the access requestor does not perform platform integrity evaluation on the policy decision point. If the platform of the policy decision point is not trusted, the connection of the access requestor to an untrusted device is not secure. Peer-to-peer trust is, however, critical in ad hoc networks.
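The following added example illustrates the reuse problem named in disadvantage 3 above. It is not code from this application or from the TCG specification, and the per-channel derivation it shows (HKDF-Expand labels for the two channels) is a standard key-separation technique used here for illustration only, not the method of this application. The constructed master key and channel labels are assumptions. The example shows the concrete consequence of using one master key for both channels: a message authenticated on the access requestor to policy enforcement point channel is accepted unchanged on the access requestor to policy decision point channel, and the policy enforcement point necessarily holds the master key itself.

```python
import hashlib
import hmac

# Constructed master key standing in for the key agreed between the access
# requestor (AR) and the policy decision point (PDP).
MASTER = hashlib.sha256(b"constructed demo master key").digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256.

    The extract step is skipped because the agreed master key is already a
    uniformly random 32-byte value in this model.
    """
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def channel_keys(master_key: bytes, separate: bool) -> dict:
    """Keys for the two protected channels of the network access layer."""
    if not separate:
        # Arrangement criticised above: the one master key protects both channels
        # and is itself forwarded to the policy enforcement point (PEP).
        return {"AR-PDP": master_key, "AR-PEP": master_key}
    # Key separation: each channel gets its own key bound to a constructed label,
    # and only the AR-PEP key would need to leave the PDP.
    return {
        "AR-PDP": hkdf_expand(master_key, b"TNC AR-PDP channel"),
        "AR-PEP": hkdf_expand(master_key, b"TNC AR-PEP channel"),
    }


def protect(key: bytes, payload: bytes) -> bytes:
    """Integrity tag for a message protected under a channel's session key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def accept(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect(key, payload), tag)


def cross_channel_accepted(keys: dict) -> bool:
    """Does a message protected on the AR-PEP channel verify on the AR-PDP channel?

    True means the two channels are cryptographically indistinguishable, so a
    compromise of, or a replay from, one channel reaches the other.
    """
    payload = b"constructed access decision: allow"
    tag = protect(keys["AR-PEP"], payload)
    return accept(keys["AR-PDP"], payload, tag)


def pep_holds_master(keys: dict, master_key: bytes) -> bool:
    """Does the key handed to the PEP equal the AR-PDP master key itself?"""
    return hmac.compare_digest(keys["AR-PEP"], master_key)


if __name__ == "__main__":
    for separate in (False, True):
        keys = channel_keys(MASTER, separate)
        print(f"separate keys={separate}: cross-channel acceptance="
              f"{cross_channel_accepted(keys)}, PEP holds master={pep_holds_master(keys, MASTER)}")
```

With the shared master key both checks return True; with per-channel derivation both return False, which is the property a defender looks for when reviewing a key hierarchy of this kind.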