Malicious software, such as viruses and worms, has become a prominent problem as information technology has spread. More than thirty-five thousand kinds of malicious software exist at present, and more than forty million computers are infected annually. Inhibiting such attacks requires not only secured transport and checks on data input but also defense at the origin, i.e., at each terminal connected to a network. Traditional security defense approaches, however, have failed to defend against numerous malicious attacks.
For this issue, the international Trusted Computing Group (TCG) has established a trusted-computing based network connect specification, Trusted Network Connect (TNC) or simply TCG-TNC, which includes an open terminal integrity architecture and a set of standards for guaranteeing secure interoperation. This set of standards can protect a network on demand for a user, to a protection extent defined by the user himself. The TCG-TNC is essentially intended to establish a connection starting from the integrity of a terminal. First, a set of policies for the operating condition of a system in the trusted network is created. Only a terminal complying with the policy set for the network can access the network, and the network isolates and locates those devices that do not comply with the policy. An attack by rootkits can also be blocked due to the use of a Trusted Platform Module (TPM). Rootkits are a kind of attack script, a modified system program, or a set of attack scripts and kits, intended to illegally acquire the highest control privilege in a target system.
The existing TCG-TNC architecture, as illustrated in FIG. 1, includes three logical entities, an Access Requester AR, a Policy Enforcement Point PEP and a Policy Decision Point PDP, which can be distributed anywhere throughout the network. This TCG-TNC architecture can be divided vertically into three layers: a network access layer, an integrity evaluation layer and an integrity measurement layer. The network access layer includes three components, a Network Access Requester NAR, a Policy Enforcer PE and a Network Access Authorizer NAA, as well as a Network Authorization Transport Protocol Interface IF-T and a Policy Enforcement Point Interface IF-PEP. The network access layer is intended to support traditional network access technologies. The integrity evaluation layer is responsible for evaluating the integrity of all entities requesting access to the network. This layer includes two important interfaces: an Integrity Measurement Collection Interface IF-IMC and an Integrity Measurement Verification Interface IF-IMV. An integrity evaluation TNC Client-Server Interface IF-TNCCS is also provided between a TNC client and a TNC server. The integrity measurement layer includes two components, an Integrity Measurement Collector IMC and an Integrity Measurement Verifier IMV, which are responsible for collecting and verifying integrity-related information of an access requester.
The complete transmission of information for a trusted network connection in the existing TCG-TNC architecture is as follows. The TNC Client TNCC shall prepare and submit the required platform integrity information to the Integrity Measurement Collector IMC prior to establishment of a network connection. In a terminal provided with a trusted platform module, this also means that the platform information required by a network policy is hashed and then stored in the respective platform configuration registers, and the TNC Server TNCS shall pre-establish and submit a platform integrity verification request to the Integrity Measurement Verifier IMV. The specific process is as follows: (1) the Network Access Requester NAR initiates an access request to the policy enforcer. (2) The policy enforcer transmits a description of the access request to the network access authorizer. (3) The network access authorizer executes a user authentication protocol with the Network Access Requester NAR upon reception of the description of the access request from the network access requester. Upon successful user authentication, the network access authorizer transmits the access request and user authentication success information to the TNC Server TNCS. (4) The TNC Server TNCS commences bidirectional platform credential authentication with the TNC Client TNCC, e.g., using an Attestation Identity Key AIK for platform verification, upon reception of both the access request and the user authentication success information transmitted from the network access authorizer. (5) Upon successful platform credential authentication, the TNC Client TNCC notifies the Integrity Measurement Collector IMC about both the commencement of a new network connection and the need to perform an integrity handshake protocol. The Integrity Measurement Collector IMC returns the required platform integrity information via the Integrity Measurement Collection Interface IF-IMC. The TNC Server TNCS submits this platform integrity information to the Integrity Measurement Verifier IMV via the Integrity Measurement Verification Interface IF-IMV. (6) The TNC Client TNCC and the TNC Server TNCS perform one or more exchanges of data during execution of the integrity handshake protocol until the TNC Server TNCS is satisfied. (7) The TNC Server TNCS completes execution of the integrity handshake protocol with the TNC Client TNCC and transmits a recommendation to the network access authorizer requesting that access be permitted. If there is an additional security consideration, the policy decision point still may not permit any access by the Access Requester AR. (8) The network access authorizer passes an access decision to the policy enforcer, and the policy enforcer finally executes the decision to control the access of the Access Requester AR.
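The integrity core of steps (5) to (8), as an added Python simulation that is not TCG code and not part of the original: the IMC extends hashed platform information into PCRs, the IMV compares the PCR bank against the golden values the TNCS pre-submitted, and the PEP enforces the resulting recommendation. The PCR indices, component names and golden values are constructed; user authentication, AIK credential authentication and the signed PCR quote of a real TPM are left out.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed example: a SHA-256 PCR bank whose reset value is all zeros.
PCR_RESET = b"\x00" * 32

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(measurement)).
    Order matters: the same measurements extended in another order give another value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def imc_collect(log: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """IMC side: replay the measurement log (pcr index, measured data) into a PCR bank.
    This is the platform integrity information the TNCC returns over IF-IMC."""
    pcrs: Dict[int, bytes] = {}
    for index, blob in log:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_RESET), blob)
    return pcrs

def imv_verify(pcrs: Dict[int, bytes], policy: Dict[int, bytes]) -> Tuple[str, List[int]]:
    """IMV side: every PCR named by the policy must be present and equal its golden value.
    A PCR that was never extended fails closed. Returns the recommendation and failing indices."""
    failed = sorted(i for i, golden in policy.items() if pcrs.get(i) != golden)
    return ("allow" if not failed else "isolate"), failed

def pep_enforce(recommendation: str) -> bool:
    """PEP: only an explicit 'allow' opens access; any other recommendation isolates the AR."""
    return recommendation == "allow"

def handshake(log: List[Tuple[int, bytes]], policy: Dict[int, bytes]) -> Tuple[bool, str, List[int]]:
    """Steps (5)-(8) collapsed into one pass: collect, verify, recommend, enforce."""
    rec, failed = imv_verify(imc_collect(log), policy)
    return pep_enforce(rec), rec, failed

# Constructed sample measurements: PCR 0 firmware, PCR 1 kernel, PCR 2 endpoint AV engine.
GOLDEN_LOG = [(0, b"firmware 1.2"), (1, b"kernel 5.10 signed"), (2, b"av-engine 9.1")]
POLICY = imc_collect(GOLDEN_LOG)  # golden values the TNCS pre-submits to the IMV
MODIFIED_KERNEL_LOG = [(0, b"firmware 1.2"), (1, b"kernel 5.10 modified"), (2, b"av-engine 9.1")]
NO_AV_LOG = [(0, b"firmware 1.2"), (1, b"kernel 5.10 signed")]  # PCR 2 never extended

if __name__ == "__main__":
    cases = [("golden", GOLDEN_LOG), ("modified kernel", MODIFIED_KERNEL_LOG), ("no AV", NO_AV_LOG)]
    for name, log in cases:
        allowed, rec, failed = handshake(log, POLICY)
        print(f"{name:16s} -> {rec:8s} access={allowed} failed_pcrs={failed}")
```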
No mature product of the TCG-TNC architecture has yet been put on the market. Some important techniques of the TCG-TNC architecture are still in a phase of research and standardization, and the architecture generally suffers from the following drawbacks:
1. Poor extensibility. Since a predefined secure channel exists between the policy enforcement point and the policy decision point, and the policy decision point may manage a large number of policy enforcement points, the policy decision point has to configure a large number of secure channels, which complicates management and consequently limits extensibility.
2. A complicated key negotiation process. Since data on the network access layer has to be protected, a secure channel has to be established between the Access Requester AR and the policy decision point, that is, session key negotiation has to be performed between them. However, data protection is also required between the Access Requester AR and the policy enforcement point, so session key negotiation has to be performed again between the Access Requester AR and the policy enforcement point, thus complicating the key negotiation process.
3. Relatively low security. A primary key resulting from negotiation between the Access Requester AR and the policy decision point is passed from the policy decision point to the policy enforcement point. Passing the key over the network may introduce a new point of attack and lower security. Furthermore, both session key negotiations use the same primary key, which may also lower security throughout the trusted network connect architecture.
4. The Access Requester AR may be unable to verify the validity of the AIK certificate of the policy decision point. During the platform credential authentication process, the Access Requester AR and the policy decision point use AIK private keys and certificates for bidirectional platform credential authentication, and each of them has to verify the validity of the other's AIK certificate. If the policy decision point is the network access service provider of the Access Requester AR, then the Access Requester AR cannot access any network before the trusted network connection is established, that is, the validity of the AIK certificate of the policy decision point cannot be verified, which is insecure.
5. Platform integrity evaluation is not peer-to-peer. In the TCG-TNC architecture, the policy decision point performs platform integrity evaluation on the Access Requester AR, but the Access Requester AR does not perform platform integrity evaluation on the policy decision point. If the policy decision point has an untrusted platform, it is insecure for the Access Requester AR to be connected to an untrusted device, yet peer-to-peer trust is necessary in an Ad Hoc network.