The issue of malicious software, such as viruses and worms, has become extremely prominent along with the development of informatization. At present there are more than thirty-five thousand kinds of malicious software, and over forty million computers are infected annually. Inhibiting such attacks requires not only secured transmission and checks on data input but also prevention at the source, that is, at each terminal connected to a network. However, traditional security preventions have failed to defend against various types of malicious attacks.
The international Trusted Computing Group (TCG) has established specifically for this issue a trusted computing based network connection specification, Trusted Network Connection (TNC), simply denoted as TCG-TNC, which includes an open terminal integrity framework and a set of standards for guaranteeing secure interoperation. Reference is made to FIG. 1 for a TCG-TNC architecture. The TCG-TNC architecture illustrated in FIG. 1 includes three entities: an access requester, a policy enforcement point and a policy decision point. The TCG-TNC architecture is divided into three layers: a network access layer, an integrity evaluation layer and an integrity measurement layer. The access requester includes components which are an integrity measurement collector, a TNC client and a network access requester, where there may be one or more integrity measurement collectors above the TNC client. The policy decision point includes components which are an integrity measurement verifier, a TNC server and a network access authorizer, where there may be one or more integrity measurement verifiers above the TNC server. A Policy Enforcement Point Interface (IF-PEP) is an interface between the policy enforcement point and the network access authorizer. A Network Authorization Transport Protocol Interface (IF-T) is an interface between the network access requester and the network access authorizer. A TNC Client-Server Interface (IF-TNCCS) is an interface between the TNC client and the TNC server. A Vendor-Specific IMC-IMV Message Interface (IF-M) is an interface between the integrity measurement collector and the integrity measurement verifier. An Integrity Measurement Collector Interface (IF-IMC) is an interface between the TNC client and the integrity measurement collector. An Integrity Measurement Verifier Interface (IF-IMV) is an interface between the TNC server and the integrity measurement verifier.
Since the policy enforcement point in the TCG-TNC architecture is located at the edge of a network and the access requester performs no platform authentication on the policy enforcement point, the architecture suffers from the problem of the policy enforcement point not being trusted. In order to address this problem, a TNC architecture based upon Tri-element Peer Authentication (TePA) has been proposed, which is simply referred to as a Trusted Connection Architecture (TCA). Reference is made to FIG. 2 for the TCA. The TCA illustrated in FIG. 2 includes three entities: an access requester, an access controller and a policy manager. The TCA is divided into three layers: a network access control layer, a trusted platform evaluation layer and an integrity measurement layer. The access requester includes components which are an integrity measurement collector, a TNC client and a network access requester, where there may be one or more integrity measurement collectors above the TNC client. The access controller includes components which are an integrity measurement collector, a TNC access point and a network access controller, where there may be one or more integrity measurement collectors above the TNC access point. The policy manager includes components which are an integrity measurement verifier, an evaluation policy server and an authentication policy server, where there may be one or more integrity measurement verifiers above the evaluation policy server. An Authentication Policy Server Interface (IF-APS) is an interface between the network access controller and the authentication policy server. A Trusted Network Transport Interface (IF-TNT) is an interface between the network access requester and the network access controller. An Evaluation Policy Server Interface (IF-EPS) is an interface between the TNC access point and the evaluation policy server. A TNC Client-TNC Access Point Interface (IF-TNCCAP) is an interface between the TNC client and the TNC access point. An Integrity Measurement Interface (IF-IM) is an interface between the integrity measurement collector and the integrity measurement verifier. An Integrity Measurement Collector Interface (IF-IMC) is an interface between the TNC client and the integrity measurement collector and between the TNC access point and the integrity measurement collector. An Integrity Measurement Verifier Interface (IF-IMV) is an interface between the evaluation policy server and the integrity measurement verifier.
In the TCA illustrated in FIG. 2, a method of performing platform authentication is implemented as follows: the Integrity Measurement Collector (IMC), the Integrity Measurement Verifier (IMV), the TNC client, the TNC access point and the evaluation policy server perform one or more platform authentication processes, where each platform authentication process other than the first is performed after the platform has been remedied, and each platform authentication process includes one or more rounds of a platform authentication protocol. Platform authentication policy management is performed throughout the method of performing platform authentication in the TCA and is an important component of performing platform authentication in the TCA. However, a corresponding solution to platform authentication policy management has been absent in the existing method of performing platform authentication in the TCA.
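The structure described above, in which a platform authentication process consists of one or more protocol rounds and every process after the first follows remediation, can be illustrated with a small simulation. This is an added example and not code from the TCA specification or from any product; the components, reference digests, per-round evaluation policy and remediation table are all constructed assumptions, and the IMC, IMV and evaluation policy server are reduced to plain functions.

```python
import hashlib

# Constructed reference digests held by the policy manager (not values from
# any real TCA deployment): the IMV accepts a component only when its
# measurement matches the reference.
REFERENCE = {
    "kernel": hashlib.sha256(b"kernel-2.6-good").hexdigest(),
    "antivirus": hashlib.sha256(b"av-signatures-current").hexdigest(),
    "firewall": hashlib.sha256(b"fw-policy-v3").hexdigest(),
}
# Assumed evaluation policy: which components are measured in each round of
# one platform authentication process.
ROUNDS = [["kernel"], ["antivirus", "firewall"]]
# Assumed remediation actions: the content a fix installs per component.
# The kernel has no entry, so a bad kernel measurement is unremediable here.
REMEDY = {"antivirus": b"av-signatures-current", "firewall": b"fw-policy-v3"}

def imc_collect(platform, names):
    """IMC on the access requester: measure the requested components."""
    return {n: hashlib.sha256(platform[n]).hexdigest() for n in names}

def imv_verify(measurements):
    """IMV on the policy manager: compare each measurement with its reference."""
    return {n: d == REFERENCE[n] for n, d in measurements.items()}

def platform_authentication_process(platform):
    """One process = one or more rounds of the platform authentication protocol.
    The evaluation policy server stops at the first round with a failure and
    returns (passed, rounds_run, failed_components)."""
    for i, names in enumerate(ROUNDS, start=1):
        verdict = imv_verify(imc_collect(platform, names))
        failed = sorted(n for n, ok in verdict.items() if not ok)
        if failed:
            return False, i, failed
    return True, len(ROUNDS), []

def authenticate_with_remediation(platform, max_processes=3):
    """Run platform authentication processes; each process after the first
    follows remediation of the components the previous process rejected.
    Mutates `platform` to apply remediation. Returns (passed, processes_run)."""
    for p in range(1, max_processes + 1):
        passed, _, failed = platform_authentication_process(platform)
        if passed:
            return True, p
        if any(n not in REMEDY for n in failed):
            return False, p            # unremediable component: give up
        for n in failed:               # remediate, then start a new process
            platform[n] = REMEDY[n]
    return False, max_processes
```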