The issue of network security has been challenged severely along with gradual development of computer network. Existing security solutions in the field tend to be focused on preventing the hazards from the outside firstly and then from the inside, that is, firstly preventing the hazards from a service facility and then from a terminal facility. However, trusted computing runs to the contrary by firstly ensuring security of all terminals, that is, by building a larger security system through ensuring secured components. Higher-level precaution is taken at an underlying layer of a trusted computing platform, and an enhanced protection space and scope of selections can be provided for users by preventing a soft-level attack through trustworthy hardware.
A Challenger (CH) has to evaluate the trusted computing platform by a certain platform attribute to verify trustworthiness of the trusted computing platform. In trusted computing specification established by the Trusted Computing Group (TCG), the Challenger CH evaluates the trusted computing platform by platform integrity, where the evaluated trusted computing platform is referred to an Attesting System (AS), and FIG. 1 illustrates a corresponding trusted platform evaluation protocol as follows:
1) The Challenger CH generates a random number NCH and transmits a message 1=NCH to the Attesting System AS.
2) Upon reception of the message 1, the Attesting System AS firstly transports the random number NCH to a Trusted Platform Module (TPM) thereof and then extracts Platform Configuration Register values PCRsAS of the Attesting System AS by the Trusted Platform Module TPM of the Attesting System AS, extracts the measurement logs LogAS corresponding to the Platform Configuration Register values PCRsAS of the Attesting System AS from the Store Measurement Log (SML) of the Attesting System AS using a signature [PCRsAS, NCH]Sig performed with a private key of an Attesting Identity Key (AIK) of the Attesting System AS on the Platform Configuration Register values PCRsAS of the Attesting System AS and the random number NCH, and finally transmits a message 2=PCRsAS∥LogAS∥[PCRsAS, NCH]Sig to the Challenger CH, where ∥ represents concatenation of character strings.
3) Upon reception of the message 2, the Challenger CH firstly verifies the signature against a public key of the Attesting Identity Key AIK of the Attesting System AS, the random number NCH and the Platform Configuration Register values PCRsAS of the Attesting System AS in the message 2 and discards the message 2 if the signature is invalid, otherwise verifies correctness of the measurement logs LogAS corresponding to the Platform Configuration Register values PCRsAS of the Attesting System AS in the message 2 against the Platform Configuration Register values PCRsAS of the Attesting System AS in the message 2 and terminates the protocol process if it is incorrect, otherwise verifies trustworthiness of the Attesting System AS against the measurement logs LogAS corresponding to the Platform Configuration Register values PCRsAS of the Attesting System AS in the message 2 and reference integrity values of respective components in the measurement logs LogAS.
In the foregoing trusted platform evaluation protocol, messages exchanged between the Attesting System AS and the Challenger CH are transmitted over a secure channel. As can be apparent from the trusted platform evaluation protocol illustrated in FIG. 1, this protocol is applicable only to unidirectional trusted platform evaluation, and the Challenger CH has to be capable of verifying the Attesting Identity Key AIK and platform integrity of the Attesting System AS, where the Challenger CH can verify the Attesting Identity Key AIK of the Attesting System AS based upon Trusted Third Party (TTP) or through Direct Anonymous Attestation (DAA). When Attesting Systems AS have to be mutually verified trustworthiness of opposite platform, however, if one of the Attesting Systems AS is incapable of verifying the Attesting Identity Key AIK and platform integrity of the opposite Attesting System AS, then the Attesting Identity Key AIK and platform integrity of the Attesting System AS can not be verified in the prior art.