1. Field of the Invention
Aspects of the present invention relate to a system and method for providing security, and more particularly, to a system and method for issuing a secret key according to the validity of a security module of a user device in an authentication server, and anonymously implementing the integrity attestation of a user device and a service providing server through a security protocol in order to use a security protocol for implementing the integrity attestation.
2. Description of the Related Art
With the development of communication technology and computers, multiple problems related to computer security have arisen. A variety of methods have been suggested to solve these problems, and among them, a method of guaranteeing the integrity of the corresponding system is widely used. Integrity attestation is a process of checking the authority of a device or person for data or network security. In contrast to the integrity attestation, alternative security methods are used to strictly control data access or a physical environment of a network terminal and/or a server.
The integrity attestation is implemented for authentication between a user device and a server that provides a predetermined service. The authentication of the corresponding device is implemented by confirming a measurement with respect to a composition or a setting of software and hardware on a specific platform or on a system, through the other certificate authority, and attesting the integrity of the corresponding devices.
FIG. 1 illustrates an integrity attestation system using v1.1 of a trusted platform module (TPM) of a trusted computing group (TCG). Referring to FIG. 1, the integrity attestation system includes a user device 100, an authentication server 120, and a service providing server 130. The user device 100 includes a security module 110 so that general online services can be safely used. An integrity attestation of the user device 100 is implemented by the service providing server 130.
The security module 110 of the user device 100 serves as a security hardware device on a system platform, storing a key generated for encryption of data. A solution based on hardware helps prevent attacks, and the security module 110 prevents the system platform from being modified by a user (not illustrated) or a software application.
The TPM is one example of the security module 110 capable of providing computing to run cryptographic protocols and capable of safely storing significant information (such as a secret key for encryption). The TPM includes an endorsement key (EK) and an attestation identity key (AIK). The EK includes a secret/public key pair as a key value that is stored in the security module 110 in advance. These values are originally stored in the security module 110. Once stored, the secret key included in the EK is issued by a trusted third party (3rd) and cannot be known by any entity outside of the security module 110. The EK is verified in the illustrated authentication server 120 or in an authentication server of FIG. 2 using the key values based on a validity verification with respect to the security module 110.
The AIK is a secret/public key pair that is created in the security module 110. An AIK secret key is not exposed to the outside of the security module 110.
The service providing server 130 remotely implements the integrity attestation in the user device 100. The service providing server 130 provides a predetermined service that a user requests within the verified user device 100 by attesting the integrity of the authenticated user device 100.
The integrity-attestation system, including the components shown in FIG. 1, transmits an optional AIKi among the AIKs created in the security module 110 of the user device 100, along with the EK to the authentication server 120 so as to receive a predetermined service of the service providing server 130 in the user device 100. The authentication server 120 determines the validity of the security module 110 in the user device 100 based on receipt of the EK.
When the security module 110 is determined to be valid, the authentication server 120 digitally signs the AIKi(Sig(AIKi)) received with the EK by using the secret key of the authentication server 120.
When the digital signature is completed, the corresponding signature is transmitted to the user device 100 and stored in the security module 110. The user device 100 that receives the digital signature requests a predetermined service from the service providing server 130, and the service providing server 130 requests the integrity attestation of the user device 100.
The integrity attestation of the user device 100 is achieved by comparing a measurement metric (M) (for example, the hash value) with respect to hardware and software information (version information, serial number, manufacturer, and binary code) of the user device 100 (target of the integrity attestation).
After the digital signature (SigAIKi(M)) is performed by using the AIK secret key on the measurement metric (M) calculated in the security module 110, the integrity attestation of the user device 100 and the service providing server 130 transmits the public key of AIKi and the digital signature (Sig(AIKi)) received from the authentication server 120 to the service providing server 130.
The service providing server 130 determines if the digital signature (Sig(AIKi)) performed by the authentication server 120 is valid through the received information, and implements the integrity attestation by comparing the measurement metrics (M).
Since the AIKi transmitted from the security module 110 to the authentication server 120 and the AIKi transmitted to the service providing server 130 are identical in the conventional art, there is a problem of private information outflow (when and what kinds of services are received through the user device 100) in a plurality of business models included in a service provider with an identical authentication server 120 and service providing server 130.
That is, in the conventional TPM v1.1, the integrity attestation is implemented with respect to the user device 100 and the service providing server 130 within the scope where the anonymity can be guaranteed. The user device 100 that receives specific services can be easily distinguished through the EK included in the security module 110 of the user device 100 and the AIK corresponding to the EK.
FIG. 2 illustrates an integrity attestation system operated through an anonymous authentication using TPM v1.2 of TCG. Referring to FIG. 2, the integrity attestation device includes a user device 200, an authentication server 220, and a service providing server 230. The user device includes a security module 210 that has the EK, the AIK, and a direct anonymous attestation (DAA).
The authentication server 220, as a trusted third party, determines the validity of the corresponding security module 210 through the validity verification of the EK stored in the TPM, and provides the digital signature (SigDI(DAA)) by using a secret key of the authentication server 220 on the DAA public key transmitted along with the result of the validity determination.
After the validity of the security module 210 is determined through the authentication server 220 and a specific service is requested from the service providing server 230 by the user device 200, the service providing server 230 requests the integrity attestation with respect to the security module 210.
When the integrity attestation is requested, the security module 210 creates the ALKi and the measurement metric (M) signed using the AIKi is transmitted to the service providing server 230. The service providing server 230 that receives predetermined sets of information implements the integrity attestation by determining if the M is the DAA public key included in the valid security module 210 signed by the authentication server 220 or if the M is the AIK signed by the corresponding key. The integrity attestation is described in “Direct Anonymous Attestation” written by E. Brickell, J. Camenisch, and L. Chen.
Since the information (EK and DAA) provided to the authentication server 220 and that provided to the service providing server 230 are different in the conventional art, the anonymity is guaranteed. However, the separate authentication of the service providing server 230 is not made, and, as a result, the possibility of hacking or phishing attacks is high.
Further, a protocol for the authentication of the service providing server 230 should be performed separately on the user device 200 and on the service providing server 230, and therefore, there is a problem that session-key sharing and channel protection are additionally required.