Abstract
The trusted computing platform defined by the Trusted Computing Group (TCG) supports remote attestation, i.e. attesting the integrity information of the local platform to a remote entity, which is referred to as integrity reporting. Because the existing integrity reporting schemes are all based on the Client/Server model, problems arise when they are used to implement mutual integrity reporting. To overcome these problems, this paper proposes a mutual integrity reporting scheme for remote attestation. The scheme centralizes the Attestation Identity Key (AIK) certificate validation function and the platform integrity verification and evaluation function at a trusted center in the network, which reduces the computing load on both reporting parties and protects their platform configurations. Moreover, by setting privacy protection policies for platform components, the scheme prevents the two reporting parties from probing each other's platform configuration.
Keywords
trusted computing platform
remote attestation
integrity reporting
trusted platform module
platform configuration