A Protocol for Property-Based Attestation

Liqun Chen∗, HP Laboratories, Filton Road, Stoke Gifford, Bristol, BS34 8QZ, UK

Rainer Landfermann, Hans Löhr, Markus Rohe, Ahmad-Reza Sadeghi, and Christian Stüble†, Horst Görtz Institute for IT-Security, Applied Data Security Group, Ruhr-Universität Bochum, Germany

ABSTRACT

The Trusted Computing Group (TCG) has issued several specifications to enhance the architecture of common computing platforms by means of new functionalities, amongst others the (binary) attestation to verify the integrity of a (remote) computing platform/application. However, as pointed out recently, binary attestation has some shortcomings, in particular when used for applications: First, it reveals information about the configuration of a platform (hardware and software) or application. This can be misused to discriminate against certain configurations (e.g., operating systems) and the corresponding vendors, or be exploited to mount attacks. Second, it requires the verifier to know all possible “trusted” configurations of all platforms as well as to manage updates and patches that change the configuration. Third, it does not necessarily imply that the platform complies with the desired (security) properties. A recent proposal to overcome these problems is to transform binary attestation into property-based attestation, which only attests whether a platform or an application fulfills the desired (security) requirements, without revealing the specific software and/or hardware configuration. Based on previous works, we propose a concrete, efficient property-based attestation protocol within an abstract model of the main functionalities provided by TCG-compliant platforms. We prove the security of this protocol under the strong RSA assumption and the discrete logarithm assumption in the random oracle model. Our scheme allows blind verification and revocation of mappings between properties and configurations.
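The following is an added toy model, not code from the paper and not its zero-knowledge protocol: it contrasts the three shortcomings of binary attestation listed above with a simplified property-based attestation in which a certifier maps a configuration to a property and a trusted platform component attests only the property. It assumes a 32-byte SHA-256 "PCR" with a TCG-style extend operation, and uses HMAC under constructed keys as a stand-in for the TPM attestation-key signature and the certifier's signature; all component names, keys, nonces and the property string are constructed.

```python
"""Toy model of binary vs. property-based attestation (constructed example).

Assumption: HMAC with constructed keys stands in for signatures; a real
deployment would use the TPM's attestation key and a certifier's public key.
"""
import hashlib
import hmac

AIK_KEY = b"constructed-attestation-identity-key"    # stand-in for the TPM's AIK
CERTIFIER_KEY = b"constructed-property-certifier-key"  # stand-in for the certifier's key


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TCG-style extend: PCR_new = H(PCR_old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend every boot component, in order, into an all-zero PCR."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()


# --- binary attestation: the quote exposes the exact configuration ---------
def binary_quote(pcr: bytes, nonce: bytes) -> dict:
    """The platform signs its PCR value together with the verifier's nonce."""
    return {"pcr": pcr, "nonce": nonce, "sig": _mac(AIK_KEY, b"QUOTE" + pcr + nonce)}


def verify_binary(quote: dict, nonce: bytes, trusted_pcrs: set) -> bool:
    """The verifier must hold a whitelist of every acceptable configuration
    and learns the platform's exact configuration from the quote."""
    if quote["nonce"] != nonce:
        return False
    expected = _mac(AIK_KEY, b"QUOTE" + quote["pcr"] + quote["nonce"])
    if not hmac.compare_digest(quote["sig"], expected):
        return False
    return quote["pcr"] in trusted_pcrs


# --- property-based attestation: only the property leaves the platform -----
def issue_property_cert(pcr: bytes, prop: bytes) -> dict:
    """Certifier vouches that configuration `pcr` provides property `prop`."""
    return {"pcr": pcr, "prop": prop, "sig": _mac(CERTIFIER_KEY, pcr + prop)}


def property_attest(pcr: bytes, cert: dict, nonce: bytes, revoked=frozenset()):
    """Trusted platform component: check that the certificate binds the
    *actual* PCR to the property and is not revoked, then sign only
    property + nonce, so the configuration itself is never disclosed."""
    if cert["pcr"] != pcr or cert["sig"] in revoked:
        return None
    if not hmac.compare_digest(cert["sig"], _mac(CERTIFIER_KEY, cert["pcr"] + cert["prop"])):
        return None
    return {"prop": cert["prop"], "nonce": nonce,
            "sig": _mac(AIK_KEY, b"PROP" + cert["prop"] + nonce)}


def verify_property(att, nonce: bytes, required_prop: bytes) -> bool:
    """The verifier learns only whether the required property holds."""
    if att is None or att["nonce"] != nonce or att["prop"] != required_prop:
        return False
    return hmac.compare_digest(att["sig"], _mac(AIK_KEY, b"PROP" + att["prop"] + nonce))


def demo() -> dict:
    """Two platforms with different OS vendors, both certified for one property."""
    prop = b"isolates-application-data"              # constructed property name
    pcr_a = measure_boot([b"bios-v1", b"bootloader", b"os-vendor-A"])
    pcr_b = measure_boot([b"bios-v1", b"bootloader", b"os-vendor-B"])
    nonce, stale_nonce = b"challenge-1", b"challenge-0"   # constructed; use random nonces in practice
    cert_a = issue_property_cert(pcr_a, prop)
    cert_b = issue_property_cert(pcr_b, prop)
    whitelist = {pcr_a}   # the verifier only ever learned about vendor A's build
    return {
        "binary_a": verify_binary(binary_quote(pcr_a, nonce), nonce, whitelist),
        "binary_b": verify_binary(binary_quote(pcr_b, nonce), nonce, whitelist),
        "property_a": verify_property(property_attest(pcr_a, cert_a, nonce), nonce, prop),
        "property_b": verify_property(property_attest(pcr_b, cert_b, nonce), nonce, prop),
        # platform B cannot borrow A's certificate: its real PCR does not match
        "borrowed_cert": property_attest(pcr_b, cert_a, nonce) is None,
        # a revoked configuration-to-property mapping is refused
        "revoked": property_attest(pcr_b, cert_b, nonce, revoked={cert_b["sig"]}) is None,
        # an attestation for an old challenge does not satisfy a fresh one
        "replay": verify_property(property_attest(pcr_a, cert_a, stale_nonce), nonce, prop),
    }
```

Running `demo()` shows the second shortcoming directly: the binary verifier rejects vendor B's platform simply because its PCR is not on the whitelist, while the property verifier accepts both platforms without ever seeing a PCR value. The model's trusted component is the weak point that the paper's cryptographic protocol replaces; here it is an honest function call.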
Categories and Subject Descriptors: D.4.6: Security and Protection

General Terms: Algorithms, Design, Security, Verification

Keywords: TCG binary attestation, security kernels, property-based attestation, zero-knowledge proof of knowledge

∗ liqun.chen@hp.com
† {landfermann,hloehr,rohe,sadeghi}@crypto.rub.de

STC’06, November 3, 2006, Alexandria, Virginia, USA. Copyright 2006 ACM 1-59593-548-7/06/0011.

1. INTRODUCTION

Today, distributed applications processing security-critical data pose sophisticated functional and security requirements on the underlying computing platforms – in particular, in open network scenarios such as the Internet. Distributed applications involve different parties (companies, end-users, content providers, etc.) with possibly conflicting (security) requirements and interests. To cope with this situation, we need mechanisms which provide and maintain the required security services in the sense of multilateral security. Obviously, the applications and the underlying computing platforms need to provide the degree of “trustworthiness” that each of the involved parties requires. In practice, this trustworthiness may be determined by verifying the integrity of the corresponding platform/application, where a positive result should imply that the platform/application has not been tampered with, and hence that the critical information processed will not leave the intended trust domains.
Verifying the integrity of a platform or an application locally can be implemented, e.g., by a secure boot process and a trusted Graphical User Interface (tGUI) that ensures a trusted path to the application. However, these solutions are insufficient for remote platform or application integrity verification. Remote integrity verification mechanisms may also enable an external party (a remote machine) to verify whether a platform/application behaves according to certain security policies.

In this context, Trusted Computing (TC) technology provides the basis for a new generation of computing platforms with new security-relevant architectures both in hardware and software. A well-known initiative promoting this technology is TCG (Trusted Computing Group), an alliance of a large number of IT enterprises¹. The stated goal of TCG is to provide mechanisms for improving the security and trustworthiness of computing platforms [21, 22, 31, 30]. TCG has published a number of specifications, in particular for the core components, the Trusted Platform Module (TPM) [36, 35] and its library, the Trusted Software Stack (TSS) [15]. The current implementation of the TPM is a tamper-evident hardware chip that provides a limited number of cryptographic functionalities. Currently, many vendors ship their computer platforms with a TPM chip. The

¹ www.trustedcomputinggroup.org