WO2014038926A1 - A system and method of mutual trusted authentication and identity encryption - Google Patents

A system and method of mutual trusted authentication and identity encryption

Info

Publication number
WO2014038926A1
Authority
WO
WIPO (PCT)
Prior art keywords
platform
client
server
integrity
server platform
Application number
PCT/MY2013/000161
Other languages
French (fr)
Inventor
Abd Aziz Norazah
Bhagyalaxmi AAKULA
Abdullah KILAUSURIA
Original Assignee
Mimos Berhad
Application filed by Mimos Berhad

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Definitions

  • the present invention relates to a system and method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism.
  • TLS Transport Layer Security
  • SSL Secure Socket Layer
  • the TLS and SSL protocols ensure secure transmission of data and authentication of involved endpoints using digital certificates.
  • Using the existing TLS protocol, it is difficult to ensure endpoint integrity. As such, the protocol can generally not assure the trustworthiness of involved endpoints. Lack of trustworthiness of client-server systems may lead to a Reply Illusion Attack on SSL and TLS Protocols. Such attacks may expose the private key to the attacker.
  • it is necessary to enhance the security of TLS communication by enabling platform integrity between client and server to ensure no malware or spyware can be installed.
  • the present invention utilizes an enhanced TLS extension with identity-based encryption to protect the endpoint integrity by integrating property-based attestation to guarantee the trustworthiness and privacy of the remote platform.
  • Identity-Based Encryption is a cryptographic scheme which claims to be more secure and require less key management compared with Public-Key Infrastructure (PKI).
  • IBE is another alternative to public-key encryption that makes publicly available the mapping between identities, public keys and the validity of the latter. Senders using an IBE do not need to look up the public keys and the corresponding certificates of the receivers because the identities (e.g. MAC, emails or IP addresses) together with common public parameters are sufficient for encryption.
  • Integrity measurement is based on property-based attestation mechanisms which use Trusted Computer Group (TCG) technologies. Attestation is a process of assuring that information is accurate, a critical concept for the trusted platform. This is because the trust in the system is based on taking measurements and checking those measurements. If a system is not able to attest to the accuracy of that information, then the trust in the platform does not exist.
  • TCG Trusted Computer Group
  • Attestation is closely related to authentication in that the client itself proves its trustworthiness to the remote server.
  • Remote server attestation uses TCG technology, specifically the Trusted Platform Module (TPM) "quote" function.
  • TPM Trusted Platform Module
  • the quote creates a signature of the current platform software state. This state is reported through a log of software events, such as calling a higher software layer, starting a service, or reading a properties configuration file. These events are recorded as "measurements", which are cryptographically protected by extending them into Platform Configuration Registers (PCRs). Signing the PCRs effectively signs the event log. Signing the Attestation Identity Key (AIK) used in the quote obtains a certificate signed by a Trusted Third Party. That certificate attests to the Trust properties of the platform.
  • AIK Attestation Identity Key
  • the AIK is generated on and remains locked to the TPM, which is itself physically attached to the platform. Nobody can steal the Private Key which is in the TPM hardware. This ensures secure communication between the trusted endpoints.
  • the present invention includes an embodiment of an Interceptor Module (IPCM), an SSL/TLS Extension module and a Trusted Authority (TA) to establish mutual trusted authentication and identity encryption.
  • IPCM Interceptor Module
  • One aspect of the present invention provides a system (100) for mutual trusted authentication and identity encryption, the system comprising at least one server platform (104) installed with at least one integrity measurement architecture (IMA) module (104b); at least one trusted authority module (TA) (104d) associated with said server platform (104); at least one integrity properties collection module (IPCM) (104e) in communication with said trusted authority module (TA) (104d); at least one client platform (102) that is in communication with and registrable to said server platform (104); at least one transport layer security extension module (TLS extension module) (104a, 102c) associated with said server platform (104) and said client platform (102) respectively; and at least one trusted platform module (TPM) (102b, 104c) associated with said server platform (104) and said client platform (102).
  • IMA integrity measurement architecture
  • IPCM integrity properties collection module
  • TLS extension module transport layer security extension module
  • the at least one trusted authority module (TA) (104d) associated with said server platform (104) further establishes identity-based encryption of said server platform (104) and having means for generating system identity information (SIDs) of said server platform; integrating with said integrity properties collection module (IPCM) (104e) to obtain integrity properties list (IPLs) of said server platform and generating integrity property hash value (IPHs) for server platform based on said integrity properties list (IPLs); generating a server private key based on said system identification information (SIDs) and said integrity property hash value (IPHs) and master secret key (MS); and generating and installing said TLS extension modules embedded with said integrity properties list (IPLs).
  • Another aspect of the present invention provides further means of the at least one trusted platform module (TPM) (102b, 104c) wherein said trusted platform module (TPM) (102b, 104c) is associated with said server platform (104) and said client platform (102) and generates a root key pair to establish security and integrity of said server platform.
  • a further aspect of the present invention provides for the at least one trusted authority module (TA) (104d) wherein said trusted authority module (TA) (104d) further having means for generating a master public key (MB) and a master secret key (MS) based on said root key pair generated by said trusted platform module (102b, 104c) and storing the said master public key (MB) and master secret key (MS) in a server encrypted directory.
  • MB master public key
  • MS master secret key
  • a further aspect of the present invention provides for the at least one client platform (102) that is in communication with and registrable to said server platform (104), said client platform further having means for receiving and installing said client private key and said master public key (MB) in a client encrypted directory; storing said integrity property hash value (IPHs) into said property configuration register (PCR); and installing said TLS extension module (102c).
  • Another aspect of the present invention provides a method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism.
  • the method comprising steps of establishing security and integrity of a server platform (402); establishing identity-based encryption of said server platform in a TLS extension module associated with said server platform and integrated with a trusted authority (TA) associated with said server platform (404); and securing data transmission channel using mutual identity encryption between a client platform and said server platform (406).
  • TA trusted authority
  • the methodology for establishing identity-based encryption of said server platform in a TLS extension module associated with said server platform and integrated with a trusted authority (TA) associated with said server platform further comprises steps of generating unique system identity information (SIDs) of said server platform (502); integrating said trusted authority (TA) with an integrity properties collection module (IPCM) associated with said server platform to obtain an integrity properties list (IPLs) of said server platform and generating an integrity property hash value (IPHs) for the server platform based on the integrity properties list (IPLs) (504); generating a server private key based on said system identification information (SIDs) and said master secret key (MS) using said trusted authority (TA) (506); generating and installing said TLS extension module embedded with said integrity properties list (IPLs) using said trusted authority (TA) (508); and storing said system identity information (SIDs), master public key (MB), master private key (MS) and server private key in a server encrypted directory (510).
  • a further aspect of the invention provides a method for establishing security and integrity of said server platform.
  • the said method further comprises steps of establishing trustworthiness of said server platform by installing Integrity Measurement Architecture (IMA) (602); generating a root key pair using a trusted platform module (TPM) (604); generating a master public key (MB) and a master secret key (MS) based on said root key pair using said trusted authority (TA) (606); and storing said master public key (MB) and said master secret key (MS) at a server secure storage (608).
  • a further aspect of the invention provides a method for securing data transmission channel using mutual identity encryption between a client platform and said server platform.
  • the said method further comprises steps of receiving a request signal from said client platform (702); and establishing a handshake process between said client platform and said server platform (704).
  • Another aspect of the invention provides a method for receiving a request signal from said client platform.
  • the said method further comprises steps of creating unique system identity information (SIDc) of said client platform (802); integrating said trusted authority (TA) with said integrity properties collection module (IPCM) to obtain an integrity properties list (IPLc) of said client platform and generating an integrity property hash value (IPHc) for the client platform based on the integrity properties list (IPLc) (804); generating a client private key based on said system identity information (SIDc) and said master secret key (MS) using said trusted authority (TA) (806); generating TLS extension module embedded with said integrity properties list (IPLc) (808); storing said integrity property hash value (IPHc) into a platform configuration register (PCR) (810); sending said client private key, master public key (MB), integrity properties hash value (IPHs) and TLS extension module to said client platform (812); installing said client private key and said master public key (MB) in a client encrypted directory of said client platform (814); storing said integrity property hash value (IPHs) into said property configuration register (PCR) of
  • a further aspect of the present invention provides a method for establishing a handshake process between said client platform and said server platform.
  • the said method further comprises steps of sending a client hello with encrypted integrity properties list (IPLc) from said client platform to said server platform (902); decrypting received integrity properties list (IPLc) with said private key and generate integrity properties hash value (IPHs) and verifies with client integrity properties hash value (IPHc) (904); verifying integrity properties list (IPLc) and, if valid, said server platform sends a server hello with encrypted integrity properties list (IPLs) and TPM certificate to said client platform (906, 910); verifying integrity properties list (IPLs) by said client platform by decrypting received integrity properties hash value (IPHs) with said private key and generate integrity properties hash value (IPH) (912); verifying integrity properties list (IPL) and, if valid said client platform verifies TPM certificate and sends client TPM certificate to said server platform 11 and said server platform verifies received client TPM certificate (914, 9
  • FIG. 1.0 illustrates the architecture of the system of an embodiment of the invention.
  • FIG. 2.0 illustrates TLS protocol layers.
  • FIG. 3.0 illustrates a comparison of full TLS handshake with normal certificate extension with a full handshake with identity encryption extension in accordance with embodiments of the invention.
  • FIG. 4.0 illustrates a general process of the invention.
  • FIG. 5.0 illustrates the process flow of establishing security and integrity of the server platform 100 of the process of FIG. 4.0.
  • FIG. 6.0 illustrates the process flow of establishing identity encryption of the process of FIG. 4.0.
  • FIG. 7.0 illustrates the process flow of securing a data transmission channel of FIG. 4.0.
  • FIG. 8.0 illustrates the process flow for receiving a request signal from said client platform of FIG. 7.0.
  • FIG. 9.0 illustrates the process flow for establishing a handshake process between said client platform and said server platform of FIG. 8.0.
  • the present invention provides a system and method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism.
  • this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
  • FIG. 1.0 illustrates the architecture of a system (100) according to various embodiments of the invention.
  • This includes an integrity properties collection module (IPCM) (104e), SSL/TLS extension modules (102c and 104a), and trusted authority module (TA) (104d).
  • the system (100) comprises the following establishment:
  • Based on unique System Identity Info of the server (SIDs), TA generates a server private key, Integrity Property List of the server (IPLs) and Integrity Property Hash Value of the server (IPHs), corresponding with Integrity Property Collection Module (IPCM) (104e) which acts as policy.
  • IPLs Integrity Property List of the server
  • IPHs Integrity Property Hash Value of the server
  • Based on unique System Identity Info of the client (SIDs), TA also generates the private key, Integrity Property List of the client (IPLc) and Integrity Property Hash Value of the client (IPHc), corresponding with the Integrity Property Collection Module (IPCM) (104e).
  • IPLc Integrity Property List of the client
  • IPHc Integrity Property Hash Value of the client
  • the server stores the IPHc into PCR.
  • Server then instructs client to install embedded TLS extension, IPHs, MB and client private key at client secure storage.
  • Client stores the IPHs into a platform configuration register (PCR).
  • 3) Securing data transmission channel using mutual identity encryption in TLS extension between client and server by using TPM cert for verification process.
  • PCR platform configuration register
  • the SSL/TLS authentication protocol suite is based on public key cryptography. All secure protocols are based on a client/server model. Client (102) sends a message to a server (104e), and the server (104) responds with the information needed to authenticate itself. The client (102) and server (104) perform an additional exchange of session keys, and the authentication dialogue ends. When authentication is completed, secure communication can begin between the server (104) and the client (102) using the secret keys established during the authentication process.
  • TLS/SSL security protocol is layered between the application protocol layer and the TCP/IP layer, where it can secure and send application data to the transport layer. Because it works between the application layer and the transport layer, TLS/SSL can support multiple application layer protocols.
  • TLS/SSL assumes that a connection-oriented transport, typically TCP, is in use.
  • the protocol allows client/server applications to detect the following security risks:
  • the TLS/SSL protocol can be divided into two layers.
  • the first layer consists of the application protocol and the three Handshake sub-protocols: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol.
  • the second layer is the Record Protocol.
  • FIG. 2.0 illustrates the various layers and their components.
  • the present invention involves TLS protocol (also known as SSL3.0). This advanced protocol has additional option called Extensions. By default there are five extensions that exist to make communication more secure, but all are optional.
  • the Client 12 sends Extension data during Client Hello.
  • Server (104) will receive the extension and send back the ServerHello to Client (102).
  • FIG. 3.0 illustrates the comparison between normal certificate extensions with those of embodiments of the invention which use identity encryption extension in a full TLS handshake scenario.
  • the extension instead of using certificates, uses encrypted Integrity Properties Lists (IPL) represented as integrity measurements of the host platform.
  • IPL Integrity Properties Lists
  • the encryption uses identity-based encryption mechanisms which provide some capabilities that are much simpler and less expensive than PKI.
  • the client (102) sends the extension with the embedded encrypted IPL to Server (104).
  • Server (104) receives the extension and verifies the IPL; if valid, it sends the ServerHello with the embedded encrypted IPL extension and TPM certificate to client (102).
  • the client (102) then verifies the IPL of server (104) and, if valid, it sends the TPM certificate to server (104).
  • the TPM certificates are presented as ClientKeyExchange and ServerKeyExchange, which are used to encrypt data after establishment of the handshake process.
  • the general process of the invention comprises three main components, as illustrated in FIG. 4.
  • the first stage (402) establishes the security and integrity of the server platform (104).
  • the next step is to establish identity encryption in the SSL/TLS extension and establish property-based attestation integrated with the Trusted Authority (TA) in the server platform (404).
  • communication is performed with secure data transmission using mutual trusted identity encryption between client and server (406).
  • Detailed process flows of 402, 404 and 406 are described in FIGs. 5, 6 and 7 respectively.
  • FIG. 6.0 illustrates the general process (462) which starts installation (602) to secure and establishes trustworthiness of the server platform at least using Integrity Measurement Architecture (IMA).
  • During the TPM ownership process, in order to initiate the IMA module, TPM (104c) generates a pair of root keys (604). After the integrity of the server platform (104f) is protected using the IMA (104b), the Trusted Authority (TA) 14 and Integrity Properties Collection Module (IPCM) are installed and configured with specified secure storage which is encrypted with the TPM root key.
  • the TA 14 using the TPM root key creates a master public key (MB) and master secret key (MS) (606) and stores the keys at secure storage (608).
  • FIG. 5.0 illustrates the general process (500) and continuing process of (404).
  • the TA receives a request signal for generation of a new platform and automatically creates the SID for the server and client platforms (502).
  • the TA integrates with the IPCM to obtain an Integrity Properties List (IPL) of the server and client platforms and generate Integrity Property Hash values (IPH) based on the IPL's (504).
  • the TA also generates private keys of the server and client platforms based on SID and MS (506).
  • the TA encrypts the IPL's using an identity-based encryption mechanism and builds a new TLS extension library (508).
  • the TLS extension library is embedded with the encrypted IPL's.
  • the process continues with the TA sending a bundle of data consisting of the TLS extension library, private key, IPHs and MB. All the data are installed into the secure storage, but the IPHs of the verifier are stored into the PCR at the server or client platform (510).
  • the process establishment of (500) ends after the installation process is complete and the host platform of server or client is ready to use.
  • FIG. 7.0 illustrates the general process of (700) when the secure communication between client and server is started.
  • a request signal from said client platform is received (702) and a handshake protocol is established to prioritise exchange of the certificates and keys to ensure the authentication and encryption of data (704).
  • FIG. 8.0 illustrates the process flow of (800) for receiving a request signal from said client platform.
  • SIDc unique system identity information
  • TA is integrated with integrity properties collection module (IPCM) to obtain an integrity properties list (IPLc) of client platform and an integrity property hash value (IPHc) is generated for client platform based on integrity properties list (IPLc) (804).
  • a client private key is generated based on system identity information (SIDc) and said master secret key (MS) using the said TA (806).
  • TLS extension module is generated and embedded with said integrity properties list (IPLc) (808) and said integrity property hash value (IPHc) is stored into a platform configuration register (PCR) (810).
  • Client private key, master public key (MB), integrity properties hash value (IPHs) and TLS extension module are sent to said client platform (812) and said client private key and said master public key (MB) are installed in a client encrypted directory of said client platform (814).
  • said integrity property hash value (IPHs) is stored into said property configuration register (PCR) of said client platform (816) and the TLS extension module is installed onto said client platform (818).
  • FIG. 9.0 illustrates the establishment of the handshake protocol to prioritise exchange of the certificates and keys to ensure the authentication and encryption of data.
  • the process begins with the Client sending a ClientHello+Extension (contains the encrypted IPL) to the Server (902). Then the Server receives the extension and decrypts it with the Private Key from the TA and generates the IPH based on the IPL and verifies this with the Client IPH (904). If integrity fails, it will show the Error message (908) and exit. If integrity is valid, the Server sends a Server Hello+Extension (contains encrypted IPL), the server TPM Certificate (906, 910) and a "Server Hello Done" message. The Client receives the Extension and decrypts it with the Private Key from the TA and generates the IPH based on the IPL and compares this with the server IPH value (912).
  • If integrity is not valid, it will display an error message (908) and exit. If integrity is valid, the Client verifies the TPM Certificate and sends the Client TPM Certificate to the Server (914). The Server receives the Client TPM Certificate and verifies the Certificate (916). Then, both the Client and Server start the secure communication using TPM Keys (918). They use the TPM Public key to encrypt the data and the TPM Private Key to decrypt the data which resides in the TPM Hardware 310.
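
The mutual integrity check in the handshake steps above (902 to 918), as an added Python example that is not code from the patent or its applicant. The class and function names, SHA-256 and the sorted-key JSON encoding are assumptions; the identity-based encryption of the IPL and the TPM certificate exchange (914, 916) are left out so that only the IPL/IPH comparison on each side is modelled.

```python
import hashlib
import hmac
import json


def integrity_hash(ipl: dict) -> bytes:
    """IPH over a canonical encoding of the IPL, so key order cannot change it.
    SHA-256 and sorted-key JSON are assumptions; the page names no algorithm."""
    canonical = json.dumps(ipl, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


class Platform:
    """Hypothetical model of one endpoint (client 102 or server 104)."""

    def __init__(self, name: str, ipl: dict):
        self.name = name
        self.ipl = dict(ipl)   # properties this platform currently reports
        self.peer_iph = None   # peer's IPH from registration (held in a PCR on the page)

    def hello(self) -> dict:
        # On the page the IPL travels IBE-encrypted inside the TLS extension;
        # encryption is left out here, only the integrity check is modelled.
        return {"from": self.name, "ipl": dict(self.ipl)}

    def peer_is_valid(self, hello: dict) -> bool:
        if self.peer_iph is None:
            return False  # never registered: fail closed
        # Recompute the IPH from the received IPL, compare in constant time.
        return hmac.compare_digest(integrity_hash(hello["ipl"]), self.peer_iph)


def register(client: Platform, server: Platform) -> None:
    """Registration by the TA: each side is provisioned with the other's IPH."""
    server.peer_iph = integrity_hash(client.ipl)
    client.peer_iph = integrity_hash(server.ipl)


def handshake(client: Platform, server: Platform) -> list:
    """Return the (step, outcome) pairs reached; step numbers follow FIG. 9.0."""
    trace = []
    if not server.peer_is_valid(client.hello()):           # 902 -> 904
        return trace + [(908, "client integrity check failed")]
    trace.append((904, "client IPL verified"))
    if not client.peer_is_valid(server.hello()):           # 906/910 -> 912
        return trace + [(908, "server integrity check failed")]
    trace.append((912, "server IPL verified"))
    # TPM certificate exchange (914, 916) is not modelled.
    trace.append((918, "secure communication"))
    return trace


# Constructed sample property lists.
CLIENT_IPL = {"os": "linux-3.2", "tls_ext": "1.0", "av_signatures": "2013-08"}
SERVER_IPL = {"os": "linux-3.2", "tls_ext": "1.0", "httpd": "2.4.6"}

if __name__ == "__main__":
    client = Platform("client", CLIENT_IPL)
    server = Platform("server", SERVER_IPL)
    register(client, server)
    print(handshake(client, server))
    server.ipl["httpd"] = "2.4.6-local-build"   # server drifts after registration
    print(handshake(client, server))
```

Any change to a reported property after registration changes the recomputed IPH, so the side holding the registered value stops at step 908 instead of proceeding.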

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Algebra (AREA)
  • Computing Systems (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Mutual trusted authentication and identity encryption is provided by utilizing transport layer security extension with properties based attestation mechanism. The system of the present invention comprises a server platform (104) installed with an integrity measurement architecture (IMA) module (104b); a trusted authority module (TA) (104d) associated with a server platform (104); an integrity properties collection module (IPCM) (104e) in communication with the trusted authority module (TA) (104d); a client platform (102) that is in communication with and registrable to the server platform (104); a transport layer security extension module (TLS extension module) (104a, 102c) associated with the server platform (104) and the client platform (102); and a trusted platform module (TPM) (102b, 104c) associated with the server platform (104) and said client platform (102). The general process of the present invention comprises three main components, wherein the first stage (402) establishes the security and integrity of the server platform. After the establishment of process (402), the next step is to establish identity encryption in the SSL/TLS extension and establish property-based attestation integrated with the Trusted Authority (TA) in the server platform (404). Upon completion of the processes of establishment, communication is performed with secure data transmission using mutual trusted identity encryption between client and server (406) wherein a handshake protocol is established to prioritise exchange of the certificates and keys to ensure the authentication and encryption of data (704).

Description

A SYSTEM AND METHOD OF MUTUAL TRUSTED AUTHENTICATION AND IDENTITY ENCRYPTION
FIELD OF INVENTION
The present invention relates to a system and method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism.
BACKGROUND ART
Client-Server applications have become the backbone of the Internet and are processing increasingly sensitive information. A common method of establishing secure communication between the client and the server is through secure channel technologies, such as Transport Layer Security (TLS). TLS and its predecessor, Secure Socket Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, instant messaging, email and other data transfer. The TLS and SSL protocols ensure secure transmission of data and authentication of involved endpoints using digital certificates. However, using existing TLS protocol it is difficult to ensure endpoint integrity. As such, the protocol can generally not assure the trustworthiness of involved endpoints. Lack of trustworthiness of client-server systems may lead to a Reply Illusion Attack on SSL and TLS Protocols. Such attacks may expose the private key to the attacker. Hence, it is necessary to enhance the security of TLS communication by enabling platform integrity between client and server to ensure no malware or spyware can be installed.
The present invention utilizes an enhanced TLS extension with identity-based encryption to protect the end point integrity by integrating property-based attestation to guarantee the trustworthiness and privacy of the remote platform. Identity-Based Encryption (IBE) is a cryptographic scheme which claims to be more secure and require less key management compared with Public-Key Infrastructure (PKI). IBE is another alternative to public-key encryption that makes publicly available the mapping between identities, public keys and the validity of the latter. Senders using an IBE do not need to look up the public keys and the corresponding certificates of the receivers because the identities (e.g. MAC, emails or IP addresses) together with common public parameters are sufficient for encryption.
Integrity measurement is based on property-based attestation mechanisms which use Trusted Computing Group (TCG) technologies. Attestation is a process of assuring that information is accurate, a critical concept for the trusted platform. This is because the trust in the system is based on taking measurements and checking those measurements. If a system is not able to attest to the accuracy of that information, then the trust in the platform does not exist.
Attestation is closely related to authentication in that the client itself proves its trustworthiness to the remote server. Remote server attestation uses TCG technology, specifically the Trusted Platform Module (TPM) "quote" function. The quote creates a signature of the current platform software state. This state is reported through a log of software events, such as calling a higher software layer, starting a service, or reading a properties configuration file. These events are recorded as "measurements", which are cryptographically protected by extending them into Platform Configuration Registers (PCRs). Signing the PCRs effectively signs the event log. Signing the Attestation Identity Key (AIK) used in the quote obtains a certificate signed by a Trusted Third Party. That certificate attests to the Trust properties of the platform. The AIK is generated on and remains locked to the TPM, which is itself physically attached to the platform. Nobody can steal the Private Key which is in the TPM hardware. This ensures secure communication between the trusted endpoints.
The present invention includes an embodiment of Interceptor Module (IPCM), SSL/TLS Extension module and Trusted Authority (TA) to establish mutual trusted authentication and identity encryption. The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one exemplary technology area where some embodiments described herein may be practiced.
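The PCR extend and event-log mechanism described above can be made concrete with a verifier that replays a reported log and compares the result with the quoted PCR value. This is an added example, not code from the patent; the SHA-256 bank, the event names and the sample contents are constructed assumptions, and the AIK signature over the quote is assumed to have been verified already.

```python
import hashlib
import hmac

ALG = "sha256"  # assumption: SHA-256 PCR bank (TPM 1.2 banks use SHA-1)
PCR_RESET = bytes(hashlib.new(ALG).digest_size)  # static PCRs reset to all zeroes


def digest(data: bytes) -> bytes:
    return hashlib.new(ALG, data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || measurement). A PCR cannot be set directly."""
    return digest(pcr + measurement)


def measure_platform(components):
    """Platform side: measure each (name, content), log it, extend the PCR."""
    log, pcr = [], PCR_RESET
    for name, content in components:
        measurement = digest(content)
        log.append((name, measurement))
        pcr = extend(pcr, measurement)
    return log, pcr


def replay(log):
    """Verifier side: recompute the PCR value that this log would produce."""
    pcr = PCR_RESET
    for _name, measurement in log:
        pcr = extend(pcr, measurement)
    return pcr


def appraise(log, quoted_pcr, reference):
    """Return (ok, reason). The log is untrusted until its replay matches the quote."""
    if not hmac.compare_digest(replay(log), quoted_pcr):
        return False, "log does not match quoted PCR"
    for name, measurement in log:
        expected = reference.get(name)
        if expected is None:
            return False, "unexpected event: " + name
        if not hmac.compare_digest(measurement, expected):
            return False, "measurement mismatch: " + name
    return True, "ok"


# Constructed sample platform state and known-good reference measurements.
GOOD = [
    ("kernel", b"vmlinuz build 1"),
    ("tls-service", b"service binary v1"),
    ("properties.conf", b"min_tls=1.2\n"),
]
REFERENCE = {name: digest(content) for name, content in GOOD}


def demo():
    results = {}
    log, pcr = measure_platform(GOOD)
    results["clean"] = appraise(log, pcr, REFERENCE)

    # The configuration file was modified and the platform logs it honestly.
    modified = GOOD[:2] + [("properties.conf", b"min_tls=1.0\n")]
    log, pcr = measure_platform(modified)
    results["honest_log"] = appraise(log, pcr, REFERENCE)

    # Same modified platform, but the log entry is rewritten to the known-good
    # digest. The PCR already holds the real measurement, so the replay diverges.
    forged = log[:2] + [("properties.conf", REFERENCE["properties.conf"])]
    results["forged_log"] = appraise(forged, pcr, REFERENCE)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The forged-log case is why signing the PCRs effectively signs the event log: a log that was edited after the fact no longer replays to the quoted value.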
SUMMARY OF INVENTION
The present invention relates to a system and method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism. One aspect of the present invention provides a system (100) for mutual trusted authentication and identity encryption, the system comprising at least one server platform (104) installed with at least one integrity measurement architecture (IMA) module (104b); at least one trusted authority module (TA) (104d) associated with said server platform (104); at least one integrity properties collection module (IPCM) (104e) in communication with said trusted authority module (TA) (104d); at least one client platform (102) that is in communication with and registrable to said server platform (104); at least one transport layer security extension module (TLS extension module) (104a, 102c) and associated with said server platform (104) and said client platform (102) respectively; and at least one trusted platform module (TPM) (102b, 104c) associated with said server platform (104) and said client platform (102).
The at least one trusted authority module (TA) (104d) associated with said server platform (104) further establishes identity-based encryption of said server platform (104) and having means for generating system identity information (SIDs) of said server platform; integrating with said integrity properties collection module (IPCM) (104e) to obtain integrity properties list (IPLs) of said server platform and generating integrity property hash value (IPHs) for server platform based on said integrity properties list (IPLs); generating a server private key based on said system identification information (SIDs) and said integrity property hash value (IPHs) and master secret key (MS); and generating and installing said TLS extension modules embedded with said integrity properties list (IPLs).
Another aspect of the present invention provides further means of the at least one trusted platform module (TPM) (102b, 104c) wherein said trusted platform module (TPM) (102b, 104c) is associated with said server platform (104) and said client platform (102) and generates a root key pair to establish security and integrity of said server platform. A further aspect of the present invention provides for the at least one trusted authority module (TA) (104d) wherein said trusted authority module (TA) (104d) further having means for generating a master public key (MB) and a master secret key (MS) based on said root key pair generated by said trusted platform module (102b, 104c) and storing the said master public key (MB) and master secret key (MS) in a server encrypted directory.
A further aspect of the present invention provides for the at least one client platform (102) that is in communication with and registrable to said server platform (104), said client platform further having means for receiving and installing said client private key and said master public key (MB) in a client encrypted directory; storing said integrity property hash value (IPHs) into said property configuration register (PCR); and installing said TLS extension module (102c). Another aspect of the present invention provides a method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism. The method comprising steps of establishing security and integrity of a server platform (402); establishing identity-based encryption of said server platform in a TLS extension module associated with said server platform and integrated with a trusted authority (TA) associated with said server platform (404); and securing data transmission channel using mutual identity encryption between a client platform and said server platform (406). 
The methodology for establishing identity-based encryption of said server platform in a TLS extension module associated with said server platform and integrated with a trusted authority (TA) associated with said server platform further comprises steps of generating unique system identity information (SIDs) of said server platform (502); integrating said trusted authority (TA) with an integrity properties collection module (IPCM) associated with said server platform to obtain an integrity properties list (IPLs) of said server platform and generating an integrity property hash value (IPHs) for the server platform based in the integrity properties list (IPLs) (504); generating a server private key based on said system identification information (SIDs) and said master secret key (MS) using said trusted authority (TA) (506); generating and installing said TLS extension module embedded with said integrity properties list (IPLs) using said trusted authority (TA) (508); and storing said system identity information (SIDs), master public key (MB), master private key (MS) and server private key are stored in a server encrypted directory (510). The said integrity properties lists (IPLs, IPLc) are encrypted before embedding in said TLS extension modules such as using identity-based encryption.
A further aspect of the invention provides a method for establishing security and integrity of said server platform. The said method further comprises steps of establishing trustworthiness of said server platform by installing Integrity Measurement Architecture (IMA) (602); generating a root key pair using a trusted platform module (TPM) (604); generating a master public key (MB) and a master secret key (MS) based on said root key pair using said trusted authority (TA) (606); and storing said master public key (MB) and said master secret key (MS) at a server secure storage (608).
A further aspect of the invention provides a method for securing data transmission channel using mutual identity encryption between a client platform and said server platform. The said method further comprises steps of receiving a request signal from said client platform (702); and establishing a handshake process between said client platform and said server platform (704). Another aspect of the invention provides a method for receiving a request signal from said client platform. The said method further comprises steps of creating unique system identity information (SIDc) of said client platform (802); integrating said trusted authority (TA) with said integrity properties collection module (IPCM) to obtain an integrity properties list (IPLc) of said client platform and generating an integrity property hash value (IPHc) for the client platform based on the integrity properties list (IPLc) (804); generating a client private key based on said system identity information (SIDc) and said master secret key (MS) using said trusted authority (TA) (806); generating TLS extension module embedded with said integrity properties list (IPLc) (808); storing said integrity property hash value (IPHc) into a platform configuration register (PCR) (810); sending said client private key, master public key (MB), integrity properties hash value (IPHs) and TLS extension module to said client platform (812); installing said client private key and said master public key (MB) in a client encrypted directory of said client platform (814); storing said integrity property hash value (IPHs) into said property configuration register (PCR) of said client platform (816); and installing said TLS extension module onto said client platform (818).
A further aspect of the present invention provides a method for establishing a handshake process between said client platform and said server platform. The said method further comprises steps of sending a client hello with encrypted integrity properties list (IPLc) from said client platform to said server platform (902); decrypting received integrity properties list (IPLc) with said private key and generate integrity properties hash value (IPHs) and verifies with client integrity properties hash value (IPHc) (904); verifying integrity properties list (IPLc) and, if valid, said server platform sends a server hello with encrypted integrity properties list (IPLs) and TPM certificate to said client platform (906, 910); verifying integrity properties list (IPLs) by said client platform by decrypting received integrity properties hash value (IPHs) with said private key and generate integrity properties hash value (IPH) (912); verifying integrity properties list (IPL) and, if valid said client platform verifies TPM certificate and sends client TPM certificate to said server platform 11 and said server platform verifies received client TPM certificate (914, 916); and initiating data transmission between client and server platform encrypted with TPM public key (918). The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which:
FIG. 1.0 illustrates the architecture of the system of an embodiment of the invention.
FIG. 2.0 illustrates TLS protocol layers.
FIG. 3.0 illustrates a comparison of full TLS handshake with normal certificate extension with a full handshake with identity encryption extension in accordance with embodiments of the invention.
FIG. 4.0 illustrates a general process of the invention.
FIG. 5.0 illustrates the process flow of establishing security and integrity of the server platform 100 of the process of FIG. 4.0.
FIG. 6.0 illustrates the process flow of establishing identity encryption of the process of FIG. 4.0.
FIG. 7.0 illustrates the process flow of securing a data transmission channel of FIG. 4.0.
FIG. 8.0 illustrates the process flow for receiving a request signal from said client platform of FIG. 7.0.
FIG. 9.0 illustrates the process flow for establishing a handshake process between said client platform and said server platform of FIG. 8.0.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention provides a system and method for mutual trusted authentication and identity encryption utilizing transport layer security extension with properties based attestation mechanism. Hereinafter, this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
FIG. 1.0 illustrates the architecture of a system (100) according to various embodiments of the invention. This includes an integrity properties collection module (IPCM) (104e), SSL/TLS extension modules (102c and 104a), and trusted authority module (TA) (104d). The system (100) comprises of the following establishment:
1) Establishing the integrity measurement of the server platform (104), initiated with TPM (104c) to generate a root key. TA (104d) then generates a Master Public Key (MB) and Master Secret Key (MS) based on the root key and those keys are stored at secure storage;
2) Establishing identity-based encryption and properties-based attestation to embed in SSL/TLS extensions:
• Based on unique System Identity Info of the server (SIDs), TA generates a server private key, Integrity Property List of the server (IPLs) and Integrity Property Hash Value of the server (IPHs), corresponding with Integrity Property Collection Module (IPCM) (104e) which act as policy.
• Based on unique System Identity Info of the client (SIDs), TA also generates the private key, Integrity Property List of the client (IPLc) and Integrity Property Hash Value of the client (IPHc), corresponding with the Integrity Property Collection Module (IPCM) (104e).
• Then, the server stores the IPHc into PCR.
• Server then instructs client to install embedded TLS extension, IPHs, MB and client private key at client secure storage. Client stores the IPHs into a platform configuration register (PCR).
3) Securing data transmission channel using mutual identity encryption in TLS extension between client and server by using TPM cert for verification process.
The SSL/TLS authentication protocol suite is based on public key cryptography. All secure protocols are based on a client/server model. Client (102) sends a message to a server (104e), and the server (104) responds with the information needed to authenticate itself. The client (102) and server (104) perform an additional exchange of session keys, and the authentication dialogue ends. When authentication is completed, secure communication can begin between the server (104) and the client (102) using the secret keys established during the authentication process.
The TLS/SSL security protocol is layered between the application protocol layer and the TCP/IP layer, where it can secure and send application data to the transport layer. Because it works between the application layer and the transport layer, TLS/SSL can support multiple application layer protocols.
TLS/SSL assumes that a connection-oriented transport, typically TCP, is in use. The protocol allows client/server applications to detect the following security risks:
• Message tampering
• Message interception
• Message forgery
The TLS/SSL protocol can be divided into two layers. The first layer consists of the application protocol and the three Handshake sub-protocols: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. The second layer is the Record Protocol. FIG. 2.0 illustrates the various layers and their components.
The present invention involves TLS protocol (also known as SSL3.0). This advanced protocol has an additional option called Extensions. By default there are five extensions that exist to make communication more secure, but all are optional. In the client-server architecture, the Client 12 sends Extension data during Client Hello. Server (104) will receive the extension and send back the ServerHello to Client (102). FIG. 3.0 illustrates the comparison between normal certificate extensions with those of embodiments of the invention which use identity encryption extension in a full TLS handshake scenario. According to embodiments of the invention, instead of using certificates, the extension uses encrypted Integrity Properties Lists (IPL) represented as integrity measurements of the host platform. The encryption uses identity-based encryption mechanisms which provide some capabilities that are much simpler and less expensive than PKI. During Client Hello, the client (102) sends the extension with the embedded encrypted IPL to Server (104). Server (104) receives the extension and verifies the IPL; if valid, it sends the ServerHello with the embedded encrypted IPL extension and TPM certificate to client (102). The client (102) then verifies the IPL of server (104) and, if valid, it sends the TPM certificate to server (104). The TPM certificates are presented as ClientKeyExchange and ServerKeyExchange which are used to encrypt data after establishment of the handshake process.
The general process of invention comprises three main components, as illustrated in FIG. 4.0. The first stage (402) establishes the security and integrity of the server platform (104). After the establishment of process (402), the next step is to establish identity encryption in the SSL/TLS extension and establish property-based attestation integrated with the Trusted Authority (TA) in the server platform (404).
After these two processes of establishment, communication is performed with secure data transmission using mutual trusted identity encryption between client and server (406). Detailed process flows of 402, 404 and 406 are described in FIGs. 5, 6 and 7 respectively.
FIG. 6.0 illustrates the general process (462) which starts installation (602) to secure and establish trustworthiness of the server platform at least using Integrity Measurement Architecture (IMA). During the TPM ownership process, in order to initiate the IMA module, TPM (104c) generates a pair of root keys (604). After the integrity of the server platform (104f) is protected using the IMA (104b), the Trusted Authority (TA) 14 and Integrity Properties Collection Module (IPCM) are installed and configured with specified secure storage which is encrypted with the TPM root key. The TA 14 using the TPM root key creates a master public key (MB) and master secret key (MS) (606) and stores the keys at secure storage (608). Finally, the TA generates System Identity Info (SIDs) for the server which is illustrated in FIG. 8.0.
FIG. 5.0 illustrates the general process (500) and continuing process of (404). The TA receives a request signal for generation of a new platform and automatically creates the SID for the server and client platforms (502). Then, the TA integrates with the IPCM to obtain an Integrity Properties List (IPL) of the server and client platforms and generates Integrity Property Hash values (IPH) based on the IPLs (504). The TA also generates private keys of the server and client platforms based on SID and MS (506). After that, the TA encrypts the IPLs using an identity-based encryption mechanism and builds a new TLS extension library (508). The TLS extension library is embedded with the encrypted IPLs. The process continues with the TA sending a bundle of data consisting of the TLS extension library, private key, IPHs and MB. All the data are installed into the secure storage, but the IPHs of the verifier are stored into the PCR at the server or client platform (510). The process establishment of (500) ends after the installation process is complete and the host platform of server or client is ready to use.
FIG. 7.0 illustrates the general process of (700) when the secure communication between client and server is started. In the secure TLS communication 301, a request signal from said client platform is received (702) and a handshake protocol is established to prioritise exchange of the certificates and keys to ensure the authentication and encryption of data (704).
FIG. 8.0 illustrates the process flow of (800) for receiving a request signal from said client platform. Upon receipt of a request signal from said client platform, unique system identity information (SIDc) of said client platform is created (802). Thereafter, TA is integrated with integrity properties collection module (IPCM) to obtain an integrity properties list (IPLc) of client platform and an integrity property hash value (IPHc) is generated for client platform based on integrity properties list (IPLc) (804). Subsequently, a client private key is generated based on system identity information (SIDc) and said master secret key (MS) using the said TA (806). TLS extension module is generated and embedded with said integrity properties list (IPLc) (808) and said integrity property hash value (IPHc) is stored into a platform configuration register (PCR) (810). Client private key, master public key (MB), integrity properties hash value (IPHs) and TLS extension module are sent to said client platform (812) and said client private key and said master public key (MB) are installed in a client encrypted directory of said client platform (814). Thereafter, said integrity property hash value (IPHs) is stored into said property configuration register (PCR) of said client platform (816) and the TLS extension module is installed onto said client platform (818).
FIG. 9.0 illustrates the establishment of the handshake protocol to prioritise exchange of the certificates and keys to ensure the authentication and encryption of data. The process begins with the Client sending a ClientHello+Extension (contains the encrypted IPL) to the Server (902). Then the Server receives the extension and decrypts it with the Private Key from the TA and generates the IPH based on the IPL and verifies this with the Client IPH (904). If integrity fails, it will show the Error message (908) and exit. If integrity is valid, the Server sends a Server Hello+Extension (contains encrypted IPL), the server TPM Certificate (906, 910) and a "Server Hello Done" message. The Client receives the Extension and decrypts it with the Private Key from the TA and generates the IPH based on the IPL and compares this with the server IPH value (912). If Integrity is not valid, it will display an error message (908) and exit. If integrity is valid, the Client verifies the TPM Certificate and sends the Client TPM Certificate to the Server (914). The Server receives the Client TPM Certificate and verifies the Certificate (916). Then, both the Client and Server start the secure communication using TPM Keys (918). They use the TPM Public key to encrypt the data and the TPM Private Key to decrypt the data which resides in the TPM Hardware 310.
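The integrity gate in steps 902 to 912 of FIG. 9.0 can be sketched as follows, as an added example that is not code from the patent. It assumes the identity-based decryption of the extension has already produced the plaintext IPL and leaves out the TPM certificate exchange (914 to 918); the property names, the length-prefixed encoding and the use of SHA-256 for the IPH are assumptions, since the specification does not define them.

```python
import hashlib
import hmac
import struct


def iph(ipl: dict) -> bytes:
    """Integrity Property Hash over an Integrity Properties List.

    Assumed encoding: properties sorted by name, each field length-prefixed,
    so that {"ab": "c"} and {"a": "bc"} cannot hash to the same value.
    """
    h = hashlib.sha256()
    for name in sorted(ipl):
        for field in (name, ipl[name]):
            raw = field.encode("utf-8")
            h.update(struct.pack(">I", len(raw)) + raw)
    return h.digest()


class Platform:
    def __init__(self, name: str, ipl: dict):
        self.name = name
        self.ipl = dict(ipl)      # properties this platform reports in its hello
        self.peer_iph = None      # peer's IPH, stored at registration (PCR in the text)

    def hello(self) -> dict:
        return {"from": self.name, "ipl": dict(self.ipl)}

    def verify_hello(self, message: dict) -> bool:
        # Recompute the IPH from the received IPL and compare in constant time
        # with the value stored at registration. Unregistered peers are refused.
        if self.peer_iph is None:
            return False
        return hmac.compare_digest(iph(message["ipl"]), self.peer_iph)


def register(server: Platform, client: Platform) -> None:
    """Registration performed through the TA: each side keeps the other's IPH."""
    server.peer_iph = iph(client.ipl)   # step 810: server stores IPHc
    client.peer_iph = iph(server.ipl)   # step 816: client stores IPHs


def handshake(client: Platform, server: Platform):
    """Run steps 902 to 912 and return (ok, trace of step labels)."""
    trace = ["902 ClientHello+IPLc"]
    if not server.verify_hello(client.hello()):
        trace.append("908 error: client integrity invalid")
        return False, trace
    trace.append("904 IPHc verified")
    trace.append("906 ServerHello+IPLs")
    if not client.verify_hello(server.hello()):
        trace.append("908 error: server integrity invalid")
        return False, trace
    trace.append("912 IPHs verified")
    return True, trace


# Constructed sample property lists.
SERVER_IPL = {"kernel": "5.10.0-hardened", "ima_policy": "tcb", "tls_ext": "1.0"}
CLIENT_IPL = {"kernel": "5.10.0", "antivirus": "enabled", "tls_ext": "1.0"}

if __name__ == "__main__":
    srv, cli = Platform("server", SERVER_IPL), Platform("client", CLIENT_IPL)
    register(srv, cli)
    print(handshake(cli, srv))
    cli.ipl["antivirus"] = "disabled"   # property drifts after registration
    print(handshake(cli, srv))
```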
Unless the context requires otherwise or specifically stated to the contrary, integers, steps or elements of the invention recited herein as singular integers, steps or elements clearly encompass both singular and plural forms of the recited integers, steps or elements.
Throughout this specification, unless the context requires otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated step or element or integer or group of steps or elements or integers, but not the exclusion of any other step or element or integer or group of steps, elements or integers. Thus, in the context of this specification, the term "comprising" is used in an inclusive sense and thus should be understood as meaning "including principally, but not necessarily solely". It will be appreciated that the foregoing description has been given by way of illustrative example of the invention and that all such modifications and variations thereto as would be apparent to persons of skill in the art are deemed to fall within the broad scope and ambit of the invention as herein set forth.

Claims

1. A system (100) for mutual trusted authentication and identity, the system comprising:
at least one server platform (104) installed with at least one integrity measurement architecture (IMA) module (104b);
at least one trusted authority module (TA) (104d) associated with said server platform (104);
at least one integrity properties collection module (IPCM) (104e) in communication with said trusted authority module (TA) (104d);
at least one client platform (102) that is in communication with and registrable to said server platform (104);
at least one transport layer security extension module (TLS extension module) (104a, 102c) and associated with said server platform (104) and said client platform (102) respectively; and
at least one trusted platform module (TPM) (102b, 104c) associated with said server platform (104) and said client platform (102)
characterized in that the at least one trusted authority module (TA) (104d) associated with said server platform (104) further establishes identity-based encryption of said server platform (104) with the following means:
generating system identity information (SIDs) of said server platform;
integrating with said integrity properties collection module (IPCM) (104e) to obtain integrity properties list (IPLs) of said server platform and generating integrity property hash value (IPHs) for server platform based on said integrity properties list (IPLs);
generating a server private key based on said system identification information (SIDs) and said integrity property hash value (IPHs) and master secret key (MS); and
generating and installing said TLS extension modules embedded with said integrity properties list (IPLs)
which the system is encryption utilizing transport layer security extension with properties based attestation mechanism
2. A system (100) according to claim 1, wherein the at least one trusted platform module (TPM) (102b, 104c) is associated with said server platform (104) and said client platform (102) and further having means for generating a root key pair to establish security and integrity of said server platform and storing said root key pair in a server encrypted directory.
3. A system (100) according to claim 1, wherein the at least one client platform (102) that is in communication with and registrable to said server platform (104), said client platform further having means for receiving and installing said client private key and said master public key (MB) in a client encrypted directory; storing said integrity property hash value (IPHs) into said property configuration register (PCR); and installing said TLS extension module (102c).
4. A method (400) for mutual trusted authentication and identity encryption the method comprising steps of:
establishing security and integrity of a server platform (402);
establishing identity-based encryption of said server platform by utilizing transport layer security extension with properties based attestation mechanism in a TLS extension module associated with said server platform and integrated with a trusted authority (TA) associated with said server platform (404); and
securing data transmission channel using mutual identity encryption between a client platform and said server platform (406)
characterized in that establishing identity-based encryption of said server platform by utilizing transport layer security extension with properties based attestation mechanism in a TLS extension module associated with said server platform and integrated with a trusted authority (TA) associated with said server platform further comprises steps of:
generating unique system identity information (SIDs) of said server platform (502);
integrating said trusted authority (TA) with an integrity properties collection module (IPCM) associated with said server platform to obtain an integrity properties list (IPLs) of said server platform and generating an integrity property hash value (IPHs) for the server platform based in the integrity properties list (IPLs) (504);
generating a server private key based on said system identification information (SIDs) and said master secret key (MS) using said trusted authority (TA) (506);
generating and installing said TLS extension module embedded with said integrity properties list (IPLs) using said trusted authority (TA) (508); and
storing said system identity information (SIDs), master public key (MB), master private key (MS) and server private key are stored in a server encrypted directory (510).
5. A method (600) according to claim 4, wherein establishing security and integrity of said server platform further comprises steps of establishing trustworthiness of said server platform by installing Integrity Measurement Architecture (IMA) (602); generating a root key pair using a trusted platform module (TPM) (604); generating a master public key (MB) and a master secret key (MS) based on said root key pair using said trusted authority (TA) (606); and storing said master public key (MB) and said master secret key (MS) at a server secure storage (608).
6. A method (700) according to Claim 4, wherein securing data transmission channel using mutual identity encryption between a client platform and said server platform further comprises steps of receiving a request signal from said client platform (702); and establishing a handshake process between said client platform and said server platform (704).
7. A method (800) according to claim 6, wherein receiving a request signal from said client platform, further comprises steps of:
creating unique system identity information (SIDc) of said client platform (802);
integrating said trusted authority (TA) with said integrity properties collection module (IPCM) to obtain an integrity properties list (IPLc) of said client platform and generating an integrity property hash value (IPHc) for the client platform based on the integrity properties list (IPLc) (804);
generating a client private key based on said system identity information (SIDc) and said master secret key (MS) using said trusted authority (TA) (806);
generating TLS extension module embedded with said integrity properties list (IPLc) (808);
storing said integrity property hash value (IPHc) into a platform configuration register (PCR) (810);
sending said client private key, master public key (MB), integrity properties hash value (IPHs) and TLS extension module to said client platform (812);
installing said client private key and said master public key (MB) in a client encrypted directory of said client platform (814);
storing said integrity property hash value (IPHs) into said property configuration register (PCR) of said client platform (816); and
installing said TLS extension module onto said client platform (818).
8. A method (900) according to Claim 6, wherein establishing a handshake process between said client platform and said server platform further comprises steps of:
sending a client hello with encrypted integrity properties list (IPLc) from said client platform to said server platform (902);
decrypting received integrity properties list (IPLc) with said private key and generate integrity properties hash value (IPHs) and verifies with client integrity properties hash value (IPHc) (904);
verifying integrity properties list (IPLc) and, if valid, said server platform sends a server hello with encrypted integrity properties list (IPLs) and TPM certificate to said client platform (906, 910);
verifying integrity properties list (IPLs) by said client platform by decrypting received integrity properties hash value (IPHs) with said private key and generate integrity properties hash value (IPH) (912);
verifying integrity properties list (IPL) and, if valid said client platform verifies TPM certificate and sends client TPM certificate to said server platform and said server platform verifies received client TPM certificate (914, 916); and
initiating data transmission between client and server platform encrypted with TPM public key (918).
9. A method according to any of claim 4, wherein said integrity properties lists (IPLs, IPLc) are encrypted before embedding in said TLS extension modules such as using identity-based encryption.
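The hash-and-compare core of claims 7 and 8 (steps 804, 810 and 904), as an added example that is not code from the patent. It assumes SHA-256, a JSON-encoded integrity properties list and a PCR that starts at zero, and it leaves out the identity-based encryption and the TLS extension transport; the function names and sample properties are constructed for illustration.

```python
import hashlib
import hmac
import json

PCR_BYTES = 32  # assumption: SHA-256 PCR bank; the claims name no hash algorithm


def integrity_property_hash(ipl: dict) -> bytes:
    """IPH = SHA-256 over a canonical encoding of the integrity properties list.

    Sorting the keys makes the digest independent of the order in which the
    collection module emitted the properties.
    """
    canonical = json.dumps(ipl, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def provision(ipl: dict) -> bytes:
    """Steps 804 and 810: hash the IPL and record the hash in a PCR.

    Returns the PCR value the verifier keeps as its reference.
    """
    return pcr_extend(bytes(PCR_BYTES), integrity_property_hash(ipl))


def verify_hello(received_ipl: dict, reference_pcr: bytes) -> bool:
    """Step 904: recompute the hash from the already decrypted IPL and compare
    the resulting PCR value, in constant time, with the provisioned one."""
    candidate = pcr_extend(bytes(PCR_BYTES), integrity_property_hash(received_ipl))
    return hmac.compare_digest(candidate, reference_pcr)


# Constructed sample data, not taken from the patent.
CLIENT_IPL = {"bootloader": "grub-2.06", "kernel": "5.15.0-ima", "ima_policy": "tcb"}
REFERENCE = provision(CLIENT_IPL)
REORDERED = {"kernel": "5.15.0-ima", "ima_policy": "tcb", "bootloader": "grub-2.06"}
TAMPERED = dict(CLIENT_IPL, kernel="5.15.0-custom")

if __name__ == "__main__":
    print("reordered list accepted:", verify_hello(REORDERED, REFERENCE))
    print("tampered list accepted:", verify_hello(TAMPERED, REFERENCE))
```

A match only shows that the list equals the one recorded at provisioning; it says nothing about freshness, which the claims leave to the surrounding TLS handshake.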
PCT/MY2013/000161 2012-09-07 2013-09-06 A system and method of mutual trusted authentication and identity encryption WO2014038926A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2012003999 2012-09-07
MYPI2012003999A MY166563A (en) 2012-09-07 2012-09-07 A system and method of mutual trusted authentication and identity encryption

Publications (1)

Publication Number Publication Date
WO2014038926A1 (en) 2014-03-13

Family

ID=49304264

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2013/000161 WO2014038926A1 (en) 2012-09-07 2013-09-06 A system and method of mutual trusted authentication and identity encryption

Country Status (2)

Country Link
MY (1) MY166563A (en)
WO (1) WO2014038926A1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104038478A (en) * 2014-05-19 2014-09-10 瑞达信息安全产业股份有限公司 Embedded platform identity authentication trusted network connection method and system
US10320786B2 (en) 2015-09-14 2019-06-11 Samsung Electronics Co., Ltd. Electronic apparatus and method for controlling the same
EP3304412B1 (en) * 2015-09-14 2019-11-06 Samsung Electronics Co., Ltd. Electronic apparatus and method for controlling the same
US11050562B2 (en) 2016-01-29 2021-06-29 Hewlett Packard Enterprise Development Lp Target device attestation using a trusted platform module
WO2017172033A1 (en) * 2016-03-31 2017-10-05 Qualcomm Incorporated Transport layer security token binding and trusted signing
CN106060070A (en) * 2016-07-01 2016-10-26 中国人民解放军国防科学技术大学 TLS handshake protocol for identity-based cryptosystem
CN106060070B (en) * 2016-07-01 2019-05-10 中国人民解放军国防科学技术大学 The tls handshake protocol of ID-based cryptosystem system
DE102017212474A1 (en) * 2017-07-20 2019-01-24 Siemens Aktiengesellschaft Method and communication system for checking connection parameters of a cryptographically protected communication connection during connection establishment
CN108563953B (en) * 2018-03-26 2021-12-21 南京微可信信息技术有限公司 Safe and extensible trusted application development method
CN108563953A (en) * 2018-03-26 2018-09-21 南京微可信信息技术有限公司 A kind of trusted application development approach of secure extensible
CN110688638A (en) * 2018-07-04 2020-01-14 ***通信有限公司研究院 Service authentication method, device, medium and equipment
US11321465B2 (en) * 2019-04-04 2022-05-03 Cisco Technology, Inc. Network security by integrating mutual attestation
US20220222347A1 (en) * 2019-04-04 2022-07-14 Cisco Technology, Inc. Network security by integrating mutual attestation
US11934525B2 (en) 2019-04-04 2024-03-19 Cisco Technology, Inc. Network security by integrating mutual attestation
CN111147233A (en) * 2019-11-26 2020-05-12 北京八分量信息科技有限公司 Reliable implementation method and node for ABE attribute encryption
CN113810422A (en) * 2021-09-18 2021-12-17 四川中电启明星信息技术有限公司 Emqx browser architecture-based secure connection method for data of internet of things platform device

Also Published As

Publication number Publication date
MY166563A (en) 2018-07-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13773418

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13773418

Country of ref document: EP

Kind code of ref document: A1