Abstract
This paper is motivated by the observation that existing security models for direct anonymous attestation (DAA) have problems to the extent that insecure protocols may be deemed secure when analysed under these models. This is particularly disturbing as DAA is one of the few complex cryptographic protocols resulting from recent theoretical advances actually deployed in real life. Moreover, standardization bodies are currently looking into designing the next generation of such protocols. Our first contribution is to identify issues in existing models for DAA and explain how these errors allow for proving security of insecure protocols. These issues are exhibited in all deployed and proposed DAA protocols (although they can often be easily fixed). Our second contribution is a new security model for a class of “pre-DAA scheme”, that is, DAA schemes where the computation on the user side takes place entirely on the trusted platform. Our model captures more accurately than any previous model the security properties demanded from DAA by the trusted computing group (TCG), the group that maintains the DAA standard. Extending the model from pre-DAA to full DAA is only a matter of refining the trust models on the parties involved. Finally, we present a generic construction of a DAA protocol from new building blocks tailored for anonymous attestation. Some of them are new variations on established ideas and may be of independent interest. We give instantiations for these building blocks that yield a DAA scheme more efficient than the one currently deployed, and as efficient as the one about to be standardized by the TCG which has no valid security proof.
Highlights
Direct Anonymous Attestation (DAA) [4] is one of the most complex cryptographic protocols deployed in the real world
This paper is motivated by the observation that all existing security models for DAA are deficient: they are either unrealisable in the standard model, do not capture some of the required functionality of the scheme or, worse, do not cover all realistic attack scenarios
In more detail the first part is structured as follows: In Section 2 we first discuss issues and problems in existing security models for DAA protocols, we present an overview of why our security model corrects, simplifies and expands on previous models
Summary
Direct Anonymous Attestation (DAA) [4] is one of the most complex cryptographic protocols deployed in the real world. Our model for pre-DAA schemes does not explicitly capture how an issuer authenticates a TPM, as this question is somehow orthogonal to the main functionality of a DAA protocol As this is an important issue for the use of TPMs in practice, we discuss various ways of authenticating this channel, paying particular attention to the types of authentication which have been opted for by the TCG group in relation to DAA. All existing pairing-based DAA schemes [6, 5, 7, 8, 18, 20, 19, 21, 22, 17] use exactly the same tag derived from BLS signatures [9]; our abstraction of the required functionality may lead to new constructions. A key issue which still needs to be addressed is how the TPM authenticates itself to the host; so to ensure a complete treatment in Section 5 we briefly turn to this issue and show how existing solutions for this fit
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
