TNC Client with PTS-IMC » History » Version 16
« Previous -
Version 16/69
(diff) -
Next » -
Current version
Andreas Steffen, 29.11.2011 16:58
TNC Client with PTS-IMC¶
This HOWTO explains in a step-for-step fashion how a strongSwan IPsec client with integrated TNC client functionality and an attached Platform Trust Service Integrity Measurement Collector (PTS-IMC) can provide remote attestation measurement data to a TNC server via the IKEv2 EAP-TTLS protocol.
- Table of contents
- TNC Client with PTS-IMC
Installation and Configuration¶
The following steps describe the installation of the strongSwan software
tar xjf strongswan-4.6.2dr1.tar.bz2
cd strongswan-4.6.2dr1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl
--enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls
--enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc --enable-imc-attestation
make
[sudo] make install
The connection between IPsec client carol and IPsec gateway moon is defined in the /etc/ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
conn home
left=%any
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=start
The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file.
The IKEv2 client carol is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:
# /etc/ipsec.secrets - strongSwan IPsec secrets file carol@strongswan.org : EAP "Ar3etTnp"
The following IKEv2 charon and Attestation IMC options are defined in the /etc/strongswan.conf file
# strongswan.conf - strongSwan configuration file
charon {
load = sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = en
}
}
}
libimcv {
plugins {
imc-attestation {
aik_cert = /home/andi/privacyca/AIK_3_Cert.der
aik_blob = /home/andi/privacyca/AIK_3_Blob.bin
pcr17_meas = d537d437f058136eb3d7be517dbe7647b623c619
pcr17_before = 1717171717171717171717171717171717171717
pcr17_after = ffffffffffffffffffffffffffffffffffffffff
pcr18_meas = 160d2b04d11eb225fb148615b699081869e15b6c
pcr18_before = 1818181818181818181818181818181818181818
pcr18_after = ffffffffffffffffffffffffffffffffffffffff
}
}
}
IKEv2 Negotiation¶
The command
ipsec start
starts the TNC-enabled IPsec client:
Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces: Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0 Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97 Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0 Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254 Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34
The file /etc/tnc_config
IMC configuration file for strongSwan client IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
defines which IMCs are loaded by the TNC client:
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config' Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701 Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
Next the IKEv2 credentials and all necessary plugins are loaded
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home' Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home' Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home' Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1 Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500] Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500] Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual EAP-TTLS only authentication:
Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ] Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ] Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8) Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0 Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
IKEv2 EAP-TTLS¶
The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication
Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011 Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0 Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Tunneled EAP-Identity¶
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID] Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00) Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Tunneled EAP-MD5 Client Authentication¶
Next follows an EAP-MD5 client authentication
Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36) Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Tunneled EAP-TNC Transport¶
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC] Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84) Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1
PB-TNC/IF-TNCCS 2.0 Connection¶
A new TNCCS connection is started on the TNC client and the IF-TNCCS 2.0 state machine is set to the Init state.
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared and a PB-Language-Preference message for Englisch (en) is added:
Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1 Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message
An instance of the Attestation PTS-IMC is created which in a first step determines the client operating systen
Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'
and then loads the AIK certificate and the matching AIK private key, the latter in the form of a TPM-encrypted binary blob
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der'
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin'
Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
Nov 29 07:39:23 merthyr charon: 02[PTS] 0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00 ................
Nov 29 07:39:23 merthyr charon: 02[PTS] 16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00 ................
Nov 29 07:39:23 merthyr charon: 02[PTS] 32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B ............._W[
Nov 29 07:39:23 merthyr charon: 02[PTS] 48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73 s_5...)......bls
Nov 29 07:39:23 merthyr charon: 02[PTS] 64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D ._..Z..r..Q..$..
Nov 29 07:39:23 merthyr charon: 02[PTS] 80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4 .........k......
Nov 29 07:39:23 merthyr charon: 02[PTS] 96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E t.%...GfX.e..6$.
Nov 29 07:39:23 merthyr charon: 02[PTS] 112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83 n"....cx.S3.".o.
Nov 29 07:39:23 merthyr charon: 02[PTS] 128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4 .*....>..Hc.L5..
Nov 29 07:39:23 merthyr charon: 02[PTS] 144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6 .~..M.Z.c.<.c.{.
Nov 29 07:39:23 merthyr charon: 02[PTS] 160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79 s.#...0;4l<...Jy
Nov 29 07:39:23 merthyr charon: 02[PTS] 176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86 .b....{.Z.o.z...
Nov 29 07:39:23 merthyr charon: 02[PTS] 192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16 .<..:..}GU.v..a.
Nov 29 07:39:23 merthyr charon: 02[PTS] 208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25 ".2....._.g....%
Nov 29 07:39:23 merthyr charon: 02[PTS] 224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2 Q.3..E.S.,+.Y...
Nov 29 07:39:23 merthyr charon: 02[PTS] 240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E a&6...\..p.j..0.
Nov 29 07:39:23 merthyr charon: 02[PTS] 256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15 F....<.....Y.\c.
Nov 29 07:39:23 merthyr charon: 02[PTS] 272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8 .w.E.k....&<.4..
Nov 29 07:39:23 merthyr charon: 02[PTS] 288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22 ..n..n}$.n+...."
Nov 29 07:39:23 merthyr charon: 02[PTS] 304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A 5".a.(.SJ.R...Z*
Nov 29 07:39:23 merthyr charon: 02[PTS] 320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D #:.2wSD..@~j(...
Nov 29 07:39:23 merthyr charon: 02[PTS] 336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03 ...|......f.....
Nov 29 07:39:23 merthyr charon: 02[PTS] 352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26 .3.......e.8'".&
Nov 29 07:39:23 merthyr charon: 02[PTS] 368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74 .......w^....I.t
Nov 29 07:39:23 merthyr charon: 02[PTS] 384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3 .n.1....KS=.\O..
Nov 29 07:39:23 merthyr charon: 02[PTS] 400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7 2}....*.j8......
Nov 29 07:39:23 merthyr charon: 02[PTS] 416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90 .9..9..8M1..o...
Nov 29 07:39:23 merthyr charon: 02[PTS] 432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA .C...%.y].{+..=.
Nov 29 07:39:23 merthyr charon: 02[PTS] 448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25 4...5;..wV....?%
Nov 29 07:39:23 merthyr charon: 02[PTS] 464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B ....#.....*.-..;
Nov 29 07:39:23 merthyr charon: 02[PTS] 480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E .wH...1.h..3|[..
Nov 29 07:39:23 merthyr charon: 02[PTS] 496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8 ........_..h....
Nov 29 07:39:23 merthyr charon: 02[PTS] 512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A .L....E.......T*
Nov 29 07:39:23 merthyr charon: 02[PTS] 528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC .Z.x<&[...K.]...
Nov 29 07:39:23 merthyr charon: 02[PTS] 544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB .V.......V..wz.
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1
Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information:
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC message with ID 0x569e528e Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 Nov 29 07:39:23 merthyr charon: 02[TNC] => 22 bytes @ 0x82452bc Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1 Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686 Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01 Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-PA message
The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the
PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server.
Nov 29 07:39:23 merthyr charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working' Nov 29 07:39:23 merthyr charon: 02[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1 Nov 29 07:39:23 merthyr charon: 02[TNC] => 105 bytes @ 0x82669a4 Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........ Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu Nov 29 07:39:23 merthyr charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en......... Nov 29 07:39:23 merthyr charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U.......... Nov 29 07:39:23 merthyr charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R.......... Nov 29 07:39:23 merthyr charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1 Nov 29 07:39:23 merthyr charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686 Nov 29 07:39:23 merthyr charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC] Nov 29 07:39:23 merthyr charon: 02[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ] Nov 29 07:39:23 merthyr charon: 02[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
As a response a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch is received from the TNC server
Nov 29 07:39:23 merthyr charon: 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 13[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC] Nov 29 07:39:23 merthyr charon: 13[TNC] received TNCCS batch (72 bytes) for Connection ID 1 Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x826212e Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........ Nov 29 07:39:23 merthyr charon: 13[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U......... Nov 29 07:39:23 merthyr charon: 13[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U..... Nov 29 07:39:23 merthyr charon: 13[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U..... Nov 29 07:39:23 merthyr charon: 13[TNC] 64: 00 00 00 10 00 00 80 00 ........ Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working' Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-TNC SDATA batch
containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-PA message (64 bytes) Nov 29 07:39:23 merthyr charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01 Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC message with ID 0x10fbc931
The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace:
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000 Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268da0 Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 00 0E .... Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000 Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268db0 Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 80 00 ....
namely the requests 'Request PTS Protocol Capabilities' and 'PTS Measurement Algorithm Request'. The PTS-IMV supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities and the PTS-IMC does as well.
Nov 29 07:39:23 merthyr charon: 13[PTS] supported PTS protocol capabilities: .VDT. Nov 29 07:39:23 merthyr charon: 13[PTS] selected PTS measurement algorithm is HASH_SHA1
The PTS-IMV proposes SHA-1 only for the PTS measurement algorithm which is accepted by the PTS-IMC. These two selections are sent back to the PTS-IMV in a PA-TNC message containing the TCG attributes 'PTS Protocol Capabilities' and 'PTS Measurement Algorithm":
Nov 29 07:39:23 merthyr charon: 13[TNC] creating PA-TNC message with ID 0x0ed3f1f3 Nov 29 07:39:23 merthyr charon: 13[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000 Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8266b04 Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 00 0E .... Nov 29 07:39:23 merthyr charon: 13[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000 Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x825f17c Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 80 00 .... Nov 29 07:39:23 merthyr charon: 13[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
This PA-TNC message is sent as a PB-PA payload in a PB-TNC CDATA batch to the TNC server:
Nov 29 07:39:23 merthyr charon: 13[TNC] creating PB-TNC CDATA batch Nov 29 07:39:23 merthyr charon: 13[TNC] adding PB-PA message Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working' Nov 29 07:39:23 merthyr charon: 13[TNC] sending PB-TNC CDATA batch (72 bytes) for Connection ID 1 Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x82679fc Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........ Nov 29 07:39:23 merthyr charon: 13[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U......... Nov 29 07:39:23 merthyr charon: 13[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U..... Nov 29 07:39:23 merthyr charon: 13[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U..... Nov 29 07:39:23 merthyr charon: 13[TNC] 64: 00 00 00 10 00 00 80 00 ........ Nov 29 07:39:23 merthyr charon: 13[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC] Nov 29 07:39:23 merthyr charon: 13[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ] Nov 29 07:39:23 merthyr charon: 13[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]