TNC Client with PTS-IMC » History » Version 20
Andreas Steffen, 29.11.2011 18:44
| 1 | 16 | Andreas Steffen | h1. TNC Client with PTS-IMC |
|---|---|---|---|
| 2 | 15 | Andreas Steffen | |
| 3 | 15 | Andreas Steffen | This HOWTO explains in a step-for-step fashion how a strongSwan IPsec client with integrated TNC client functionality and an attached Platform Trust Service Integrity Measurement Collector (PTS-IMC) can provide remote attestation measurement data to a TNC server via the IKEv2 EAP-TTLS protocol. |
| 4 | 1 | Andreas Steffen | |
| 5 | 14 | Andreas Steffen | {{>toc}} |
| 6 | 14 | Andreas Steffen | |
| 7 | 13 | Andreas Steffen | h2. Installation and Configuration |
| 8 | 13 | Andreas Steffen | |
| 9 | 12 | Andreas Steffen | The following steps describe the installation of the strongSwan software |
| 10 | 12 | Andreas Steffen | <pre> |
| 11 | 12 | Andreas Steffen | tar xjf strongswan-4.6.2dr1.tar.bz2 |
| 12 | 12 | Andreas Steffen | cd strongswan-4.6.2dr1 |
| 13 | 12 | Andreas Steffen | ./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl |
| 14 | 12 | Andreas Steffen | --enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls |
| 15 | 12 | Andreas Steffen | --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc --enable-imc-attestation |
| 16 | 12 | Andreas Steffen | make |
| 17 | 12 | Andreas Steffen | [sudo] make install |
| 18 | 12 | Andreas Steffen | </pre> |
| 19 | 12 | Andreas Steffen | |
| 20 | 4 | Andreas Steffen | The connection between IPsec client *carol* and IPsec gateway *moon* is defined in the /etc/ipsec.conf file: |
| 21 | 4 | Andreas Steffen | <pre> |
| 22 | 4 | Andreas Steffen | # ipsec.conf - strongSwan IPsec configuration file |
| 23 | 4 | Andreas Steffen | |
| 24 | 4 | Andreas Steffen | config setup |
| 25 | 4 | Andreas Steffen | charondebug="tnc 3, imc 3, pts 3" |
| 26 | 4 | Andreas Steffen | |
| 27 | 4 | Andreas Steffen | conn home |
| 28 | 4 | Andreas Steffen | left=%any |
| 29 | 4 | Andreas Steffen | leftid=carol@strongswan.org |
| 30 | 4 | Andreas Steffen | leftauth=eap |
| 31 | 4 | Andreas Steffen | right=192.168.0.1 |
| 32 | 4 | Andreas Steffen | rightid=@moon.strongswan.org |
| 33 | 4 | Andreas Steffen | rightsendcert=never |
| 34 | 4 | Andreas Steffen | rightsubnet=10.1.0.0/16 |
| 35 | 4 | Andreas Steffen | auto=start |
| 36 | 4 | Andreas Steffen | </pre> |
| 37 | 4 | Andreas Steffen | |
| 38 | 5 | Andreas Steffen | The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file. |
| 39 | 4 | Andreas Steffen | |
| 40 | 4 | Andreas Steffen | The IKEv2 client *carol* is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file: |
| 41 | 4 | Andreas Steffen | <pre> |
| 42 | 4 | Andreas Steffen | # /etc/ipsec.secrets - strongSwan IPsec secrets file |
| 43 | 4 | Andreas Steffen | |
| 44 | 4 | Andreas Steffen | carol@strongswan.org : EAP "Ar3etTnp" |
| 45 | 4 | Andreas Steffen | </pre> |
| 46 | 4 | Andreas Steffen | |
| 47 | 8 | Andreas Steffen | The following IKEv2 charon and Attestation IMC options are defined in the /etc/strongswan.conf file |
| 48 | 1 | Andreas Steffen | <pre> |
| 49 | 8 | Andreas Steffen | # strongswan.conf - strongSwan configuration file |
| 50 | 8 | Andreas Steffen | |
| 51 | 8 | Andreas Steffen | charon { |
| 52 | 8 | Andreas Steffen | load = sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke |
| 53 | 8 | Andreas Steffen | plugins { |
| 54 | 1 | Andreas Steffen | eap-tnc { |
| 55 | 1 | Andreas Steffen | protocol = tnccs-2.0 |
| 56 | 12 | Andreas Steffen | } |
| 57 | 12 | Andreas Steffen | tnc-imc { |
| 58 | 12 | Andreas Steffen | preferred_language = en |
| 59 | 8 | Andreas Steffen | } |
| 60 | 8 | Andreas Steffen | } |
| 61 | 8 | Andreas Steffen | } |
| 62 | 8 | Andreas Steffen | |
| 63 | 8 | Andreas Steffen | libimcv { |
| 64 | 8 | Andreas Steffen | plugins { |
| 65 | 8 | Andreas Steffen | imc-attestation { |
| 66 | 8 | Andreas Steffen | aik_cert = /home/andi/privacyca/AIK_3_Cert.der |
| 67 | 8 | Andreas Steffen | aik_blob = /home/andi/privacyca/AIK_3_Blob.bin |
| 68 | 8 | Andreas Steffen | |
| 69 | 8 | Andreas Steffen | pcr17_meas = d537d437f058136eb3d7be517dbe7647b623c619 |
| 70 | 8 | Andreas Steffen | pcr17_before = 1717171717171717171717171717171717171717 |
| 71 | 8 | Andreas Steffen | pcr17_after = ffffffffffffffffffffffffffffffffffffffff |
| 72 | 8 | Andreas Steffen | |
| 73 | 8 | Andreas Steffen | pcr18_meas = 160d2b04d11eb225fb148615b699081869e15b6c |
| 74 | 8 | Andreas Steffen | pcr18_before = 1818181818181818181818181818181818181818 |
| 75 | 8 | Andreas Steffen | pcr18_after = ffffffffffffffffffffffffffffffffffffffff |
| 76 | 8 | Andreas Steffen | } |
| 77 | 8 | Andreas Steffen | } |
| 78 | 8 | Andreas Steffen | } |
| 79 | 8 | Andreas Steffen | </pre> |
| 80 | 8 | Andreas Steffen | |
| 81 | 13 | Andreas Steffen | h2. IKEv2 Negotiation |
| 82 | 13 | Andreas Steffen | |
| 83 | 18 | Andreas Steffen | h3. Startup and Initialization |
| 84 | 18 | Andreas Steffen | |
| 85 | 8 | Andreas Steffen | The command |
| 86 | 8 | Andreas Steffen | <pre> |
| 87 | 1 | Andreas Steffen | ipsec start |
| 88 | 1 | Andreas Steffen | </pre> |
| 89 | 1 | Andreas Steffen | |
| 90 | 8 | Andreas Steffen | starts the TNC-enabled IPsec client: |
| 91 | 1 | Andreas Steffen | <pre> |
| 92 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) |
| 93 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces: |
| 94 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0 |
| 95 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97 |
| 96 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c |
| 97 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0 |
| 98 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254 |
| 99 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34 |
| 100 | 1 | Andreas Steffen | </pre> |
| 101 | 1 | Andreas Steffen | |
| 102 | 1 | Andreas Steffen | The file /etc/tnc_config |
| 103 | 1 | Andreas Steffen | <pre> |
| 104 | 1 | Andreas Steffen | IMC configuration file for strongSwan client |
| 105 | 1 | Andreas Steffen | |
| 106 | 1 | Andreas Steffen | IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so |
| 107 | 1 | Andreas Steffen | </pre> |
| 108 | 1 | Andreas Steffen | |
| 109 | 1 | Andreas Steffen | defines which IMCs are loaded by the TNC client: |
| 110 | 1 | Andreas Steffen | <pre> |
| 111 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config' |
| 112 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available |
| 113 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available |
| 114 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available |
| 115 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available |
| 116 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available |
| 117 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available |
| 118 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available |
| 119 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available |
| 120 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes |
| 121 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes |
| 122 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized |
| 123 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized |
| 124 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes |
| 125 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace |
| 126 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace |
| 127 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' |
| 128 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' |
| 129 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' |
| 130 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized |
| 131 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function |
| 132 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701 |
| 133 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so' |
| 134 | 1 | Andreas Steffen | </pre> |
| 135 | 1 | Andreas Steffen | |
| 136 | 1 | Andreas Steffen | Next the IKEv2 credentials and all necessary plugins are loaded |
| 137 | 1 | Andreas Steffen | <pre> |
| 138 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' |
| 139 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' |
| 140 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' |
| 141 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' |
| 142 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' |
| 143 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' |
| 144 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' |
| 145 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org |
| 146 | 8 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke |
| 147 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads |
| 148 | 1 | Andreas Steffen | </pre> |
| 149 | 18 | Andreas Steffen | |
| 150 | 18 | Andreas Steffen | h3. IKEv2 Exchanges |
| 151 | 1 | Andreas Steffen | |
| 152 | 20 | Andreas Steffen | Due to auto=start the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange |
| 153 | 1 | Andreas Steffen | <pre> |
| 154 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home' |
| 155 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local |
| 156 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home' |
| 157 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home' |
| 158 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1 |
| 159 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] |
| 160 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500] |
| 161 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500] |
| 162 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] |
| 163 | 1 | Andreas Steffen | </pre> |
| 164 | 1 | Andreas Steffen | |
| 165 | 17 | Andreas Steffen | followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual IKEv2 EAP-TTLS only authentication: |
| 166 | 1 | Andreas Steffen | <pre> |
| 167 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home |
| 168 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ] |
| 169 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 170 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 171 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ] |
| 172 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8) |
| 173 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0 |
| 174 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication |
| 175 | 1 | Andreas Steffen | </pre> |
| 176 | 1 | Andreas Steffen | |
| 177 | 17 | Andreas Steffen | h3. IKEv2 EAP-TTLS Tunnel |
| 178 | 16 | Andreas Steffen | |
| 179 | 16 | Andreas Steffen | The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication |
| 180 | 1 | Andreas Steffen | <pre> |
| 181 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] |
| 182 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 183 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 184 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] |
| 185 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] |
| 186 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 187 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 188 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] |
| 189 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 190 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' |
| 191 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" |
| 192 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 193 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" |
| 194 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... |
| 195 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 196 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 197 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011 |
| 198 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good |
| 199 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0 |
| 200 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] |
| 201 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 202 | 1 | Andreas Steffen | </pre> |
| 203 | 1 | Andreas Steffen | |
| 204 | 16 | Andreas Steffen | h3. Tunneled EAP-Identity |
| 205 | 16 | Andreas Steffen | |
| 206 | 2 | Andreas Steffen | Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity |
| 207 | 2 | Andreas Steffen | <pre> |
| 208 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 209 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] |
| 210 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID] |
| 211 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00) |
| 212 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] |
| 213 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] |
| 214 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 215 | 1 | Andreas Steffen | </pre> |
| 216 | 1 | Andreas Steffen | |
| 217 | 16 | Andreas Steffen | h3. Tunneled EAP-MD5 Client Authentication |
| 218 | 16 | Andreas Steffen | |
| 219 | 16 | Andreas Steffen | Next follows an EAP-MD5 client authentication |
| 220 | 2 | Andreas Steffen | <pre> |
| 221 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 222 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] |
| 223 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] |
| 224 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36) |
| 225 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] |
| 226 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] |
| 227 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 228 | 1 | Andreas Steffen | </pre> |
| 229 | 2 | Andreas Steffen | |
| 230 | 16 | Andreas Steffen | h3. Tunneled EAP-TNC Transport |
| 231 | 16 | Andreas Steffen | |
| 232 | 2 | Andreas Steffen | Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started: |
| 233 | 2 | Andreas Steffen | <pre> |
| 234 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 235 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ] |
| 236 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC] |
| 237 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84) |
| 238 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1 |
| 239 | 1 | Andreas Steffen | </pre> |
| 240 | 1 | Andreas Steffen | |
| 241 | 14 | Andreas Steffen | h2. PB-TNC/IF-TNCCS 2.0 Connection |
| 242 | 1 | Andreas Steffen | |
| 243 | 20 | Andreas Steffen | A new TNCCS connection is instantiated on the TNC client and its IF-TNCCS 2.0 state machine is set to the Init state. |
| 244 | 14 | Andreas Steffen | |
| 245 | 2 | Andreas Steffen | !IF-TNCCS-20-State-Diagram.png! |
| 246 | 10 | Andreas Steffen | |
| 247 | 14 | Andreas Steffen | A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared and a PB-Language-Preference message for Englisch (en) is added: |
| 248 | 11 | Andreas Steffen | <pre> |
| 249 | 14 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1 |
| 250 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch |
| 251 | 2 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message |
| 252 | 2 | Andreas Steffen | </pre> |
| 253 | 3 | Andreas Steffen | |
| 254 | 3 | Andreas Steffen | An instance of the Attestation PTS-IMC is created which in a first step determines the client operating systen |
| 255 | 3 | Andreas Steffen | <pre> |
| 256 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686' |
| 257 | 3 | Andreas Steffen | </pre> |
| 258 | 3 | Andreas Steffen | |
| 259 | 9 | Andreas Steffen | and then loads the AIK certificate and the matching AIK private key, the latter in the form of a TPM-encrypted binary blob |
| 260 | 3 | Andreas Steffen | <pre> |
| 261 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der' |
| 262 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin' |
| 263 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24 |
| 264 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00 ................ |
| 265 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00 ................ |
| 266 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B ............._W[ |
| 267 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73 s_5...)......bls |
| 268 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D ._..Z..r..Q..$.. |
| 269 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4 .........k...... |
| 270 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E t.%...GfX.e..6$. |
| 271 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83 n"....cx.S3.".o. |
| 272 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4 .*....>..Hc.L5.. |
| 273 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6 .~..M.Z.c.<.c.{. |
| 274 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79 s.#...0;4l<...Jy |
| 275 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86 .b....{.Z.o.z... |
| 276 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16 .<..:..}GU.v..a. |
| 277 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25 ".2....._.g....% |
| 278 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2 Q.3..E.S.,+.Y... |
| 279 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E a&6...\..p.j..0. |
| 280 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15 F....<.....Y.\c. |
| 281 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8 .w.E.k....&<.4.. |
| 282 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22 ..n..n}$.n+...." |
| 283 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A 5".a.(.SJ.R...Z* |
| 284 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D #:.2wSD..@~j(... |
| 285 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03 ...|......f..... |
| 286 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26 .3.......e.8'".& |
| 287 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74 .......w^....I.t |
| 288 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3 .n.1....KS=.\O.. |
| 289 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7 2}....*.j8...... |
| 290 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90 .9..9..8M1..o... |
| 291 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA .C...%.y].{+..=. |
| 292 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25 4...5;..wV....?% |
| 293 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B ....#.....*.-..; |
| 294 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E .wH...1.h..3|[.. |
| 295 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8 ........_..h.... |
| 296 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A .L....E.......T* |
| 297 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC .Z.x<&[...K.]... |
| 298 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[PTS] 544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB .V.......V..wz. |
| 299 | 3 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1 |
| 300 | 3 | Andreas Steffen | </pre> |
| 301 | 3 | Andreas Steffen | |
| 302 | 3 | Andreas Steffen | Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client |
| 303 | 3 | Andreas Steffen | <pre> |
| 304 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake' |
| 305 | 5 | Andreas Steffen | </pre> |
| 306 | 5 | Andreas Steffen | |
| 307 | 5 | Andreas Steffen | The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information: |
| 308 | 5 | Andreas Steffen | <pre> |
| 309 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC message with ID 0x569e528e |
| 310 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 |
| 311 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] => 22 bytes @ 0x82452bc |
| 312 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1 |
| 313 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686 |
| 314 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01 |
| 315 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-PA message |
| 316 | 5 | Andreas Steffen | </pre> |
| 317 | 5 | Andreas Steffen | |
| 318 | 5 | Andreas Steffen | The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the |
| 319 | 5 | Andreas Steffen | PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server. |
| 320 | 5 | Andreas Steffen | <pre> |
| 321 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working' |
| 322 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1 |
| 323 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] => 105 bytes @ 0x82669a4 |
| 324 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........ |
| 325 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu |
| 326 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en......... |
| 327 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U.......... |
| 328 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R.......... |
| 329 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1 |
| 330 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686 |
| 331 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC] |
| 332 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ] |
| 333 | 5 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 02[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 334 | 1 | Andreas Steffen | </pre> |
| 335 | 1 | Andreas Steffen | |
| 336 | 17 | Andreas Steffen | h3. PTS Capability Discovery |
| 337 | 17 | Andreas Steffen | |
| 338 | 7 | Andreas Steffen | As a response a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch is received from the TNC server |
| 339 | 6 | Andreas Steffen | <pre> |
| 340 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 341 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ] |
| 342 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC] |
| 343 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] received TNCCS batch (72 bytes) for Connection ID 1 |
| 344 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x826212e |
| 345 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........ |
| 346 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U......... |
| 347 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U..... |
| 348 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U..... |
| 349 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 64: 00 00 00 10 00 00 80 00 ........ |
| 350 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working' |
| 351 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-TNC SDATA batch |
| 352 | 6 | Andreas Steffen | </pre> |
| 353 | 6 | Andreas Steffen | |
| 354 | 6 | Andreas Steffen | containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed: |
| 355 | 6 | Andreas Steffen | <pre> |
| 356 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-PA message (64 bytes) |
| 357 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01 |
| 358 | 6 | Andreas Steffen | </pre> |
| 359 | 6 | Andreas Steffen | |
| 360 | 6 | Andreas Steffen | The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace: |
| 361 | 1 | Andreas Steffen | <pre> |
| 362 | 19 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC message with ID 0x10fbc931 |
| 363 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000 |
| 364 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268da0 |
| 365 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 00 0E .... |
| 366 | 6 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000 |
| 367 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268db0 |
| 368 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 80 00 .... |
| 369 | 1 | Andreas Steffen | </pre> |
| 370 | 1 | Andreas Steffen | |
| 371 | 16 | Andreas Steffen | namely the requests 'Request PTS Protocol Capabilities' and 'PTS Measurement Algorithm Request'. The PTS-IMV supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities and the PTS-IMC does as well. |
| 372 | 16 | Andreas Steffen | |
| 373 | 16 | Andreas Steffen | <pre> |
| 374 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[PTS] supported PTS protocol capabilities: .VDT. |
| 375 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[PTS] selected PTS measurement algorithm is HASH_SHA1 |
| 376 | 16 | Andreas Steffen | </pre> |
| 377 | 16 | Andreas Steffen | |
| 378 | 16 | Andreas Steffen | The PTS-IMV proposes SHA-1 only for the PTS measurement algorithm which is accepted by the PTS-IMC. These two selections are sent back to the PTS-IMV in a PA-TNC message containing the TCG attributes 'PTS Protocol Capabilities' and 'PTS Measurement Algorithm": |
| 379 | 16 | Andreas Steffen | <pre> |
| 380 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] creating PA-TNC message with ID 0x0ed3f1f3 |
| 381 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000 |
| 382 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8266b04 |
| 383 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 00 0E .... |
| 384 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000 |
| 385 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x825f17c |
| 386 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 80 00 .... |
| 387 | 16 | Andreas Steffen | </pre> |
| 388 | 16 | Andreas Steffen | |
| 389 | 1 | Andreas Steffen | This PA-TNC message is sent as a PB-PA payload in a PB-TNC CDATA batch to the TNC server: |
| 390 | 16 | Andreas Steffen | <pre> |
| 391 | 19 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01 |
| 392 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] creating PB-TNC CDATA batch |
| 393 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] adding PB-PA message |
| 394 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working' |
| 395 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] sending PB-TNC CDATA batch (72 bytes) for Connection ID 1 |
| 396 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x82679fc |
| 397 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........ |
| 398 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U......... |
| 399 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U..... |
| 400 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U..... |
| 401 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[TNC] 64: 00 00 00 10 00 00 80 00 ........ |
| 402 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC] |
| 403 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ] |
| 404 | 16 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 13[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 405 | 17 | Andreas Steffen | </pre> |
| 406 | 1 | Andreas Steffen | |
| 407 | 17 | Andreas Steffen | h3. DH Nonce Parameters |
| 408 | 17 | Andreas Steffen | |
| 409 | 17 | Andreas Steffen | <pre> |
| 410 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 411 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ] |
| 412 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC] |
| 413 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] received TNCCS batch (56 bytes) for Connection ID 1 |
| 414 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] => 56 bytes @ 0x825e5b6 |
| 415 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........ |
| 416 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U......... |
| 417 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 32: 01 00 00 00 C2 D1 8E F1 80 00 55 97 03 00 00 00 ..........U..... |
| 418 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 48: 00 00 00 10 00 00 F0 00 ........ |
| 419 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] PB-TNC state transition from 'Server Working' to 'Client Working' |
| 420 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] processing PB-TNC SDATA batch |
| 421 | 17 | Andreas Steffen | </pre> |
| 422 | 1 | Andreas Steffen | |
| 423 | 19 | Andreas Steffen | containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed: |
| 424 | 1 | Andreas Steffen | <pre> |
| 425 | 19 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] processing PB-PA message (48 bytes) |
| 426 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01 |
| 427 | 19 | Andreas Steffen | </pre> |
| 428 | 19 | Andreas Steffen | |
| 429 | 19 | Andreas Steffen | <pre> |
| 430 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] processing PA-TNC message with ID 0xc2d18ef1 |
| 431 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000 |
| 432 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] => 4 bytes @ 0x82452d0 |
| 433 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 0: 00 00 F0 00 .... |
| 434 | 19 | Andreas Steffen | </pre> |
| 435 | 19 | Andreas Steffen | |
| 436 | 19 | Andreas Steffen | <pre> |
| 437 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[PTS] selected PTS DH group is ECP_256 |
| 438 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[PTS] nonce length is 20 |
| 439 | 19 | Andreas Steffen | </pre> |
| 440 | 19 | Andreas Steffen | |
| 441 | 19 | Andreas Steffen | <pre> |
| 442 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] creating PA-TNC message with ID 0xa69f8b02 |
| 443 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000 |
| 444 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] => 92 bytes @ 0x826a53c |
| 445 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 0: 00 00 00 14 10 00 E0 00 AA B1 9A 5C 9B 47 D0 0D ...........\.G.. |
| 446 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 16: EF 3B F4 48 7A 55 EF DA 89 55 D3 74 DF CE B2 FB .;.HzU...U.t.... |
| 447 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 32: 44 16 FD 98 44 1D 79 1F 36 7A A5 67 94 30 81 C8 D...D.y.6z.g.0.. |
| 448 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 48: 38 A8 1A AD 99 55 0E 91 2F E4 36 62 FA C2 08 63 8....U../.6b...c |
| 449 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 64: 88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A .iAy5.d.L...{^.. |
| 450 | 1 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 80: E0 E9 74 66 4C BB 06 3B F8 DE 96 2E ..tfL..;.... |
| 451 | 19 | Andreas Steffen | </pre> |
| 452 | 19 | Andreas Steffen | |
| 453 | 19 | Andreas Steffen | <pre> |
| 454 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01 |
| 455 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] creating PB-TNC CDATA batch |
| 456 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] adding PB-PA message |
| 457 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working' |
| 458 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] sending PB-TNC CDATA batch (144 bytes) for Connection ID 1 |
| 459 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] => 144 bytes @ 0x826e85c |
| 460 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................ |
| 461 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U......... |
| 462 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 32: 01 00 00 00 A6 9F 8B 02 00 00 55 97 04 00 00 00 ..........U..... |
| 463 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 AA B1 9A 5C ...h...........\ |
| 464 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 64: 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA 89 55 D3 74 .G...;.HzU...U.t |
| 465 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 80: DF CE B2 FB 44 16 FD 98 44 1D 79 1F 36 7A A5 67 ....D...D.y.6z.g |
| 466 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 96: 94 30 81 C8 38 A8 1A AD 99 55 0E 91 2F E4 36 62 .0..8....U../.6b |
| 467 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 112: FA C2 08 63 88 69 41 79 35 D4 64 8C 4C D4 CB E9 ...c.iAy5.d.L... |
| 468 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[TNC] 128: 7B 5E CF 0A E0 E9 74 66 4C BB 06 3B F8 DE 96 2E {^....tfL..;.... |
| 469 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC] |
| 470 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ] |
| 471 | 17 | Andreas Steffen | Nov 29 07:39:23 merthyr charon: 01[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 472 | 16 | Andreas Steffen | </pre> |