TNC Client with PTS-IMC » History » Version 3
Version 2 (Andreas Steffen, 29.11.2011 09:46) → Version 3/69 (Andreas Steffen, 29.11.2011 09:56)
h1. Platform Trust Service Integrity Measurement Collector (PTS-IMC)
With the command
<pre>
ipsec start
</pre>
the TNC-enabled IPsec client is started:
<pre>
Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces:
Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0
Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c
Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0
Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34
</pre>
The file /etc/tnc_config
<pre>
# IMC configuration file for strongSwan client
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
</pre>
defines which IMCs are loaded by the TNC client:
<pre>
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes
Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized
Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes
Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
</pre>
Next the IKEv2 credentials and all necessary plugins are loaded
<pre>
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
</pre>
Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange
<pre>
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local
Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home'
Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1
Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
</pre>
followed by the IKE_AUTH exchange, where the IKEv2 gateway proposes a mutual EAP-only authentication based on EAP-TTLS:
<pre>
Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home
Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0
Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
</pre>
The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication
<pre>
Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0
Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
<pre>
Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
followed by an EAP-MD5 client authentication
<pre>
Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36)
Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84)
Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1
Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1
</pre>
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch
Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message
</pre>
An instance of the Attestation PTS-IMC is created, which in a first step determines the client operating system
<pre>
Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'
</pre>
and then loads the AIK certificate and the private AIK key, the latter in the form of a TPM-encrypted binary blob
<pre>
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der'
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin'
Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1
</pre>
Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client
<pre>
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
</pre>
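As an added example that is not part of this wiki page or of the strongSwan code base, the following Python checker parses charon log lines like the ones above and verifies that the client reached the TNC handshake along the expected path: all mandatory PTS algorithms available, the Attestation IMC loaded, EAP-only authentication with a validated server certificate, the inner EAP methods tunneled inside EAP-TTLS, and the IMC reaching the 'Handshake' state. The sample lines are copied from the log above; the REQUIRED_PTS list and the check wording are assumptions of this example.

```python
import re

# Constructed sample: a subset of the charon log lines from the walk-through above.
# A real run would read the daemon's syslog output instead of this string.
SAMPLE_LOG = """\
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36)
Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84)
Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1
Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
"""

# syslog prefix, then "<thread>[<subsystem>] <message>" as charon writes it
LINE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ charon: (\d+)\[(\w+)\] (.*)$')

PATTERNS = {
    'pts_algo': re.compile(r'^(mandatory|optional) PTS (?:measurement algorithm|DH group) (\w+)\[\w+\] available$'),
    'imc_loaded': re.compile(r'^IMC (\d+) "([^"]+)" loaded from \'([^\']+)\'$'),
    'eap_req': re.compile(r'^server requested (EAP_\w+) authentication \(id (0x[0-9A-Fa-f]+)\)$'),
    'tls': re.compile(r'^negotiated TLS version (TLS [\d.]+) with suite (\w+)$'),
    'cert_status': re.compile(r'^certificate status is (\w+)$'),
    'conn_id': re.compile(r'^assigned TNCCS Connection ID (\d+)$'),
    'platform': re.compile(r"^platform is '([^']+)'$"),
    'imc_state': re.compile(r'^IMC (\d+) "([^"]+)" changed state of Connection ID (\d+) to \'(\w+)\'$'),
}

# Algorithms charon reports as "mandatory" in the log above (assumed required set).
REQUIRED_PTS = ('HASH_SHA1', 'HASH_SHA256', 'ECP_256')


def parse_log(text):
    """Yield (thread, subsystem, message) for each charon line; ignore other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def summarize(text):
    """Collect the security-relevant facts of one client start-up from the log."""
    s = {'pts_mandatory': [], 'pts_optional': [], 'imcs': {}, 'eap_methods': [],
         'eap_only': False, 'tls_suite': None, 'cert_status': None,
         'tncc_conn_id': None, 'platform': None, 'imc_states': []}
    for _thread, sub, msg in parse_log(text):
        if sub == 'PTS' and (m := PATTERNS['pts_algo'].match(msg)):
            s['pts_' + m.group(1)].append(m.group(2))
        elif sub == 'TNC' and (m := PATTERNS['imc_loaded'].match(msg)):
            s['imcs'][m.group(2)] = m.group(3)
        elif sub == 'IKE' and (m := PATTERNS['eap_req'].match(msg)):
            s['eap_methods'].append(m.group(1))   # order = order of server requests
        elif sub == 'IKE' and msg == 'allow mutual EAP-only authentication':
            s['eap_only'] = True
        elif sub == 'TLS' and (m := PATTERNS['tls'].match(msg)):
            s['tls_suite'] = m.group(2)
        elif sub == 'CFG' and (m := PATTERNS['cert_status'].match(msg)):
            s['cert_status'] = m.group(1)
        elif sub == 'TNC' and (m := PATTERNS['conn_id'].match(msg)):
            s['tncc_conn_id'] = int(m.group(1))
        elif sub == 'PTS' and (m := PATTERNS['platform'].match(msg)):
            s['platform'] = m.group(1)
        elif sub == 'IMC' and (m := PATTERNS['imc_state'].match(msg)):
            s['imc_states'].append((m.group(2), int(m.group(3)), m.group(4)))
    return s


def check_handshake(s):
    """Return findings; an empty list means the TNC handshake was reached as expected."""
    findings = []
    for algo in REQUIRED_PTS:
        if algo not in s['pts_mandatory']:
            findings.append(f'mandatory PTS algorithm {algo} not available')
    if 'Attestation' not in s['imcs']:
        findings.append('Attestation IMC was not loaded')
    if not s['eap_only']:
        findings.append('EAP-only authentication was not enabled')
    if s['cert_status'] != 'good':
        findings.append(f'server certificate status is {s["cert_status"]!r}, expected good')
    if s['eap_methods'][:1] != ['EAP_TTLS']:
        findings.append('outer EAP method is not EAP-TTLS, inner methods are not tunneled')
    if 'EAP_TNC' not in s['eap_methods']:
        findings.append('server never requested EAP-TNC, no assessment took place')
    if ('Attestation', s['tncc_conn_id'], 'Handshake') not in s['imc_states']:
        findings.append('Attestation IMC did not reach the Handshake state')
    return findings


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    print(summary['eap_methods'], check_handshake(summary) or 'OK')
```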