TNC Client with PTS-IMC » History » Version 4

Andreas Steffen, 29.11.2011 10:20
update PTS-IMC pages


Platform Trust Service Integrity Measurement Collector (PTS-IMC)

The connection between IPsec client carol and IPsec gateway moon is defined in the /etc/ipsec.conf file:

# ipsec.conf - strongSwan IPsec configuration file

config setup
     plutostart=no
     charonstart=yes
     charondebug="tnc 3, imc 3, pts 3" 

conn home
     left=%any
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=start

The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of messages and attributes will be included in the log file.

The IKEv2 client carol is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp" 

With the command

ipsec start

the TNC-enabled IPsec client is started:

Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces:
Nov 29 07:39:21 merthyr charon: 00[KNL]   wlan0
Nov 29 07:39:21 merthyr charon: 00[KNL]     10.35.167.97
Nov 29 07:39:21 merthyr charon: 00[KNL]     fe80::221:6aff:fe06:cf4c
Nov 29 07:39:21 merthyr charon: 00[KNL]   umlbr0
Nov 29 07:39:21 merthyr charon: 00[KNL]     192.168.0.254
Nov 29 07:39:21 merthyr charon: 00[KNL]     fe80::103c:e8ff:fec0:db34

The file /etc/tnc_config

# IMC configuration file for strongSwan client

IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so

defines which IMCs are loaded by the TNC client:

Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Nov 29 07:39:21 merthyr charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group MODP_2048[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group MODP_1536[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group MODP_1024[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes
Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized
Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes
Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'

Next, the IKEv2 credentials and all necessary plugins are loaded:

Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:21 merthyr charon: 00[CFG]   loaded EAP secret for carol@strongswan.org
Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke 
Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads

Now the IKEv2 negotiation starts automatically with the IKE_SA_INIT exchange:

Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local
Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home'
Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1
Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

followed by the IKE_AUTH exchange, in which the IKEv2 gateway proposes a mutual EAP-only authentication based on EAP-TTLS:

Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home
Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0
Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication

The TLS tunnel of EAP-TTLS is set up with certificate-based server authentication: the client validates the gateway certificate against the trusted root CA and fetches the CRL to check its revocation status:

Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 merthyr charon: 15[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" 
Nov 29 07:39:22 merthyr charon: 15[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" 
Nov 29 07:39:22 merthyr charon: 15[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Nov 29 07:39:22 merthyr charon: 15[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 29 07:39:22 merthyr charon: 15[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 29 07:39:22 merthyr charon: 15[CFG]   crl is valid: until Dec 02 09:19:24 2011
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:22 merthyr charon: 15[CFG]   reached self-signed root ca with a path length of 0
Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]

Via the EAP-TTLS tunnel the server requests the EAP client identity:

Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]

followed by an EAP-MD5 client authentication:

Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36)
Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]

Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:

Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84)
Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1
Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1

A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared:

Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch
Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message

An instance of the Attestation PTS-IMC is created, which in a first step determines the client operating system:

Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'

and then loads the AIK certificate and the private AIK key, the latter in the form of a TPM-encrypted binary blob:

Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der'
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin'
Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
Nov 29 07:39:23 merthyr charon: 02[PTS]    0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00  ................
Nov 29 07:39:23 merthyr charon: 02[PTS]   16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00  ................
Nov 29 07:39:23 merthyr charon: 02[PTS]   32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B  ............._W[
Nov 29 07:39:23 merthyr charon: 02[PTS]   48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73  s_5...)......bls
Nov 29 07:39:23 merthyr charon: 02[PTS]   64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D  ._..Z..r..Q..$..
Nov 29 07:39:23 merthyr charon: 02[PTS]   80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4  .........k......
Nov 29 07:39:23 merthyr charon: 02[PTS]   96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E  t.%...GfX.e..6$.
Nov 29 07:39:23 merthyr charon: 02[PTS]  112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83  n"....cx.S3.".o.
Nov 29 07:39:23 merthyr charon: 02[PTS]  128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4  .*....>..Hc.L5..
Nov 29 07:39:23 merthyr charon: 02[PTS]  144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6  .~..M.Z.c.<.c.{.
Nov 29 07:39:23 merthyr charon: 02[PTS]  160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79  s.#...0;4l<...Jy
Nov 29 07:39:23 merthyr charon: 02[PTS]  176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86  .b....{.Z.o.z...
Nov 29 07:39:23 merthyr charon: 02[PTS]  192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16  .<..:..}GU.v..a.
Nov 29 07:39:23 merthyr charon: 02[PTS]  208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25  ".2....._.g....%
Nov 29 07:39:23 merthyr charon: 02[PTS]  224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2  Q.3..E.S.,+.Y...
Nov 29 07:39:23 merthyr charon: 02[PTS]  240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E  a&6...\..p.j..0.
Nov 29 07:39:23 merthyr charon: 02[PTS]  256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15  F....<.....Y.\c.
Nov 29 07:39:23 merthyr charon: 02[PTS]  272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8  .w.E.k....&<.4..
Nov 29 07:39:23 merthyr charon: 02[PTS]  288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22  ..n..n}$.n+...." 
Nov 29 07:39:23 merthyr charon: 02[PTS]  304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A  5".a.(.SJ.R...Z*
Nov 29 07:39:23 merthyr charon: 02[PTS]  320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D  #:.2wSD..@~j(...
Nov 29 07:39:23 merthyr charon: 02[PTS]  336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03  ...|......f.....
Nov 29 07:39:23 merthyr charon: 02[PTS]  352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26  .3.......e.8'".&
Nov 29 07:39:23 merthyr charon: 02[PTS]  368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74  .......w^....I.t
Nov 29 07:39:23 merthyr charon: 02[PTS]  384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3  .n.1....KS=.\O..
Nov 29 07:39:23 merthyr charon: 02[PTS]  400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7  2}....*.j8......
Nov 29 07:39:23 merthyr charon: 02[PTS]  416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90  .9..9..8M1..o...
Nov 29 07:39:23 merthyr charon: 02[PTS]  432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA  .C...%.y].{+..=.
Nov 29 07:39:23 merthyr charon: 02[PTS]  448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25  4...5;..wV....?%
Nov 29 07:39:23 merthyr charon: 02[PTS]  464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B  ....#.....*.-..;
Nov 29 07:39:23 merthyr charon: 02[PTS]  480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E  .wH...1.h..3|[..
Nov 29 07:39:23 merthyr charon: 02[PTS]  496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8  ........_..h....
Nov 29 07:39:23 merthyr charon: 02[PTS]  512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A  .L....E.......T*
Nov 29 07:39:23 merthyr charon: 02[PTS]  528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC  .Z.x<&[...K.]...
Nov 29 07:39:23 merthyr charon: 02[PTS]  544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB     .V.......V..wz.
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1
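
The hex dump above is produced only because `charondebug` raises the `pts` level to 3, so it is worth knowing what it actually exposes. The following added example (not strongSwan code, written for this page) reassembles the dumped bytes from the charon log lines, checks them against the announced byte count, and decodes the result. It assumes the blob is a TPM 1.2 `TPM_KEY` structure as handed out by the TSS, which the leading `01 01 00 00` (a `TPM_STRUCT_VER`) suggests; the field sizes derived under that assumption add up to exactly the 559 bytes charon reports, which is the consistency check the parser enforces. The `KEY_USAGE` table and `TPM_ALG_RSA` value are taken from the TPM 1.2 structures specification; `describe_aik` is a helper name chosen here.

```python
import re
import struct

# The 'AIK Blob' hex dump exactly as charon writes it at 'pts 3' debug level,
# copied from the log excerpt on this page (size header plus 35 dump lines).
CHARON_LOG = r"""
Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
Nov 29 07:39:23 merthyr charon: 02[PTS]    0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00  ................
Nov 29 07:39:23 merthyr charon: 02[PTS]   16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00  ................
Nov 29 07:39:23 merthyr charon: 02[PTS]   32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B  ............._W[
Nov 29 07:39:23 merthyr charon: 02[PTS]   48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73  s_5...)......bls
Nov 29 07:39:23 merthyr charon: 02[PTS]   64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D  ._..Z..r..Q..$..
Nov 29 07:39:23 merthyr charon: 02[PTS]   80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4  .........k......
Nov 29 07:39:23 merthyr charon: 02[PTS]   96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E  t.%...GfX.e..6$.
Nov 29 07:39:23 merthyr charon: 02[PTS]  112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83  n"....cx.S3.".o.
Nov 29 07:39:23 merthyr charon: 02[PTS]  128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4  .*....>..Hc.L5..
Nov 29 07:39:23 merthyr charon: 02[PTS]  144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6  .~..M.Z.c.<.c.{.
Nov 29 07:39:23 merthyr charon: 02[PTS]  160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79  s.#...0;4l<...Jy
Nov 29 07:39:23 merthyr charon: 02[PTS]  176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86  .b....{.Z.o.z...
Nov 29 07:39:23 merthyr charon: 02[PTS]  192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16  .<..:..}GU.v..a.
Nov 29 07:39:23 merthyr charon: 02[PTS]  208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25  ".2....._.g....%
Nov 29 07:39:23 merthyr charon: 02[PTS]  224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2  Q.3..E.S.,+.Y...
Nov 29 07:39:23 merthyr charon: 02[PTS]  240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E  a&6...\..p.j..0.
Nov 29 07:39:23 merthyr charon: 02[PTS]  256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15  F....<.....Y.\c.
Nov 29 07:39:23 merthyr charon: 02[PTS]  272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8  .w.E.k....&<.4..
Nov 29 07:39:23 merthyr charon: 02[PTS]  288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22  ..n..n}$.n+...."
Nov 29 07:39:23 merthyr charon: 02[PTS]  304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A  5".a.(.SJ.R...Z*
Nov 29 07:39:23 merthyr charon: 02[PTS]  320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D  #:.2wSD..@~j(...
Nov 29 07:39:23 merthyr charon: 02[PTS]  336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03  ...|......f.....
Nov 29 07:39:23 merthyr charon: 02[PTS]  352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26  .3.......e.8'".&
Nov 29 07:39:23 merthyr charon: 02[PTS]  368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74  .......w^....I.t
Nov 29 07:39:23 merthyr charon: 02[PTS]  384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3  .n.1....KS=.\O..
Nov 29 07:39:23 merthyr charon: 02[PTS]  400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7  2}....*.j8......
Nov 29 07:39:23 merthyr charon: 02[PTS]  416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90  .9..9..8M1..o...
Nov 29 07:39:23 merthyr charon: 02[PTS]  432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA  .C...%.y].{+..=.
Nov 29 07:39:23 merthyr charon: 02[PTS]  448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25  4...5;..wV....?%
Nov 29 07:39:23 merthyr charon: 02[PTS]  464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B  ....#.....*.-..;
Nov 29 07:39:23 merthyr charon: 02[PTS]  480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E  .wH...1.h..3|[..
Nov 29 07:39:23 merthyr charon: 02[PTS]  496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8  ........_..h....
Nov 29 07:39:23 merthyr charon: 02[PTS]  512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A  .L....E.......T*
Nov 29 07:39:23 merthyr charon: 02[PTS]  528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC  .Z.x<&[...K.]...
Nov 29 07:39:23 merthyr charon: 02[PTS]  544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB     .V.......V..wz.
"""

SIZE_LINE = re.compile(r"=> (\d+) bytes @")
DUMP_LINE = re.compile(r"\[PTS\]\s+(\d+): ((?:[0-9A-F]{2} )*[0-9A-F]{2})")

def reassemble_dump(log):
    """Rebuild the dumped bytes from charon's 'offset: hex  ascii' lines and
    cross-check the result against the byte count announced in the header."""
    announced, data = None, bytearray()
    for line in log.splitlines():
        m = SIZE_LINE.search(line)
        if m:
            announced = int(m.group(1))
            continue
        m = DUMP_LINE.search(line)
        if m is None:
            continue
        if int(m.group(1)) != len(data):       # missing or reordered log line
            raise ValueError(f"dump not contiguous at offset {m.group(1)}")
        data += bytes.fromhex(m.group(2))
    if announced is not None and announced != len(data):
        raise ValueError(f"header announces {announced} bytes, got {len(data)}")
    return bytes(data)

KEY_USAGE = {0x10: "SIGNING", 0x11: "STORAGE", 0x12: "IDENTITY", 0x14: "BIND"}
TPM_ALG_RSA = 1

def parse_tpm_key(blob):
    """Decode the TPM 1.2 TPM_KEY structure (big-endian fields): struct version,
    key usage/flags, RSA parameters, the clear-text public modulus and the
    parent-wrapped private part (encData) that only the owning TPM can unwrap."""
    off = 4                                              # skip TPM_STRUCT_VER
    usage, flags, auth_usage = struct.unpack_from(">HIB", blob, off); off += 7
    alg, enc_scheme, sig_scheme, parm_size = struct.unpack_from(">IHHI", blob, off); off += 12
    if alg != TPM_ALG_RSA or parm_size != 12:
        raise ValueError(f"not an RSA TPM_KEY (alg {alg:#x}, parmSize {parm_size})")
    key_bits, num_primes, exp_size = struct.unpack_from(">III", blob, off); off += 12
    pcr_info_size, = struct.unpack_from(">I", blob, off); off += 4 + pcr_info_size
    pub_len, = struct.unpack_from(">I", blob, off); off += 4
    modulus = blob[off:off + pub_len]; off += pub_len
    enc_len, = struct.unpack_from(">I", blob, off); off += 4
    enc_data = blob[off:off + enc_len]; off += enc_len
    if off != len(blob):
        raise ValueError(f"TPM_KEY ends at {off}, blob has {len(blob)} bytes")
    # a real RSA modulus fills the declared size, has its top bit set and is odd
    if len(modulus) * 8 != key_bits or not modulus[0] & 0x80 or not modulus[-1] & 1:
        raise ValueError("public modulus inconsistent with declared key size")
    return {"version": tuple(blob[:4]), "usage": KEY_USAGE.get(usage, hex(usage)),
            "volatile": bool(flags & 0x04), "auth_required": auth_usage != 0,
            "key_bits": key_bits, "num_primes": num_primes,
            "default_exponent": exp_size == 0,         # 0 = 2^16 + 1
            "enc_scheme": enc_scheme, "sig_scheme": sig_scheme,
            "encdata_len": len(enc_data)}

def describe_aik(log):
    """Helper: charon log text in, decoded TPM_KEY summary out."""
    return parse_tpm_key(reassemble_dump(log))
```

For the log above, `describe_aik(CHARON_LOG)` reports an identity key (`TPM_KEY_IDENTITY`) with a 2048-bit, two-prime RSA public key, no authorization secret, and a 256-byte wrapped private part. The practical point for anyone reviewing such logs: at `pts 3` the debug output carries the complete AIK blob, but the private portion appears only in its TPM-wrapped form, so the log discloses the public key and the structure, not a usable private key.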

Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client:

Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'