TNC Client with PTS-IMC » History » Version 59

Version 58 (Andreas Steffen, 09.02.2012 15:05) → Version 59/69 (Andreas Steffen, 09.02.2012 15:18)

h1. TNC Client with PTS-IMC

This HOWTO explains step by step how a strongSwan IPsec client with integrated TNC client functionality and an attached Platform Trust Service Integrity Measurement Collector (PTS-IMC) can provide remote attestation measurement data to a TNC server via the IKEv2 EAP-TTLS protocol.

{{>toc}}

h2. Installation and Configuration

The following steps describe the installation of the strongSwan software:
<pre>
wget http://download.strongswan.org/strongswan-4.6.2rc1.tar.bz2
tar xjf strongswan-4.6.2rc1.tar.bz2
cd strongswan-4.6.2rc1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
            --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
            --enable-tnccs-20 --enable-tnc-imc --enable-imc-attestation
make
[sudo] make install
</pre>
The strongSwan *imc-attestation.so* dynamic PTS-IMC library depends on the "TrouSerS":http://sourceforge.net/projects/trousers/ libtspi library. Compilation additionally requires the header files in /usr/include/trousers/.

The connection between IPsec client *carol* and IPsec gateway *moon* is defined in the /etc/ipsec.conf file:
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="tnc 3, imc 3, pts 3"

conn home
    left=%any
    leftid=carol@strongswan.org
    leftauth=eap
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsendcert=never
    rightsubnet=10.1.0.0/16
    auto=start
</pre>

The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file.

The IKEv2 client *carol* is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp"
</pre>

The following IKEv2 charon and Attestation IMC options are defined in the /etc/strongswan.conf file:
<pre>
# strongswan.conf - strongSwan configuration file

charon {
  load = sha1 random gmp pkcs1 pkcs8 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
  plugins {
    eap-tnc {
      protocol = tnccs-2.0
    }
    tnc-imc {
      preferred_language = en
    }
  }
}

libimcv {
  plugins {
    imc-attestation {
      aik_cert = /home/andi/privacyca/AIK_3_Cert.der
      aik_blob = /home/andi/privacyca/AIK_3_Blob.bin

      pcr17_meas = d537d437f058136eb3d7be517dbe7647b623c619
      pcr17_before = 1717171717171717171717171717171717171717
      pcr17_after = ffffffffffffffffffffffffffffffffffffffff

      pcr18_meas = 160d2b04d11eb225fb148615b699081869e15b6c
      pcr18_before = 1818181818181818181818181818181818181818
      pcr18_after = ffffffffffffffffffffffffffffffffffffffff
    }
  }
}
</pre>

h2. IKEv2 Negotiation

h3. Startup and Initialization

The command
<pre>
ipsec start
</pre>

starts the TNC-enabled IPsec client:
<pre>
Feb 9 14:53:42 pin1212a00 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2rc1)
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] listening on interfaces:
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] eth0
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] 152.96.31.100
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] fe80::219:99ff:feb3:92c3
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] umlbr0
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] 192.168.0.254
Feb 9 14:53:42 pin1212a00 charon: 00[KNL] fe80::9cb8:adff:fe5a:270a
</pre>

The file /etc/tnc_config
<pre>
# IMC configuration file for strongSwan client

IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
</pre>

defines which IMCs are loaded by the TNC client:
<pre>
Feb 9 14:53:42 pin1212a00 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Feb 9 14:53:42 pin1212a00 charon: 00[TNC] added IETF attributes
Feb 9 14:53:42 pin1212a00 charon: 00[TNC] added ITA-HSR attributes
Feb 9 14:53:42 pin1212a00 charon: 00[LIB] libimcv initialized
Feb 9 14:53:42 pin1212a00 charon: 00[IMC] IMC 1 "Attestation" initialized
Feb 9 14:53:42 pin1212a00 charon: 00[TNC] added TCG attributes
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] added TCG functional component namespace
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] added ITA-HSR functional component namespace
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Feb 9 14:53:42 pin1212a00 charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Feb 9 14:53:42 pin1212a00 charon: 00[LIB] libpts initialized
Feb 9 14:53:42 pin1212a00 charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Feb 9 14:53:42 pin1212a00 charon: 00[TNC] IMC 1 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001
Feb 9 14:53:42 pin1212a00 charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
</pre>

Next, the IKEv2 credentials, all necessary plugins, and the IPsec connection definition are loaded:
<pre>
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 9 14:53:42 pin1212a00 charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Feb 9 14:53:42 pin1212a00 charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pkcs8 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
Feb 9 14:53:42 pin1212a00 charon: 00[JOB] spawning 16 worker threads
Feb 9 14:53:42 pin1212a00 charon: 09[CFG] received stroke: add connection 'home'
Feb 9 14:53:42 pin1212a00 charon: 09[CFG] left nor right host is our side, assuming left=local
Feb 9 14:53:42 pin1212a00 charon: 09[CFG] added configuration 'home'
</pre>

h3. IKEv2 Exchanges

Because of auto=start, the IKEv2 negotiation starts automatically with the IKE_SA_INIT exchange
<pre>
Feb 9 14:53:48 pin1212a00 charon: 07[CFG] received stroke: initiate 'home'
Feb 9 14:53:48 pin1212a00 charon: 12[IKE] initiating IKE_SA home[1] to 192.168.0.1
Feb 9 14:53:48 pin1212a00 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 9 14:53:48 pin1212a00 charon: 12[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Feb 9 14:53:48 pin1212a00 charon: 13[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Feb 9 14:53:48 pin1212a00 charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
</pre>

followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual IKEv2 EAP-TTLS only authentication:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 13[IKE] establishing CHILD_SA home
Feb 9 14:53:48 pin1212a00 charon: 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 9 14:53:48 pin1212a00 charon: 13[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 9 14:53:48 pin1212a00 charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 14[IKE] server requested EAP_TTLS authentication (id 0x0A)
Feb 9 14:53:48 pin1212a00 charon: 14[TLS] EAP_TTLS version is v0
Feb 9 14:53:48 pin1212a00 charon: 14[IKE] allow mutual EAP-only authentication
</pre>

h3. IKEv2 EAP-TTLS Tunnel

The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication
<pre>
Feb 9 14:53:48 pin1212a00 charon: 14[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 9 14:53:48 pin1212a00 charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 15[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 9 14:53:48 pin1212a00 charon: 11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 11[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Feb 9 14:53:48 pin1212a00 charon: 11[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] crl is valid: until Mar 09 10:28:34 2012
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] certificate status is good
Feb 9 14:53:48 pin1212a00 charon: 11[CFG] reached self-signed root ca with a path length of 0
Feb 9 14:53:48 pin1212a00 charon: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 11[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. Tunneled EAP-Identity

Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
<pre>
Feb 9 14:53:48 pin1212a00 charon: 08[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 08[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Feb 9 14:53:48 pin1212a00 charon: 08[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Feb 9 14:53:48 pin1212a00 charon: 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Feb 9 14:53:48 pin1212a00 charon: 08[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 08[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. Tunneled EAP-MD5 Client Authentication

Next follows an EAP-MD5 client authentication
<pre>
Feb 9 14:53:48 pin1212a00 charon: 09[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 09[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 09[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Feb 9 14:53:48 pin1212a00 charon: 09[IKE] server requested EAP_MD5 authentication (id 0x29)
Feb 9 14:53:48 pin1212a00 charon: 09[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Feb 9 14:53:48 pin1212a00 charon: 09[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 09[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. Tunneled EAP-TNC Transport

Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 10[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 10[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 9 14:53:48 pin1212a00 charon: 10[IKE] server requested EAP_TNC authentication (id 0xC5)
Feb 9 14:53:48 pin1212a00 charon: 10[TLS] EAP_TNC version is v1
</pre>

h2. PB-TNC/IF-TNCCS 2.0 Connection

A new TNCCS connection is instantiated on the TNC client and its IF-TNCCS 2.0 state machine is set to the Init state.

!IF-TNCCS-20-State-Diagram.png!

A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared and a PB-Language-Preference message for English (en) is added:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] assigned TNCCS Connection ID 1
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] creating PB-TNC CDATA batch
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] adding PB-Language-Preference message
</pre>

An instance of the Attestation PTS-IMC is created which in a first step determines the client operating system
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[PTS] platform is 'Ubuntu 11.04 i686'
</pre>

and then loads the AIK certificate and the matching AIK private key, the latter in the form of a TPM-encrypted binary blob
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[PTS] loaded AIK certificate from '/home/seclab/privacyca/AIK_Cert.der'
Feb 9 14:53:48 pin1212a00 charon: 10[PTS] loaded AIK Blob from '/home/seclab/privacyca/AIK_Blob.bin'
Feb 9 14:53:48 pin1212a00 charon: 10[PTS] AIK Blob: => 559 bytes @ 0x9136e08
Feb 9 14:53:48 pin1212a00 charon: 10[IMC] IMC 1 "Attestation" created a state for Connection ID 1: IF-TNCCS 2.0 with +long +excl -soh over IF-T for Tunneled EAP 1.1
</pre>

Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
</pre>

The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] creating PA-TNC message with ID 0xf6c4bd2b
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] => 22 bytes @ 0x91322a0
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 30 .....Ubuntu 11.0
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 16: 34 20 69 36 38 36 4 i686
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] adding PB-PA message
</pre>

The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server.
<pre>
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] => 105 bytes @ 0x9137040
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 64: 00 00 00 F6 C4 BD 2B 00 00 00 00 00 00 00 02 00 ......+.........
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Feb 9 14:53:48 pin1212a00 charon: 10[TNC] 96: 31 2E 30 34 20 69 36 38 36 1.04 i686
Feb 9 14:53:48 pin1212a00 charon: 10[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 9 14:53:48 pin1212a00 charon: 10[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. PTS Capability Discovery

As a response a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch is received from the TNC server
<pre>
Feb 9 14:53:48 pin1212a00 charon: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 charon: 12[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 12[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] => 72 bytes @ 0x9131442
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 32: 01 00 00 00 4B 21 AF FF 80 00 55 97 01 00 00 00 ....K!....U.....
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 64: 00 00 00 10 00 00 80 00 ........
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] processing PB-TNC SDATA batch
</pre>

containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] processing PB-PA message (64 bytes)
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 12[IMC] IMC 1 "Attestation" received message for Connection ID 1 from IMV 1
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] processing PA-TNC message with ID 0x4b21afff
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] => 4 bytes @ 0x9135bdc
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 0: 00 00 00 0E ....
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] => 4 bytes @ 0x9135bec
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 0: 00 00 80 00 ....
</pre>

namely the requests 'Request PTS Protocol Capabilities' and 'PTS Measurement Algorithm Request'. The PTS-IMV supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities and the PTS-IMC does as well.

<pre>
Feb 9 14:53:48 pin1212a00 charon: 12[PTS] supported PTS protocol capabilities: .VDT.
Feb 9 14:53:48 pin1212a00 charon: 12[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>
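
The batch structure walked through above can be decoded directly from the level 3 hex dump. The following is an added example, not part of the original HOWTO or of the strongSwan code: it reassembles the 72-byte SDATA batch from the log and parses the PB-TNC batch, the PB-PA message and the PA-TNC attributes with explicit bounds checks. Field layouts follow RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC); the capability letters are an assumption inferred from the log, where the value 0x0E is printed as @.VDT.@.

```python
import re
import struct

# Hex dump of the 72-byte SDATA batch from the log above (log prefix shortened).
SAMPLE_LOG = """\
12[TNC] => 72 bytes @ 0x9131442
12[TNC]    0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01  .......H........
12[TNC]   16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01  ...@..U.........
12[TNC]   32: 01 00 00 00 4B 21 AF FF 80 00 55 97 01 00 00 00  ....K!....U.....
12[TNC]   48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00  ..........U.....
12[TNC]   64: 00 00 00 10 00 00 80 00                          ........
"""

BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
TCG = 0x005597  # vendor ID, shown in the log as 0x005597
# TCG attribute names as they appear on this page.
TCG_ATTRS = {
    0x01000000: "Request PTS Protocol Capabilities",
    0x02000000: "PTS Protocol Capabilities",
    0x03000000: "DH Nonce Parameters Request",
    0x06000000: "PTS Measurement Algorithm Request",
    0x07000000: "PTS Measurement Algorithm",
}
# Capability letters: assumption inferred from the log (0x0E prints ".VDT.").
PTS_CAPS = [(0x10, "C"), (0x08, "V"), (0x04, "D"), (0x02, "T"), (0x01, "X")]


def bytes_from_hexdump(log_text):
    """Reassemble the payload from charon hex-dump lines, checking offsets."""
    data = bytearray()
    for line in log_text.splitlines():
        m = re.search(r"\b(\d+):((?: [0-9A-Fa-f]{2}){1,16})", line)
        if not m:
            continue
        if int(m.group(1)) != len(data):
            raise ValueError("hex dump has a gap at offset %s" % m.group(1))
        data += bytes.fromhex(m.group(2))
    return bytes(data)


def caps_string(value):
    """Render a 4-byte capabilities value the way the [PTS] log line does."""
    flags = int.from_bytes(value, "big")
    return "".join(letter if flags & bit else "." for bit, letter in PTS_CAPS)


def parse_attributes(buf):
    """PA-TNC attributes: flags(1) vendor(3) type(4) length(4) value."""
    attrs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 12:
            raise ValueError("truncated PA-TNC attribute header")
        flags_vendor, attr_type, length = struct.unpack_from(">III", buf, off)
        if length < 12 or off + length > len(buf):
            raise ValueError("PA-TNC attribute length out of bounds")
        vendor = flags_vendor & 0xFFFFFF
        attrs.append({
            "vendor": vendor,
            "type": attr_type,
            "name": TCG_ATTRS.get(attr_type) if vendor == TCG else None,
            "noskip": bool((flags_vendor >> 24) & 0x80),
            "value": buf[off + 12:off + length],
        })
        off += length
    return attrs


def parse_batch(data):
    """Parse a PB-TNC batch and any PB-PA / PA-TNC content it carries."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC batch header")
    version, dir_flags, _, btype, blen = struct.unpack_from(">BBBBI", data, 0)
    if version != 2:
        raise ValueError("unsupported PB-TNC version %d" % version)
    if blen != len(data):
        raise ValueError("batch length %d != %d bytes captured" % (blen, len(data)))
    batch = {"type": BATCH_TYPES.get(btype & 0x0F, "unknown"),
             "from_server": bool(dir_flags & 0x80), "messages": []}
    off = 8
    while off < blen:
        if blen - off < 12:
            raise ValueError("truncated PB-TNC message header")
        flags_vendor, mtype, mlen = struct.unpack_from(">III", data, off)
        if mlen < 12 or off + mlen > blen:
            raise ValueError("PB-TNC message length out of bounds")
        body = data[off + 12:off + mlen]
        msg = {"vendor": flags_vendor & 0xFFFFFF, "type": mtype}
        if msg["vendor"] == 0 and mtype == 1:  # IETF PB-PA message
            if len(body) < 20:
                raise ValueError("truncated PB-PA / PA-TNC header")
            pa_vendor, subtype, collector, validator = struct.unpack_from(">IIHH", body, 0)
            msg.update(pa_vendor=pa_vendor & 0xFFFFFF, pa_subtype=subtype,
                       collector_id=collector, validator_id=validator,
                       pa_msg_id=struct.unpack_from(">I", body, 16)[0],
                       attributes=parse_attributes(body[20:]))
        batch["messages"].append(msg)
        off += mlen
    return batch


if __name__ == "__main__":
    batch = parse_batch(bytes_from_hexdump(SAMPLE_LOG))
    print(batch["type"], "from server" if batch["from_server"] else "from client")
    for msg in batch["messages"]:
        for attr in msg.get("attributes", []):
            print("  %s: %s" % (attr["name"], attr["value"].hex()))
```

The parser rejects a batch whose length field disagrees with the captured bytes, which is the first thing to check when a dump taken from a log has been cut or line-wrapped.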

The PTS-IMV proposes SHA-1 only for the PTS measurement algorithm which is accepted by the PTS-IMC. These two selections are sent back to the PTS-IMV in a PA-TNC message containing the TCG attributes 'PTS Protocol Capabilities' and 'PTS Measurement Algorithm':
<pre>
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] creating PA-TNC message with ID 0x349421bb
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] => 4 bytes @ 0x9136df8
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 0: 00 00 00 0E ....
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] => 4 bytes @ 0x91314e0
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 0: 00 00 80 00 ....
</pre>

This PA-TNC message is sent as a PB-PA payload in a PB-TNC CDATA batch to the TNC server:
<pre>
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] creating PB-TNC CDATA batch
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] adding PB-PA message
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] sending PB-TNC CDATA batch (72 bytes) for Connection ID 1
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] => 72 bytes @ 0x9135b58
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 32: 01 00 00 00 34 94 21 BB 00 00 55 97 02 00 00 00 ....4.!...U.....
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Feb 9 14:53:48 pin1212a00 charon: 12[TNC] 64: 00 00 00 10 00 00 80 00 ........
Feb 9 14:53:48 pin1212a00 charon: 12[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 9 14:53:48 pin1212a00 charon: 12[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 charon: 12[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. DH Nonce Parameters

The next PB-TNC SDATA batch is received:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[NET] 01[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[ENC] 01[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[IKE] 01[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] received TNCCS batch (56 bytes) for Connection ID 1
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] => 56 bytes @ 0x9135bd2 0x825e5b6
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U.........
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 32: 01 00 00 00 BD 1F 9F 28 C2 D1 8E F1 80 00 55 97 03 00 00 00 .......(..U..... ..........U.....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 48: 00 00 00 10 00 00 F0 00 ........
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] processing PB-TNC SDATA batch
</pre>

containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] processing PB-PA message (48 bytes)
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001 0x005597/0x01
</pre>

The PA-TNC message contains a 'DH Nonce Parameters Request' from the TCG namespace
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[IMC] IMC 1 "Attestation" received message for Connection ID 1 from IMV 1
Feb 9 14:53:48 pin1212a00 charon: 13[TNC] 01[TNC] processing PA-TNC message with ID 0xbd1f9f28 0xc2d18ef1
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] => 4 bytes @ 0x9135fc4 0x82452d0
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 0: 00 00 F0 00 ....
</pre>

and offers the set of IKE DH groups {2, 5, 14, 19} from which the PTS-IMC selects ECP_256 (group 14).
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[PTS] 01[PTS] selected PTS DH group is ECP_256
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[PTS] 01[PTS] nonce length is 20
</pre>

The PTS-IMC also returns a 20 byte DH responder nonce and the 32 byte ECP_256 DH responder public value:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] creating PA-TNC message with ID 0x144b8472 0xa69f8b02
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] => 92 bytes @ 0x9132b50 0x826a53c
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 0: 00 00 00 14 10 00 E0 00 B9 FD DB 13 D2 BE 4E BA AA B1 9A 5C 9B 47 D0 0D ..............N. ...........\.G..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 16: E2 FF 33 25 CD A0 C8 79 AE 1A 51 D8 91 EF 3B F4 48 7A 55 EF DA 89 55 D3 11 77 74 DF CE B2 FB ..3%...y..Q....w .;.HzU...U.t....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 32: 82 E6 F0 31 44 16 FD 98 44 1D 79 1F 36 7A A5 67 A7 5C EB 76 E5 BD 3E E8 62 A8 F6 94 30 81 C8 ...1g.\.v..>.b.. D...D.y.6z.g.0..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 48: D7 2B 58 3B 1F F4 79 9D E9 DB 38 A8 1A AD 99 6A F0 A8 3E 0C 55 0E 91 2F E4 36 62 FA C2 08 63 .+X;..y....j..>. 8....U../.6b...c
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 64: 83 1B 6E 36 F7 93 7C CE 75 04 90 D7 DB 73 5F C8 88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A ..n6..|.u....s_. .iAy5.d.L...{^..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 80: E0 E9 74 F4 FF B3 64 CF 82 90 2A 32 EA C8 66 4C BB 06 3B F8 DE 96 2E t...d...*2.. ..tfL..;....
</pre>

This PA-TNC message is carried in a PB-PA message encapsulated in a PB-TNC CDATA batch:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001 0x005597/0x01
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] creating PB-TNC CDATA batch
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] adding PB-PA message
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] sending PB-TNC CDATA batch (144 bytes) for Connection ID 1
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] => 144 bytes @ 0x9132de0 0x826e85c
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 32: 01 00 00 00 14 4B 84 72 A6 9F 8B 02 00 00 55 97 04 00 00 00 .....K.r..U..... ..........U.....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 B9 FD DB 13 AA B1 9A 5C ...h............ ...h...........\
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 64: D2 BE 4E BA E2 FF 33 25 CD A0 C8 79 AE 1A 51 D8 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA 89 55 D3 74 ..N...3%...y..Q. .G...;.HzU...U.t
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 80: 91 D3 11 77 82 E6 F0 31 DF CE B2 FB 44 16 FD 98 44 1D 79 1F 36 7A A5 67 A7 5C EB 76 E5 BD 3E ...w...1g.\.v..> ....D...D.y.6z.g
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 96: E8 62 94 30 81 C8 38 A8 F6 D7 2B 58 3B 1F F4 79 9D E9 DB 1A AD 99 6A 55 0E 91 2F E4 36 62 .b...+X;..y....j .0..8....U../.6b
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 112: F0 A8 3E 0C 83 1B 6E 36 F7 93 7C CE 75 04 90 D7 FA C2 08 63 88 69 41 79 35 D4 64 8C 4C D4 CB E9 ..>...n6..|.u... ...c.iAy5.d.L...
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[TNC] 01[TNC] 128: DB 73 5F C8 7B 5E CF 0A E0 E9 74 F4 FF B3 64 CF 82 90 2A 32 EA C8 66 4C BB 06 3B F8 DE 96 2E .s_.t...d...*2.. {^....tfL..;....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[IKE] 01[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[ENC] 01[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 13[NET] 01[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. DH Nonce Finish and TPM Version/AIK Info

The next PB-TNC SDATA batch is received:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[NET] 04[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[ENC] 04[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[IKE] 04[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] received TNCCS batch (172 bytes) for Connection ID 1
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] => 172 bytes @ 0x9138a1a 0x826e866
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 0: 02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01 ................
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 16: 00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01 ......U.........
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 32: 01 00 00 00 7B 50 C7 13 83 45 BD D1 80 00 55 97 05 00 00 00 ....{P....U..... .....E....U.....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 48: 00 00 00 64 00 14 80 00 3B FF C4 8E 14 94 F3 24 B1 E2 2D 2D 11 80 E2 BC ...d....;......$ ...d......--....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 64: 19 83 5A 56 DC 1B A7 7B 7D FB 99 CE 06 96 CD AC 23 D3 17 57 18 3F 91 3B 63 E0 E9 09 2A 67 0D ...{}.......#..W .ZV...?.;c...*g.
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 80: 50 20 20 22 85 9C BA 47 CF C6 F0 13 AD 40 38 4B AE FB D6 94 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00 P "...G.....@8K ....29Z,.,X,_>..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 96: AA 99 1D 6B 2A C0 0E 20 25 68 E8 EB 9E 46 93 49 29 86 FE 22 FC B9 B3 C7 AE 5C 57 26 92 D7 4E ...k*.. .I)..".. %h...F....\W&..N
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 112: 10 B3 87 97 53 AD 1A 9E 7D 9E 5C A0 75 4E D5 9E F2 14 08 60 96 A4 74 78 46 C4 11 FB 33 64 F3 27 ....S...}.\.uN.. ...`..txF...3d.'
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 128: 92 FE A4 8D 4F 34 D3 1B 4D 04 9D 12 1D 62 3D C4 83 73 AE AE 8B 36 E4 F5 80 00 55 97 ....O4..M.....U. .b=..s...6....U.
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 144: 08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97 ..............U.
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 160: 0D 00 00 00 00 00 00 10 00 00 00 00 ............
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] processing PB-TNC SDATA batch
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] processing PB-PA message (164 bytes)
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001 0x005597/0x01
</pre>

containing a PA-TNC message with the 'DH Nonce Finish', 'Get TPM Version Information' and 'Get Attestation Identity Key'
attributes from the TCG namespace:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[IMC] IMC 1 "Attestation" received message for Connection ID 1 from IMV 1
Feb 9 14:53:48 pin1212a00 charon: 14[TNC] 04[TNC] processing PA-TNC message with ID 0x7b50c713 0x8345bdd1
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] => 88 bytes @ 0x9137fdc 0x826a928
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 0: 00 14 80 00 3B FF C4 8E 14 94 F3 24 19 1B A7 7B B1 E2 2D 2D 11 80 E2 BC 83 5A 56 DC ....;......$...{ ......--.....ZV.
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 16: 7D 1B 18 3F 91 3B 63 E0 E9 09 2A 67 0D AE FB 99 CE 06 96 CD AC 23 D3 17 57 50 20 20 22 D6 94 }.......#..WP " ..?.;c...*g.....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 32: 85 9C BA 47 CF C6 F0 13 AD 40 38 4B AA 99 1D 6B 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00 25 68 E8 EB ...G.....@8K...k 29Z,.,X,_>..%h..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 48: 2A C0 0E 20 9E 46 93 49 29 86 FE 22 FC B9 10 B3 87 97 C7 AE 5C 57 26 92 D7 4E F2 14 08 60 *.. .I).."...... .F....\W&..N...`
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 64: 53 AD 1A 9E 7D 9E 5C A0 75 4E D5 9E 92 FE 96 A4 8D 74 78 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 S...}.\.uN...... ..txF...3d.'.b=.
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 80: 4F 34 D3 1B 4D 04 9D 12 83 73 AE AE 8B 36 E4 F5 O4..M... .s...6..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] processing PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] => 4 bytes @ 0x9138040 0x826a98c
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 0: 00 00 00 00 ....
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] processing PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] => 4 bytes @ 0x9138050 0x826a99c
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[TNC] 04[TNC] 0: 00 00 00 00 ....
</pre>

The PTS-IMV reports that it selected SHA-1 as the DH hash algorithm and provides its 20 byte nonce and 32 byte public DH factor
so that the shared DH secret can be computed:
<pre>
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] selected DH hash algorithm is HASH_SHA1
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] initiator nonce: => 20 bytes @ 0x9138668 0x82594a4
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 0: 7D 9E 5C A0 75 4E D5 9E 92 FE A4 8D 4F 34 D3 1B 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 83 73 AE AE }.\.uN......O4.. F...3d.'.b=..s..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 16: 4D 04 9D 12 8B 36 E4 F5 M... .6..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] responder nonce: => 20 bytes @ 0x91370d8 0x8266a7c
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 0: B9 FD DB 13 D2 BE 4E BA E2 FF 33 25 CD A0 C8 79 AA B1 9A 5C 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA ......N...3%...y ...\.G...;.HzU..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 16: AE 1A 51 D8 89 55 D3 74 ..Q. .U.t
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] shared DH secret: => 32 bytes @ 0x9138ad0 0x826c8e4
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 0: 17 DE 46 03 F0 0F 07 4F E4 E5 07 1B A5 61 E8 7D D7 8C C8 DF 4E 5C 5A B7 48 75 38 0C 35 36 B8 ..F....O......56 a.}....N\Z.Hu8..
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 16: F6 6B 7B EA A4 AF 4A E8 2D 23 08 8E E2 BD 5E 19 C6 F5 AA 73 D5 B9 25 04 F8 03 BA 35 9F 3A 52 .k{...J...^....s -#.....%....5.:R
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] secret assessment value: => 20 bytes @ 0x9138250 0x8266ea4
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 0: CE 50 79 31 50 D6 FC 62 0F 99 D3 B8 C6 42 D0 B1 E1 1B 01 B4 FF 2B 56 83 24 AD AD AD 8B 7B 36 B7 .Py1P..b.....B.. .....+V.$....{6.
Feb 9 14:53:48 pin1212a00 Nov 29 07:39:23 merthyr charon: 14[PTS] 04[PTS] 16: 6E 06 C0 FB FF CA D9 59 n... ...Y
</pre>
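
The three DH nonce attributes walked through above can be decoded and cross-checked as follows. This is an added example, not strongSwan code: the field layout and bit assignments are assumptions taken from the TCG PTS IF-M binding, the header bytes are the ones in the dumps above, and the nonce and public-value bytes are constructed filler of the logged lengths.

```python
import struct

# Assumed bit assignments (TCG PTS IF-M binding); values are IKE group numbers.
DH_GROUPS = {0x8000: 2, 0x4000: 5, 0x2000: 14, 0x1000: 19, 0x0800: 20}
HASH_ALGOS = {0x8000: "SHA1", 0x4000: "SHA256", 0x2000: "SHA384"}
PUBLIC_VALUE_LEN = {2: 128, 5: 192, 14: 256, 19: 64, 20: 96}  # bytes on the wire

def _bits(mask, table):
    """Names of the bits set in a 16-bit set field; unknown bits are an error."""
    unknown = mask & ~sum(table)
    if unknown:
        raise ValueError(f"unknown bits set: 0x{unknown:04x}")
    return [name for bit, name in table.items() if mask & bit]

def _one(mask, table, what):
    chosen = _bits(mask, table)
    if len(chosen) != 1:
        raise ValueError(f"exactly one {what} must be selected")
    return chosen[0]

def parse_request(value):
    """DH Nonce Parameters Request: reserved, min nonce length, DH group set."""
    if len(value) != 4:
        raise ValueError("request must be 4 bytes")
    _reserved, min_nonce_len, groups = struct.unpack(">BBH", value)
    return {"min_nonce_len": min_nonce_len, "groups": _bits(groups, DH_GROUPS)}

def parse_response(value):
    """DH Nonce Parameters Response: 8-byte header, nonce, public value."""
    if len(value) < 8:
        raise ValueError("response shorter than its fixed header")
    word, group, hashes = struct.unpack(">IHH", value[:8])
    nonce_len, body = word & 0xFF, value[8:]
    if len(body) <= nonce_len:
        raise ValueError("response has no room for a public value")
    return {"group": _one(group, DH_GROUPS, "DH group"),
            "hashes": _bits(hashes, HASH_ALGOS),
            "nonce": body[:nonce_len], "public": body[nonce_len:]}

def parse_finish(value):
    """DH Nonce Finish: 4-byte header, public value, then the nonce last."""
    if len(value) < 4:
        raise ValueError("finish shorter than its fixed header")
    _reserved, nonce_len, hash_bit = struct.unpack(">BBH", value[:4])
    body = value[4:]
    if len(body) <= nonce_len:
        raise ValueError("finish has no room for a public value")
    split = len(body) - nonce_len
    return {"hash": _one(hash_bit, HASH_ALGOS, "hash algorithm"),
            "public": body[:split], "nonce": body[split:]}

def check_exchange(req, resp, fin):
    """Return the negotiation inconsistencies found (empty list means none)."""
    problems = []
    if resp["group"] not in req["groups"]:
        problems.append("selected DH group was not offered")
    if fin["hash"] not in resp["hashes"]:
        problems.append("selected hash algorithm was not offered")
    if len(resp["nonce"]) < req["min_nonce_len"]:
        problems.append("responder nonce shorter than requested minimum")
    expected = PUBLIC_VALUE_LEN[resp["group"]]
    for side, msg in (("responder", resp), ("initiator", fin)):
        if len(msg["public"]) != expected:
            problems.append(f"{side} public value is not {expected} bytes")
    return problems

# Header bytes as logged above; nonce and public value are constructed filler.
REQUEST = bytes.fromhex("00 00 F0 00")
RESPONSE = bytes.fromhex("00 00 00 14 10 00 E0 00") + b"\x11" * 20 + b"\x22" * 64
FINISH = bytes.fromhex("00 14 80 00") + b"\x33" * 64 + b"\x44" * 20

if __name__ == "__main__":
    req, resp, fin = parse_request(REQUEST), parse_response(RESPONSE), parse_finish(FINISH)
    print(req["groups"], resp["group"], resp["hashes"], fin["hash"])
    print(check_exchange(req, resp, fin) or "exchange is consistent")
```
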

Answering the 'Get TPM Version Information' request, the following TPM version info is returned in binary form:
<pre>
Nov 29 07:39:23 merthyr charon: 04[PTS] TPM 1.2 Version Info: Chip Version: 1.2.1.2, Spec Level: 2, Errata Rev: 0, Vendor ID: IFX
</pre>

In addition to the 'TPM Version Information' attribute, the 'Attestation Identity Key' is also included in the PA-TNC message to be forwarded to the PTS-IMV:
<pre>
Nov 29 07:39:23 merthyr charon: 04[TNC] creating PA-TNC message with ID 0x1e82d806
Nov 29 07:39:23 merthyr charon: 04[TNC] creating PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
Nov 29 07:39:23 merthyr charon: 04[TNC] => 15 bytes @ 0x826a9ec
Nov 29 07:39:23 merthyr charon: 04[TNC] 0: 00 30 01 02 01 02 00 02 00 49 46 58 00 00 00 .0.......IFX...
Nov 29 07:39:23 merthyr charon: 04[TNC] creating PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
Nov 29 07:39:23 merthyr charon: 04[TNC] => 1334 bytes @ 0x826e274
Nov 29 07:39:23 merthyr charon: 04[TNC] 0: 00 30 82 05 31 30 82 04 19 A0 03 02 01 02 02 10 .0..10..........
Nov 29 07:39:23 merthyr charon: 04[TNC] 16: 15 C8 E6 07 AD F7 B6 3C 0A F2 87 51 0C 34 F7 BA .......<...Q.4..
Nov 29 07:39:23 merthyr charon: 04[TNC] 32: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 0...*.H........0
Nov 29 07:39:23 merthyr charon: 04[TNC] 48: 4D 31 16 30 14 06 03 55 04 0A 13 0D 70 72 69 76 M1.0...U....priv
Nov 29 07:39:23 merthyr charon: 04[TNC] 64: 61 63 79 63 61 2E 63 6F 6D 31 33 30 31 06 03 55 acyca.com1301..U
Nov 29 07:39:23 merthyr charon: 04[TNC] 80: 04 03 13 2A 50 72 69 76 61 63 79 20 43 41 20 45 ...*Privacy CA E
Nov 29 07:39:23 merthyr charon: 04[TNC] 96: 4B 2D 43 65 72 74 2D 43 68 65 63 6B 65 64 20 41 K-Cert-Checked A
Nov 29 07:39:23 merthyr charon: 04[TNC] 112: 49 4B 20 43 65 72 74 69 66 69 63 61 74 65 30 1E IK Certificate0.
Nov 29 07:39:23 merthyr charon: 04[TNC] 128: 17 0D 31 31 31 31 30 32 30 37 35 30 35 31 5A 17 ..111102075051Z.
Nov 29 07:39:23 merthyr charon: 04[TNC] 144: 0D 31 32 31 31 30 32 30 37 35 30 35 31 5A 30 00 .121102075051Z0.
Nov 29 07:39:23 merthyr charon: 04[TNC] 160: 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0.."0...*.H.....
Nov 29 07:39:23 merthyr charon: 04[TNC] 176: 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 ........0.......
Nov 29 07:39:23 merthyr charon: 04[TNC] 192: 00 E9 1C 5F 57 5B 73 5F 35 15 BD AF 29 89 13 F1 ..._W[s_5...)...
Nov 29 07:39:23 merthyr charon: 04[TNC] 208: F9 8D 83 62 6C 73 C0 5F 8B 90 5A B8 1A 72 B9 D2 ...bls._..Z..r..
Nov 29 07:39:23 merthyr charon: 04[TNC] 224: 51 F8 DC 24 CF 0D 9E E2 0B F8 8D 11 CD B2 E5 6B Q..$...........k
Nov 29 07:39:23 merthyr charon: 04[TNC] 240: CB C2 AB FA BD F4 74 D2 25 B3 AE CE 47 66 58 A6 ......t.%...GfX.
Nov 29 07:39:23 merthyr charon: 04[TNC] 256: 65 A4 CA 36 24 1E 6E 22 A4 9F 88 C5 63 78 AD 53 e..6$.n"....cx.S
Nov 29 07:39:23 merthyr charon: 04[TNC] 272: 33 90 22 91 6F 83 8F 2A A8 98 0C 15 3E 89 19 48 3.".o..*....>..H
Nov 29 07:39:23 merthyr charon: 04[TNC] 288: 63 BE 4C 35 02 F4 03 7E 10 8E 4D DB 5A D1 63 9A c.L5...~..M.Z.c.
Nov 29 07:39:23 merthyr charon: 04[TNC] 304: 3C D9 63 F5 7B C6 73 0F 23 05 B6 00 30 3B 34 6C <.c.{.s.#...0;4l
Nov 29 07:39:23 merthyr charon: 04[TNC] 320: 3C 10 A9 A5 4A 79 2E 62 88 E3 CC 7F 7B A7 5A E3 <...Jy.b....{.Z.
Nov 29 07:39:23 merthyr charon: 04[TNC] 336: 6F 13 7A BD BF 86 1D 3C E3 12 3A 8C 0E 7D 47 55 o.z....<..:..}GU
Nov 29 07:39:23 merthyr charon: 04[TNC] 352: C6 76 A9 D3 61 16 22 8A 32 C5 E7 CD 17 DB 5F A1 .v..a.".2....._.
Nov 29 07:39:23 merthyr charon: 04[TNC] 368: 67 CC 1D F5 D9 25 51 01 33 1E 05 45 85 53 2E 2C g....%Q.3..E.S.,
Nov 29 07:39:23 merthyr charon: 04[TNC] 384: 2B 1D 59 E5 FE C2 61 26 36 12 05 F2 5C 95 F8 70 +.Y...a&6...\..p
Nov 29 07:39:23 merthyr charon: 04[TNC] 400: E6 6A DB BF 30 1E 46 05 E6 0E 94 3C 0C C6 1C 96 .j..0.F....<....
Nov 29 07:39:23 merthyr charon: 04[TNC] 416: B4 59 AC 5C 63 15 8C 77 E8 45 91 6B 8B B1 0D DB .Y.\c..w.E.k....
Nov 29 07:39:23 merthyr charon: 04[TNC] 432: 26 3C E5 34 1C E8 B9 B5 6E 7F 9B 6E 7D 24 82 6E &<.4....n..n}$.n
Nov 29 07:39:23 merthyr charon: 04[TNC] 448: 2B 02 03 01 00 01 A3 82 02 58 30 82 02 54 30 81 +........X0..T0.
Nov 29 07:39:23 merthyr charon: 04[TNC] 464: 93 06 03 55 1D 09 04 81 8B 30 81 88 30 3A 06 03 ...U.....0..0:..
Nov 29 07:39:23 merthyr charon: 04[TNC] 480: 55 04 34 31 33 30 0B 30 09 06 05 2B 0E 03 02 1A U.4130.0...+....
Nov 29 07:39:23 merthyr charon: 04[TNC] 496: 05 00 30 24 30 22 06 09 2A 86 48 86 F7 0D 01 01 ..0$0"..*.H.....
Nov 29 07:39:23 merthyr charon: 04[TNC] 512: 07 30 15 A2 13 30 11 06 09 2A 86 48 86 F7 0D 01 .0...0...*.H....
Nov 29 07:39:23 merthyr charon: 04[TNC] 528: 01 09 04 04 54 43 50 41 30 16 06 05 67 81 05 02 ....TCPA0...g...
Nov 29 07:39:23 merthyr charon: 04[TNC] 544: 10 31 0D 30 0B 0C 03 31 2E 32 02 01 02 02 01 00 .1.0...1.2......
Nov 29 07:39:23 merthyr charon: 04[TNC] 560: 30 32 06 05 67 81 05 02 12 31 29 30 27 01 01 FF 02..g....1)0'...
Nov 29 07:39:23 merthyr charon: 04[TNC] 576: A0 03 0A 01 01 A1 03 0A 01 00 A2 03 0A 01 00 A3 ................
Nov 29 07:39:23 merthyr charon: 04[TNC] 592: 10 30 0E 16 03 33 2E 30 0A 01 04 0A 01 00 01 01 .0...3.0........
Nov 29 07:39:23 merthyr charon: 04[TNC] 608: FF 01 01 FF 30 62 06 03 55 1D 11 01 01 FF 04 58 ....0b..U......X
Nov 29 07:39:23 merthyr charon: 04[TNC] 624: 30 56 A4 47 30 45 31 16 30 14 06 05 67 81 05 02 0V.G0E1.0...g...
Nov 29 07:39:23 merthyr charon: 04[TNC] 640: 01 0C 0B 69 64 3A 34 39 34 36 35 38 30 30 31 17 ...id:494658001.
Nov 29 07:39:23 merthyr charon: 04[TNC] 656: 30 15 06 05 67 81 05 02 02 0C 0C 53 4C 42 39 36 0...g......SLB96
Nov 29 07:39:23 merthyr charon: 04[TNC] 672: 33 35 54 54 31 2E 32 31 12 30 10 06 05 67 81 05 35TT1.21.0...g..
Nov 29 07:39:23 merthyr charon: 04[TNC] 688: 02 03 0C 07 69 64 3A 30 31 30 32 A0 0B 06 05 67 ....id:0102....g
Nov 29 07:39:23 merthyr charon: 04[TNC] 704: 81 05 02 0F A0 02 0C 00 30 0C 06 03 55 1D 13 01 ........0...U...
Nov 29 07:39:23 merthyr charon: 04[TNC] 720: 01 FF 04 02 30 00 30 82 01 27 06 03 55 1D 20 01 ....0.0..'..U. .
Nov 29 07:39:23 merthyr charon: 04[TNC] 736: 01 FF 04 82 01 1B 30 82 01 17 30 67 06 0A 2B 06 ......0...0g..+.
Nov 29 07:39:23 merthyr charon: 04[TNC] 752: 01 04 01 81 E3 42 01 11 30 59 30 29 06 08 2B 06 .....B..0Y0)..+.
</pre>