
Version 63 (Andreas Steffen, 10.02.2012 13:15) → Version 64/69 (Andreas Steffen, 10.02.2012 13:22)

h1. TNC Client with PTS-IMC

This HOWTO explains step by step how a strongSwan IPsec client with integrated TNC client functionality and an attached Platform Trust Service Integrity Measurement Collector (PTS-IMC) provides remote attestation measurement data to a TNC server via the IKEv2 EAP-TTLS protocol.

{{>toc}}

h2. Installation and Configuration

The following steps describe the installation of the strongSwan software (the configure command is one line, continued with backslashes):
<pre>
wget http://download.strongswan.org/strongswan-4.6.2rc1.tar.bz2
tar xjf strongswan-4.6.2rc1.tar.bz2
cd strongswan-4.6.2rc1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
            --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
            --enable-tnccs-20 --enable-tnc-imc --enable-imc-attestation
make
[sudo] make install
</pre>
The strongSwan *imc-attestation.so* dynamic PTS-IMC library depends on the "TrouSerS":http://sourceforge.net/projects/trousers/ libtspi library. In addition, the TrouSerS header files in /usr/include/trousers/ must be present at compile time.

The connection between IPsec client *carol* and IPsec gateway *moon* is defined in the /etc/ipsec.conf file:
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="tnc 3, imc 3, pts 3"

conn home
        left=%any
        leftid=carol@strongswan.org
        leftauth=eap
        right=192.168.0.1
        rightid=@moon.strongswan.org
        rightsendcert=never
        rightsubnet=10.1.0.0/16
        auto=start
</pre>

The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file.

The IKEv2 client *carol* is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp"
</pre>

The following IKEv2 charon and Attestation IMC options are defined in the /etc/strongswan.conf file:
<pre>
# strongswan.conf - strongSwan configuration file

charon {
        load = sha1 random gmp pkcs1 pkcs8 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
        plugins {
                eap-tnc {
                        protocol = tnccs-2.0
                }
                tnc-imc {
                        preferred_language = en
                }
        }
}

libimcv {
        plugins {
                imc-attestation {
                        aik_cert = /home/andi/privacyca/AIK_3_Cert.der
                        aik_blob = /home/andi/privacyca/AIK_3_Blob.bin

                        pcr17_meas = d537d437f058136eb3d7be517dbe7647b623c619
                        pcr17_before = 1717171717171717171717171717171717171717
                        pcr17_after = ffffffffffffffffffffffffffffffffffffffff

                        pcr18_meas = 160d2b04d11eb225fb148615b699081869e15b6c
                        pcr18_before = 1818181818181818181818181818181818181818
                        pcr18_after = ffffffffffffffffffffffffffffffffffffffff
                }
        }
}
</pre>

h2. IKEv2 Negotiation

h3. Startup and Initialization

The command
<pre>
ipsec start
</pre>

starts the TNC-enabled IPsec client:
<pre>
Feb 10 09:05:16 pin1212a00 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2rc1)
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] listening on interfaces:
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] eth0
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] 152.96.31.100
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] fe80::219:99ff:feb3:92c3
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] umlbr0
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] 192.168.0.254
Feb 10 09:05:16 pin1212a00 charon: 00[KNL] fe80::9cb8:adff:fe5a:270a
</pre>

The file /etc/tnc_config
<pre>
# IMC configuration file for strongSwan client

IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
</pre>

defines which IMCs are loaded by the TNC client:
<pre>
Feb 10 09:05:16 pin1212a00 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Feb 10 09:05:16 pin1212a00 charon: 00[TNC] added IETF attributes
Feb 10 09:05:16 pin1212a00 charon: 00[TNC] added ITA-HSR attributes
Feb 10 09:05:16 pin1212a00 charon: 00[LIB] libimcv initialized
Feb 10 09:05:16 pin1212a00 charon: 00[IMC] IMC 1 "Attestation" initialized
Feb 10 09:05:16 pin1212a00 charon: 00[TNC] added TCG attributes
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] added TCG functional component namespace
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] added ITA-HSR functional component namespace
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Feb 10 09:05:16 pin1212a00 charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Feb 10 09:05:16 pin1212a00 charon: 00[LIB] libpts initialized
Feb 10 09:05:16 pin1212a00 charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Feb 10 09:05:16 pin1212a00 charon: 00[TNC] IMC 1 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:16 pin1212a00 charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
</pre>

Next the IKEv2 credentials, all necessary plugins and the IPsec connection definition are loaded:
<pre>
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 10 09:05:16 pin1212a00 charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Feb 10 09:05:16 pin1212a00 charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pkcs8 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
Feb 10 09:05:16 pin1212a00 charon: 00[JOB] spawning 16 worker threads
Feb 10 09:05:16 pin1212a00 charon: 08[CFG] received stroke: add connection 'home'
Feb 10 09:05:16 pin1212a00 charon: 08[CFG] left nor right host is our side, assuming left=local
Feb 10 09:05:16 pin1212a00 charon: 08[CFG] added configuration 'home'
</pre>

h3. IKEv2 Exchanges

Due to auto=start, the client automatically initiates the IKE_SA_INIT exchange:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 10[CFG] received stroke: initiate 'home'
Feb 10 09:05:24 pin1212a00 charon: 11[IKE] initiating IKE_SA home[1] to 192.168.0.1
Feb 10 09:05:24 pin1212a00 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 10 09:05:24 pin1212a00 charon: 11[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Feb 10 09:05:24 pin1212a00 charon: 12[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Feb 10 09:05:24 pin1212a00 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
</pre>

followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual IKEv2 EAP-TTLS only authentication:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[IKE] establishing CHILD_SA home
Feb 10 09:05:24 pin1212a00 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 10 09:05:24 pin1212a00 charon: 12[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 pin1212a00 charon: 06[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 06[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 06[IKE] server requested EAP_TTLS authentication (id 0x16)
Feb 10 09:05:24 pin1212a00 charon: 06[TLS] EAP_TTLS version is v0
Feb 10 09:05:24 pin1212a00 charon: 06[IKE] allow mutual EAP-only authentication
</pre>

h3. IKEv2 EAP-TTLS Tunnel

The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 06[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 pin1212a00 charon: 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 13[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 pin1212a00 charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Feb 10 09:05:24 pin1212a00 charon: 14[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] crl is valid: until Mar 09 10:28:34 2012
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] certificate status is good
Feb 10 09:05:24 pin1212a00 charon: 14[CFG] reached self-signed root ca with a path length of 0
Feb 10 09:05:24 pin1212a00 charon: 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. Tunneled EAP-Identity

Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 03[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Feb 10 09:05:24 pin1212a00 charon: 03[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Feb 10 09:05:24 pin1212a00 charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Feb 10 09:05:24 pin1212a00 charon: 03[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. Tunneled EAP-MD5 Client Authentication

Next follows an EAP-MD5 client authentication:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 08[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 08[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Feb 10 09:05:24 pin1212a00 charon: 08[IKE] server requested EAP_MD5 authentication (id 0x45)
Feb 10 09:05:24 pin1212a00 charon: 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Feb 10 09:05:24 pin1212a00 charon: 08[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 08[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. Tunneled EAP-TNC Transport

Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 09[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 09[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 pin1212a00 charon: 09[IKE] server requested EAP_TNC authentication (id 0x1B)
Feb 10 09:05:24 pin1212a00 charon: 09[TLS] EAP_TNC version is v1
</pre>

h2. PB-TNC/IF-TNCCS 2.0 Connection

A new TNCCS connection is instantiated on the TNC client and its IF-TNCCS 2.0 state machine is set to the Init state.

!IF-TNCCS-20-State-Diagram.png!

A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared and a PB-Language-Preference message for English (en) is added:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] assigned TNCCS Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] creating PB-TNC CDATA batch
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] adding PB-Language-Preference message
</pre>

An instance of the Attestation PTS-IMC is created, which in a first step determines the client operating system:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] platform is 'Ubuntu 11.04 i686'
</pre>

and then loads the AIK certificate and the matching AIK private key, the latter in the form of a TPM-encrypted binary blob:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] loaded AIK certificate from '/home/seclab/privacyca/AIK_Cert.der'
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] loaded AIK Blob from '/home/seclab/privacyca/AIK_Blob.bin'
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] AIK Blob: => 559 bytes @ 0x9b5be20
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00 ................
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00 ................
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 32: 00 00 00 00 00 00 00 00 00 01 00 81 E3 38 7C 4D .............8|M
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 48: 46 70 CB D5 33 62 38 50 AD 98 D1 28 56 D3 6E 71 Fp..3b8P...(V.nq
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 64: CF AA E3 C8 31 BD F6 FE 53 6A ED C8 54 0E 7C FB ....1...Sj..T.|.
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 80: 00 98 80 D6 7D C7 57 D4 EC 24 93 59 48 1F DA 67 ....}.W..$.YH..g
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 96: 30 87 4F D3 59 B2 CA A8 9D CE C9 27 9A 03 57 C0 0.O.Y......'..W.
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 112: FE 1F AB EE E5 C2 A8 C6 D5 DC C7 1E 81 74 4D 3D .............tM=
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 128: B5 98 6D 57 22 74 02 F1 41 7C E3 68 C1 1C 1C 2F ..mW"t..A|.h.../
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 144: 57 54 CA 4A FB D6 3D 33 37 A9 BC FF 6F 50 13 CC WT.J..=37...oP..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 160: C2 D3 83 F1 4B 01 FD 66 A6 EE 7A D3 E0 E2 C0 51 ....K..f..z....Q
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 176: 55 A2 8A AB F4 85 09 74 24 64 03 DD 65 1C 26 2F U......t$d..e.&/
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 192: 35 08 BF 57 D9 28 DA D3 D7 5B ED C8 C6 6C 43 7E 5..W.(...[...lC~
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 208: DE D3 93 F4 D5 D7 36 1E 31 9A A8 42 10 7A F5 94 ......6.1..B.z..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 224: 93 9C 8F BD 6D BC 66 1D 30 A5 B3 B3 44 4D DA 6D ....m.f.0...DM.m
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 240: 35 64 A6 08 EB D2 A6 99 18 56 01 28 3B 26 94 FD 5d.......V.(;&..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 256: 6F 7F AD 45 68 3C 8A 7D 38 8C DB D8 5F 76 16 F5 o..Eh<.}8..._v..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 272: 5E 8A 4B C2 2B 19 8A 27 D9 80 3C C8 13 01 11 70 ^.K.+..'..<....p
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 288: CC D6 EF 57 F3 EF 37 A2 E6 B5 49 00 00 01 00 4C ...W..7...I....L
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 304: DA 76 65 D0 54 8C F9 E8 B6 C4 9E 26 37 70 B4 45 .ve.T......&7p.E
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 320: C0 42 E0 A3 7A 3E 9D 57 96 B0 C8 68 DE 6A 84 76 .B..z>.W...h.j.v
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 336: 9A 9A E3 F9 D7 44 AB E0 A2 4B D2 3E 44 BD D9 92 .....D...K.>D...
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 352: 53 AF 6A 04 26 56 04 FC F9 43 D0 68 E3 63 AD 7B S.j.&V...C.h.c.{
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 368: 5C A2 50 B8 BA A2 F0 53 8C 8B 3A 67 35 49 CA E4 \.P....S..:g5I..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 384: 35 A3 35 4B E7 31 D0 25 10 D4 6A B9 17 32 F9 53 5.5K.1.%..j..2.S
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 400: 22 E9 13 9D 13 E9 0D F0 59 55 33 36 5C A5 28 FB ".......YU36\.(.
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 416: 86 88 69 69 F0 93 6F 4B 62 76 B0 0E 64 E9 69 2D ..ii..oKbv..d.i-
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 432: 7D 9E 9E ED E1 1E 62 4C 63 AA D8 FD 87 86 77 3C }.....bLc.....w<
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 448: C1 04 E8 63 81 54 FE 75 82 D8 36 96 67 6A D1 18 ...c.T.u..6.gj..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 464: 78 6C 7D 7B 8C BB 28 A0 AC 84 D8 7B 7E D0 55 38 xl}{..(....{~.U8
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 480: 80 64 4C 3A 38 E0 B0 1A FE A7 C8 C3 A1 F9 21 A5 .dL:8.........!.
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 496: D1 6F DE C4 CE 0B 62 D6 39 DA A4 35 45 B3 B6 D2 .o....b.9..5E...
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 512: D4 73 0B 82 28 B5 C1 79 88 85 D8 7D 54 38 E0 DA .s..(..y...}T8..
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 528: 57 2C 57 C1 34 4D 26 B8 9F A3 81 5B 4A 98 E5 E6 W,W.4M&....[J...
Feb 10 09:05:24 pin1212a00 charon: 09[PTS] 544: 89 94 25 A0 3F 9F 5A 3E CF A3 9A 0B 55 74 02 ..%.?.Z>....Ut.
Feb 10 09:05:24 pin1212a00 charon: 09[IMC] IMC 1 "Attestation" created a state for Connection ID 1: IF-TNCCS 2.0 with +long +excl -soh over IF-T for Tunneled EAP 1.1
</pre>

Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
</pre>

The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] creating PA-TNC message with ID 0x35c9dc7b
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] => 22 bytes @ 0x9b5c120
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 30 .....Ubuntu 11.0
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 16: 34 20 69 36 38 36 4 i686
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] adding PB-PA message
</pre>

The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the
PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server.
<pre>
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] => 105 bytes @ 0x9b5c890
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 64: 00 00 00 35 C9 DC 7B 00 00 00 00 00 00 00 02 00 ...5..{.........
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Feb 10 09:05:24 pin1212a00 charon: 09[TNC] 96: 31 2E 30 34 20 69 36 38 36 1.04 i686
Feb 10 09:05:24 pin1212a00 charon: 09[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 pin1212a00 charon: 09[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 09[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. PTS Capability Discovery

As a response, a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch is received from the TNC server:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 11[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 11[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] => 72 bytes @ 0x9b56e82
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 32: 01 00 00 00 8B 08 8D AB 80 00 55 97 01 00 00 00 ..........U.....
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 64: 00 00 00 10 00 00 80 00 ........
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] processing PB-TNC SDATA batch
</pre>

containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] processing PB-PA message (64 bytes)
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 11[IMC] IMC 1 "Attestation" received message for Connection ID 1 from IMV 1
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] processing PA-TNC message with ID 0x8b088dab
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] => 4 bytes @ 0x9b57b5c
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 0: 00 00 00 0E ....
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] => 4 bytes @ 0x9b57b6c
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 0: 00 00 80 00 ....
</pre>

namely the requests 'Request PTS Protocol Capabilities' and 'PTS Measurement Algorithm Request'. The PTS-IMV supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities and the PTS-IMC does as well.

<pre>
Feb 10 09:05:24 pin1212a00 charon: 11[PTS] supported PTS protocol capabilities: .VDT.
Feb 10 09:05:24 pin1212a00 charon: 11[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>

The PTS-IMV proposes SHA-1 only for the PTS measurement algorithm, which is accepted by the PTS-IMC. These two selections are sent back to the PTS-IMV in a PA-TNC message containing the TCG attributes 'PTS Protocol Capabilities' and 'PTS Measurement Algorithm':
<pre>
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] creating PA-TNC message with ID 0xace91f02
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] => 4 bytes @ 0x9b5bdd8
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 0: 00 00 00 0E ....
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] => 4 bytes @ 0x9b5ac98
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 0: 00 00 80 00 ....
</pre>

This PA-TNC message is sent as a PB-PA payload in a PB-TNC CDATA batch to the TNC server:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] creating PB-TNC CDATA batch
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] adding PB-PA message
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] sending PB-TNC CDATA batch (72 bytes) for Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] => 72 bytes @ 0x9b5ce70
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 32: 01 00 00 00 AC E9 1F 02 00 00 55 97 02 00 00 00 ..........U.....
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Feb 10 09:05:24 pin1212a00 charon: 11[TNC] 64: 00 00 00 10 00 00 80 00 ........
Feb 10 09:05:24 pin1212a00 charon: 11[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 pin1212a00 charon: 11[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 11[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
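The hex dumps above can be decoded by hand, but a small parser makes the framing explicit. The following Python decoder is an added example and is not part of this page or of strongSwan: it walks the PB-TNC batch header, the PB-TNC messages, the PB-PA wrapper and the PA-TNC message with its attributes, using the 105-byte CDATA batch and the 72-byte SDATA batch transcribed from the log dumps on this page. The type names are those charon prints above; the capability and measurement-algorithm bit positions are inferred from the logged values (0x0E rendered as '.VDT.', 0x8000 selecting SHA-1) and are assumptions beyond that.

```python
"""Decoder for PB-TNC (IF-TNCCS 2.0) batches and PA-TNC (IF-M) messages as
charon dumps them at debug level 3. Example code added to this HOWTO; the
two byte strings are transcribed from the log dumps on the page."""
import struct

VENDOR_IETF, VENDOR_TCG = 0x000000, 0x005597

# 105-byte CDATA batch sent by carol (PB-Language-Preference + PB-PA/Product Information).
CDATA_BATCH = bytes.fromhex(
    "0200000100000069" "0000000000000006" "0000001f41636365" "70742d4c616e6775"
    "6167653a20656e80" "0000000000000100" "0000420000559700" "0000010001ffff01"
    "00000035c9dc7b00" "0000000000000200" "0000220000000000" "5562756e74752031"
    "312e30342069363836")
# 72-byte SDATA batch received from moon (PB-PA with two TCG/PTS request attributes).
SDATA_BATCH = bytes.fromhex(
    "0280000200000048" "8000000000000001" "0000004000005597" "00000001ffff0001"
    "010000008b088dab" "8000559701000000" "000000100000000e" "8000559706000000"
    "0000001000008000")

PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_TYPES = {(VENDOR_IETF, 1): "PB-PA", (VENDOR_IETF, 6): "PB-Language-Preference"}
PA_ATTR_TYPES = {
    (VENDOR_IETF, 0x00000002): "IETF/Product Information",
    (VENDOR_TCG, 0x01000000): "TCG/Request PTS Protocol Capabilities",
    (VENDOR_TCG, 0x02000000): "TCG/PTS Protocol Capabilities",
    (VENDOR_TCG, 0x06000000): "TCG/PTS Measurement Algorithm Request",
    (VENDOR_TCG, 0x07000000): "TCG/PTS Measurement Algorithm",
}
# Assumed bit layout, matching the logged rendering '.VDT.' of 0x0E (C V D T X).
PTS_CAPS = [(1 << 0, "C"), (1 << 1, "V"), (1 << 2, "D"), (1 << 3, "T"), (1 << 4, "X")]
# Assumed bit layout, matching 0x8000 -> HASH_SHA1 in the log.
PTS_MEAS_ALGOS = {1 << 15: "HASH_SHA1", 1 << 14: "HASH_SHA256", 1 << 13: "HASH_SHA384"}


def _tlv(buf, off):
    """12-byte header shared by PB-TNC messages and PA-TNC attributes:
    flags(1) vendor-id(3) type(4) length(4); length includes the header."""
    if off + 12 > len(buf):
        raise ValueError("truncated header at offset %d" % off)
    flags = buf[off]
    vendor = int.from_bytes(buf[off + 1:off + 4], "big")
    mtype, length = struct.unpack_from(">II", buf, off + 4)
    if length < 12 or off + length > len(buf):
        raise ValueError("bad length %d at offset %d" % (length, off))
    return flags, vendor, mtype, buf[off + 12:off + length], off + length


def parse_pa_tnc(body):
    """PA-TNC message: version(1) reserved(3) identifier(4), then attributes."""
    version, ident = body[0], struct.unpack_from(">I", body, 4)[0]
    if version != 1:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, off = [], 8
    while off < len(body):
        flags, vendor, atype, value, off = _tlv(body, off)
        attrs.append({"name": PA_ATTR_TYPES.get((vendor, atype), "unknown"),
                      "vendor": vendor, "type": atype,
                      "noskip": bool(flags & 0x80), "value": value})
    return {"id": ident, "attributes": attrs}


def parse_pb_pa(body):
    """PB-PA: flags(1) vendor(3) subtype(4) collector-id(2) validator-id(2) + PA-TNC."""
    vendor = int.from_bytes(body[1:4], "big")
    subtype, collector, validator = struct.unpack_from(">IHH", body, 4)
    return {"excl": bool(body[0] & 0x80), "vendor": vendor, "subtype": subtype,
            "collector_id": collector, "validator_id": validator,
            "pa_tnc": parse_pa_tnc(body[12:])}


def parse_pb_tnc_batch(buf):
    """PB-TNC batch: version(1) flags(1, D bit = sent by server) type(2) length(4)."""
    version, flags, btype, length = struct.unpack_from(">BBHI", buf, 0)
    if version != 2 or length != len(buf):
        raise ValueError("not a well-formed PB-TNC 2.0 batch")
    batch = {"type": PB_BATCH_TYPES.get(btype, "unknown"),
             "from_server": bool(flags & 0x80), "messages": []}
    off = 8
    while off < len(buf):
        mflags, vendor, mtype, value, off = _tlv(buf, off)
        msg = {"name": PB_MSG_TYPES.get((vendor, mtype), "unknown"),
               "noskip": bool(mflags & 0x80)}
        if (vendor, mtype) == (VENDOR_IETF, 6):
            msg["value"] = value.decode("ascii")      # e.g. "Accept-Language: en"
        elif (vendor, mtype) == (VENDOR_IETF, 1):
            msg["pb_pa"] = parse_pb_pa(value)
        else:
            msg["value"] = value
        batch["messages"].append(msg)
    return batch


def decode_product_info(value):
    """IETF Product Information value: vendor-id(3) product-id(2) product-name."""
    return {"vendor": int.from_bytes(value[0:3], "big"),
            "product_id": struct.unpack_from(">H", value, 3)[0],
            "name": value[5:].decode("utf-8")}


def decode_pts_caps(value):
    """Render the 4-byte capability flags the way charon logs them, e.g. '.VDT.'."""
    flags = struct.unpack(">I", value)[0]
    return "".join(letter if flags & bit else "." for bit, letter in PTS_CAPS)


def decode_meas_algos(value):
    """List the hash algorithms set in a 4-byte PTS measurement algorithm flag word."""
    flags = struct.unpack(">I", value)[0]
    return [name for bit, name in PTS_MEAS_ALGOS.items() if flags & bit]


if __name__ == "__main__":
    for name, raw in (("CDATA", CDATA_BATCH), ("SDATA", SDATA_BATCH)):
        print(name, parse_pb_tnc_batch(raw))
```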

h3. DH Nonce Parameters

The next PB-TNC SDATA batch is received:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 12[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 12[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] received TNCCS batch (56 bytes) for Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] => 56 bytes @ 0x9b56e82
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U.........
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 32: 01 00 00 00 D5 D8 B7 F7 80 00 55 97 03 00 00 00 ..........U.....
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 48: 00 00 00 10 00 00 F0 00 ........
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] processing PB-TNC SDATA batch
</pre>

containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] processing PB-PA message (48 bytes)
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message contains a 'DH Nonce Parameters Request' attribute from the TCG namespace
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[IMC] IMC 1 "Attestation" received message for Connection ID 1 from IMV 1
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] processing PA-TNC message with ID 0xd5d8b7f7
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] => 4 bytes @ 0x9b5ce8c
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 0: 00 00 F0 00 ....
</pre>

and offers the set of IKE DH groups {2, 5, 14, 19} from which the PTS-IMC selects ECP_256 (group 14).
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[PTS] selected PTS DH group is ECP_256
Feb 10 09:05:24 pin1212a00 charon: 12[PTS] nonce length is 20
</pre>

The PTS-IMC also returns a 20-byte DH responder nonce and the 32-byte ECP_256 DH responder public value:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] creating PA-TNC message with ID 0x4a9b2c31
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] => 92 bytes @ 0x9b5d478
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 0: 00 00 00 14 10 00 E0 00 1D 14 23 06 97 7D E7 E3 ..........#..}..
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 16: AF AE B6 57 FB A3 58 DA 59 6A 4C D3 77 49 6B 4B ...W..X.YjL.wIkK
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 32: 36 35 DF BB 27 3F 62 E7 EA 5B 6E 7C 5E 55 C4 04 65..'?b..[n|^U..
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 48: 04 89 B4 98 66 31 6A A2 A2 4E 5E AC DE 57 B7 3B ....f1j..N^..W.;
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 64: 97 72 08 A6 90 7C 3C FB FD B3 45 05 C5 4D 21 10 .r...|<...E..M!.
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 80: 0E 07 CE 94 B0 61 14 9F C1 22 10 93 .....a..."..
</pre>

This PA-TNC message is carried in a PB-PA message encapsulated in a PB-TNC CDATA batch:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] creating PB-TNC CDATA batch
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] adding PB-PA message
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] sending PB-TNC CDATA batch (144 bytes) for Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] => 144 bytes @ 0x9b5d410
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 32: 01 00 00 00 4A 9B 2C 31 00 00 55 97 04 00 00 00 ....J.,1..U.....
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 1D 14 23 06 ...h..........#.
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 64: 97 7D E7 E3 AF AE B6 57 FB A3 58 DA 59 6A 4C D3 .}.....W..X.YjL.
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 80: 77 49 6B 4B 36 35 DF BB 27 3F 62 E7 EA 5B 6E 7C wIkK65..'?b..[n|
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 96: 5E 55 C4 04 04 89 B4 98 66 31 6A A2 A2 4E 5E AC ^U......f1j..N^.
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 112: DE 57 B7 3B 97 72 08 A6 90 7C 3C FB FD B3 45 05 .W.;.r...|<...E.
Feb 10 09:05:24 pin1212a00 charon: 12[TNC] 128: C5 4D 21 10 0E 07 CE 94 B0 61 14 9F C1 22 10 93 .M!......a..."..
Feb 10 09:05:24 pin1212a00 charon: 12[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 pin1212a00 charon: 12[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 12[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>

h3. DH Nonce Finish and TPM Version/AIK Info

The next PB-TNC SDATA batch is received:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 06[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 pin1212a00 charon: 06[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 pin1212a00 charon: 06[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] received TNCCS batch (172 bytes) for Connection ID 1
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] => 172 bytes @ 0x9b5bd52
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 0: 02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01 ................
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 16: 00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01 ......U.........
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 32: 01 00 00 00 C7 5A 89 5F 80 00 55 97 05 00 00 00 .....Z._..U.....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 48: 00 00 00 64 00 14 80 00 19 14 23 2B 46 C9 C4 56 ...d......#+F..V
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 64: B5 F6 9C 18 58 A2 78 B0 E4 A7 4A C7 20 21 32 CD ....X.x...J. !2.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 80: B2 60 7F DB 0F 7B 35 53 AE FA 23 C0 65 A5 48 35 .`...{5S..#.e.H5
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 96: FE DF DF B9 72 C4 DD 16 8B 55 E9 84 AE 45 E0 07 ....r....U...E..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 112: 05 AF D6 60 32 95 58 81 A6 CA 36 F6 A1 CC 25 1A ...`2.X...6...%.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 128: EF 13 9C AC 84 1F F6 9B F1 31 95 A3 80 00 55 97 .........1....U.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 144: 08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97 ..............U.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 160: 0D 00 00 00 00 00 00 10 00 00 00 00 ............
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] processing PB-TNC SDATA batch
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] processing PB-PA message (164 bytes)
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

containing a PA-TNC message with the 'DH Nonce Finish', 'Get TPM Version Information' and 'Get Attestation Identity Key'
attributes from the TCG namespace:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 06[IMC] IMC 1 "Attestation" received message for Connection ID 1 from IMV 1
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] processing PA-TNC message with ID 0xc75a895f
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] => 88 bytes @ 0x9b58114
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 0: 00 14 80 00 19 14 23 2B 46 C9 C4 56 B5 F6 9C 18 ......#+F..V....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 16: 58 A2 78 B0 E4 A7 4A C7 20 21 32 CD B2 60 7F DB X.x...J. !2..`..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 32: 0F 7B 35 53 AE FA 23 C0 65 A5 48 35 FE DF DF B9 .{5S..#.e.H5....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 48: 72 C4 DD 16 8B 55 E9 84 AE 45 E0 07 05 AF D6 60 r....U...E.....`
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 64: 32 95 58 81 A6 CA 36 F6 A1 CC 25 1A EF 13 9C AC 2.X...6...%.....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 80: 84 1F F6 9B F1 31 95 A3 .....1..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] processing PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] => 4 bytes @ 0x9b58178
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 0: 00 00 00 00 ....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] processing PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] => 4 bytes @ 0x9b58188
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 0: 00 00 00 00 ....
</pre>
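The following Python parser is an added illustration and not strongSwan code: it walks the 172-byte SDATA batch dumped above through the PB-TNC, PB-PA and PA-TNC layers and decodes the 'DH Nonce Finish' attribute, so that the three attributes, the selected hash algorithm and the 20 byte initiator nonce can be checked against the log. The sample bytes are re-typed from the hex dump; the attribute names and the SHA-1 flag value 0x8000 come from the log, while the SHA-256 and SHA-384 flag values are taken from the TCG PTS measurement algorithm definition.

```python
import struct
SDATA_BATCH = bytes.fromhex(  # the 172-byte SDATA batch logged above, re-typed from its hex dump
    "02800002000000AC8000000000000001 000000A40000559700000001FFFF0001"
    "01000000C75A895F8000559705000000 00000064001480001914232B46C9C456"
    "B5F69C1858A278B0E4A74AC7202132CD B2607FDB0F7B3553AEFA23C065A54835"
    "FEDFDFB972C4DD168B55E984AE45E007 05AFD66032955881A6CA36F6A1CC251A"
    "EF139CAC841FF69BF13195A380005597 08000000000000100000000080005597"
    "0D0000000000001000000000")
TCG_PTS_ATTR = {0x05000000: "DH Nonce Finish", 0x08000000: "Get TPM Version Information",
                0x0d000000: "Get Attestation Identity Key"}
PTS_HASH_ALGO = {0x8000: "SHA1", 0x4000: "SHA256", 0x2000: "SHA384"}  # PTS measurement algorithm flags

def parse_dh_nonce_finish(value):
    """Reserved(1) NonceLen(1) HashAlg(2) InitiatorPublicValue(variable) InitiatorNonce(NonceLen)."""
    _, nonce_len, hash_alg = struct.unpack("!BBH", value[:4])
    if not 0 < nonce_len <= len(value) - 4:          # a zero or oversized length would mis-slice below
        raise ValueError("nonce length does not fit the DH Nonce Finish attribute")
    return {"hash_alg": PTS_HASH_ALGO.get(hash_alg, hex(hash_alg)),
            "public_value": value[4:-nonce_len], "initiator_nonce": value[-nonce_len:]}

def parse_pa_tnc(msg):
    """PA-TNC: Version(1) Reserved(3) MessageID(4), then attributes Flags/VendorID(4) Type(4) Length(4)."""
    attrs, off = [], 8
    while off < len(msg):
        flags_vendor, attr_type, length = struct.unpack("!III", msg[off:off + 12])
        if length < 12 or off + length > len(msg):  # length includes the 12-byte attribute header
            raise ValueError("bad PA-TNC attribute length")
        value = msg[off + 12:off + length]
        name = TCG_PTS_ATTR.get(attr_type) if flags_vendor & 0xFFFFFF == 0x005597 else None  # TCG PEN
        attrs.append((name or hex(attr_type), len(value),
                      parse_dh_nonce_finish(value) if name == "DH Nonce Finish" else None))
        off += length
    return {"version": msg[0], "id": struct.unpack("!I", msg[4:8])[0], "attrs": attrs}

def parse_pb_tnc_batch(batch):
    """PB-TNC: Version(1) D-flag(1) BatchType(2) Length(4); an IETF PB-PA message (type 1) wraps PA-TNC."""
    version, _dflag, btype, blen = struct.unpack("!BBHI", batch[:8])
    if version != 2 or blen != len(batch):
        raise ValueError("not a complete PB-TNC version 2 batch")
    pb_pa, off = [], 8
    while off < len(batch):
        flags_vendor, msg_type, mlen = struct.unpack("!III", batch[off:off + 12])
        if mlen < 12 or off + mlen > len(batch):
            raise ValueError("bad PB-TNC message length")
        if (flags_vendor & 0xFFFFFF, msg_type) == (0, 1):  # PB-PA: Flags/VendorID SubType CollID ValidID
            hdr = struct.unpack("!IIHH", batch[off + 12:off + 24])   # vendor, subtype, collector, validator
            pb_pa.append((hdr[0] & 0xFFFFFF, *hdr[1:], parse_pa_tnc(batch[off + 24:off + mlen])))
        off += mlen
    return {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CLOSE"}.get(btype & 0xF, btype), pb_pa
```

Running `parse_pb_tnc_batch(SDATA_BATCH)` yields the PB-PA header (TCG vendor, PTS subtype 1, collector 0xFFFF, validator 1), the PA-TNC message ID 0xc75a895f and the attribute lengths 88, 4 and 4 seen in the log.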

The PTS-IMV reports that it selected SHA-1 as the DH hash algorithm and provides its 20 byte nonce and 32 byte public DH factor, so that the shared DH secret can be computed:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] selected DH hash algorithm is HASH_SHA1
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] initiator nonce: => 20 bytes @ 0x9b5d848
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 0: A6 CA 36 F6 A1 CC 25 1A EF 13 9C AC 84 1F F6 9B ..6...%.........
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 16: F1 31 95 A3 .1..
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] responder nonce: => 20 bytes @ 0x9b5bd30
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 0: 1D 14 23 06 97 7D E7 E3 AF AE B6 57 FB A3 58 DA ..#..}.....W..X.
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 16: 59 6A 4C D3 YjL.
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] shared DH secret: => 32 bytes @ 0x9b5ce70
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 0: F1 6A 3B 1C 72 03 B0 18 EA 3C B6 74 D6 AD 33 E9 .j;.r....<.t..3.
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 16: 23 0B 3C 1C A9 5C 77 12 FE FF FF 67 E5 7F CB 04 #.<..\w....g....
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] secret assessment value: => 20 bytes @ 0x9b5d208
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 0: 5F A0 83 5D 35 DF 3C 94 28 8B 79 6F AB 35 86 6C _..]5.<.(.yo.5.l
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] 16: E2 23 4C CF .#L.
</pre>

Answering the 'Get TPM Version Information' request, the following TPM version info is returned in binary form:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 06[PTS] TPM 1.2 Version Info: Chip Version: 1.2.3.17, Spec Level: 2, Errata Rev: 2, Vendor ID: IFX
</pre>

Besides the 'TPM Version Information' attribute, the 'Attestation Identity Key' attribute is also included in the PA-TNC message to be forwarded to the PTS-IMV:
<pre>
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] creating PA-TNC message with ID 0x9eb3b685
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] creating PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] => 20 bytes @ 0x9b57ac8
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 0: 00 30 01 02 03 11 00 02 02 49 46 58 00 00 05 03 .0.......IFX....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 16: 11 00 08 00 ....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] creating PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] => 1167 bytes @ 0x9b5e950
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 0: 00 30 82 04 8A 30 82 03 72 A0 03 02 01 02 02 10 .0...0..r.......
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 16: 33 55 8F BC AE 0F D9 47 78 74 D6 E5 C9 1B 24 28 3U.....Gxt....$(
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 32: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 0...*.H........0
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 48: 50 31 16 30 14 06 03 55 04 0A 13 0D 70 72 69 76 P1.0...U....priv
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 64: 61 63 79 63 61 2E 63 6F 6D 31 36 30 34 06 03 55 acyca.com1604..U
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 80: 04 03 13 2D 50 72 69 76 61 63 79 20 43 41 20 49 ...-Privacy CA I
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 96: 6E 73 65 63 75 72 65 2F 55 6E 63 68 65 63 6B 65 nsecure/Unchecke
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 112: 64 20 41 49 4B 20 43 65 72 74 69 66 69 63 61 74 d AIK Certificat
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 128: 65 30 1E 17 0D 31 32 30 32 30 38 31 30 34 31 32 e0...12020810412
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 144: 30 5A 17 0D 31 33 30 32 30 38 31 30 34 31 32 30 0Z..130208104120
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 160: 5A 30 00 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 Z0.0.."0...*.H..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 176: 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 ...........0....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 192: 82 01 01 00 81 E3 38 7C 4D 46 70 CB D5 33 62 38 ......8|MFp..3b8
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 208: 50 AD 98 D1 28 56 D3 6E 71 CF AA E3 C8 31 BD F6 P...(V.nq....1..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 224: FE 53 6A ED C8 54 0E 7C FB 00 98 80 D6 7D C7 57 .Sj..T.|.....}.W
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 240: D4 EC 24 93 59 48 1F DA 67 30 87 4F D3 59 B2 CA ..$.YH..g0.O.Y..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 256: A8 9D CE C9 27 9A 03 57 C0 FE 1F AB EE E5 C2 A8 ....'..W........
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 272: C6 D5 DC C7 1E 81 74 4D 3D B5 98 6D 57 22 74 02 ......tM=..mW"t.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 288: F1 41 7C E3 68 C1 1C 1C 2F 57 54 CA 4A FB D6 3D .A|.h.../WT.J..=
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 304: 33 37 A9 BC FF 6F 50 13 CC C2 D3 83 F1 4B 01 FD 37...oP......K..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 320: 66 A6 EE 7A D3 E0 E2 C0 51 55 A2 8A AB F4 85 09 f..z....QU......
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 336: 74 24 64 03 DD 65 1C 26 2F 35 08 BF 57 D9 28 DA t$d..e.&/5..W.(.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 352: D3 D7 5B ED C8 C6 6C 43 7E DE D3 93 F4 D5 D7 36 ..[...lC~......6
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 368: 1E 31 9A A8 42 10 7A F5 94 93 9C 8F BD 6D BC 66 .1..B.z......m.f
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 384: 1D 30 A5 B3 B3 44 4D DA 6D 35 64 A6 08 EB D2 A6 .0...DM.m5d.....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 400: 99 18 56 01 28 3B 26 94 FD 6F 7F AD 45 68 3C 8A ..V.(;&..o..Eh<.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 416: 7D 38 8C DB D8 5F 76 16 F5 5E 8A 4B C2 2B 19 8A }8..._v..^.K.+..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 432: 27 D9 80 3C C8 13 01 11 70 CC D6 EF 57 F3 EF 37 '..<....p...W..7
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 448: A2 E6 B5 49 02 03 01 00 01 A3 82 01 AE 30 82 01 ...I.........0..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 464: AA 30 37 06 03 55 1D 09 04 30 30 2E 30 16 06 05 .07..U...00.0...
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 480: 67 81 05 02 10 31 0D 30 0B 0C 03 31 2E 31 02 01 g....1.0...1.1..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 496: 02 02 01 01 30 14 06 05 67 81 05 02 12 31 0B 30 ....0...g....1.0
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 512: 09 80 01 00 81 01 00 82 01 02 30 5D 06 03 55 1D ..........0]..U.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 528: 11 01 01 FF 04 53 30 51 A4 42 30 40 31 16 30 14 .....S0Q.B0@1.0.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 544: 06 05 67 81 05 02 01 0C 0B 69 64 3A 30 30 30 30 ..g......id:0000
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 560: 30 30 30 30 31 12 30 10 06 05 67 81 05 02 02 0C 00001.0...g.....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 576: 07 55 6E 6B 6E 6F 77 6E 31 12 30 10 06 05 67 81 .Unknown1.0...g.
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 592: 05 02 03 0C 07 69 64 3A 30 30 30 30 A0 0B 06 05 .....id:0000....
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 608: 67 81 05 02 0F A0 02 0C 00 30 0C 06 03 55 1D 13 g........0...U..
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 624: 01 01 FF 04 02 30 00 30 81 E0 06 03 55 1D 20 01 .....0.0....U. .
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 640: 01 FF 04 81 D5 30 81 D2 30 67 06 0A 2B 06 01 04 .....0..0g..+...
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 656: 01 81 E3 42 01 10 30 59 30 29 06 08 2B 06 01 05 ...B..0Y0)..+...
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 672: 05 07 02 01 16 1D 68 74 74 70 3A 2F 2F 77 77 77 ......http://www
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 688: 2E 70 72 69 76 61 63 79 63 61 2E 63 6F 6D 2F 63 .privacyca.com/c
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 704: 70 73 2F 30 2C 06 08 2B 06 01 05 05 07 02 02 30 ps/0,..+.......0
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 720: 20 0C 1E 54 43 50 41 20 54 72 75 73 74 65 64 20 ..TCPA Trusted
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 736: 50 6C 61 74 66 6F 72 6D 20 49 64 65 6E 74 69 74 Platform Identit
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 752: 79 30 67 06 04 55 1D 20 00 30 5F 30 25 06 08 2B y0g..U. .0_0%..+
Feb 10 09:05:24 pin1212a00 charon: 06[TNC] 768: 06
</pre>