TNC Server with PTS-IMV » History » Version 12

Andreas Steffen, 30.11.2011 16:03


TNC Server with PTS-IMV

This HOWTO explains in a step-by-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.

Installation and Configuration

The following steps describe the installation of the strongSwan software:

  wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
  tar xjf strongswan-4.6.2dr1.tar.bz2
  cd strongswan-4.6.2dr1
  ./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
              --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
              --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
  make
  [sudo] make install

The imv-attestation dynamic library depends on the TrouSerS library, which has to be present, including its header files, at build time and, of course, at runtime.

The /etc/ipsec.conf file defines an IPsec remote access policy either allowing access to the production network (rw-allow) or to a remediation network (rw-isolate):

# ipsec.conf - strongSwan IPsec configuration file

config setup
     charondebug="tnc 3, imc 3, pts 3" 

conn rw-allow
     rightgroups=allow
     leftsubnet=10.1.0.0/28
     also=rw-eap
     auto=add

conn rw-isolate
     rightgroups=isolate
     leftsubnet=10.1.0.16/28
     also=rw-eap
     auto=add

conn rw-eap
     left=192.168.0.1
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     leftauth=eap-ttls
     rightauth=eap-ttls
     rightid=*@strongswan.org
     rightsendcert=never
     right=%any

The following IKEv2 charon and Attestation IMV options, among them an SQLite URI to the PTS measurement database and the path to the Privacy CA certificates directory, are defined in the /etc/strongswan.conf file:

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke 
  plugins {
    eap-ttls {
      phase2_method = md5
      phase2_piggyback = yes
      phase2_tnc = yes
    }
    eap-tnc {
      protocol = tnccs-2.0
    }
  }
}

libimcv {
  plugins {
    imv-attestation {
      database = sqlite:///etc/pts/config.db
      cadir = /etc/pts/cacerts
      hash_algorithm = sha1
    }
  }
}

IKEv2 Negotiation

Startup and Initialization

The command

ipsec start

starts the TNC-enabled IPsec gateway:

Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) 
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces: 
Nov 29 07:39:15 moon charon: 00[KNL]   eth0 
Nov 29 07:39:15 moon charon: 00[KNL]     192.168.0.1 
Nov 29 07:39:15 moon charon: 00[KNL]     fec0::1 
Nov 29 07:39:15 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1 
Nov 29 07:39:15 moon charon: 00[KNL]   eth1 
Nov 29 07:39:15 moon charon: 00[KNL]     10.1.0.1 
Nov 29 07:39:15 moon charon: 00[KNL]     fec1::1 
Nov 29 07:39:15 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1 

The file /etc/tnc_config

IMV configuration file for strongSwan client 

IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so

defines which IMVs are loaded by the TNC server. Also loaded are the Privacy CA certificates, which are required to establish trust in the AIK certificates:

Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default' 
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config' 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[sha1] available 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_2048[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_1536[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_1024[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available 
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes 
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes 
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized 
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized 
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes 
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' 
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized 
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem' 
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function 
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701 
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so' 

Next, the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded:

Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' 
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' 
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded EAP secret for carol@strongswan.org 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded EAP secret for dave@strongswan.org  
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls  eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke 
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads 
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow' 
Nov 29 07:39:16 moon charon: 16[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' 
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow' 
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate' 
Nov 29 07:39:16 moon charon: 16[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' 
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate' 

IKEv2 Exchanges

The IPsec gateway moon is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:

Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500] 
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA 
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500] 

followed by the IKE_AUTH exchange, where the IKEv2 gateway proposes a mutual, EAP-only IKEv2 authentication via EAP-TTLS:

Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ] 
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org] 
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow' 
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8) 
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE 
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 

IKEv2 EAP-TTLS Tunnel

The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication:

Nov 29 07:39:22 moon charon: 09[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ] 
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'signature algorithms' extension 
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'elliptic curves' extension 
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'ec point formats' extension 
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'server name' extension 
Nov 29 07:39:22 moon charon: 09[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
Nov 29 07:39:22 moon charon: 09[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' 
Nov 29 07:39:22 moon charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 
Nov 29 07:39:22 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ] 
Nov 29 07:39:22 moon charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 
Nov 29 07:39:22 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ] 

Tunneled EAP-Identity

Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity:

Nov 29 07:39:22 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID] 
Nov 29 07:39:22 moon charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 
Nov 29 07:39:22 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ] 
Nov 29 07:39:22 moon charon: 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID] 
Nov 29 07:39:22 moon charon: 04[IKE] received EAP identity 'carol@strongswan.org' 

Tunneled EAP-MD5 Client Authentication

Next follows an EAP-MD5 client authentication:

Nov 29 07:39:22 moon charon: 04[IKE] phase2 method EAP_MD5 selected 
Nov 29 07:39:22 moon charon: 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5] 
Nov 29 07:39:22 moon charon: 04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 
Nov 29 07:39:22 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 03[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ] 
Nov 29 07:39:22 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5] 
Nov 29 07:39:22 moon charon: 03[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful 

Tunneled EAP-TNC Transport

Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:

Nov 29 07:39:22 moon charon: 03[IKE] phase2 method EAP_TNC selected 
Nov 29 07:39:22 moon charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC] 
Nov 29 07:39:22 moon charon: 03[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 

PB-TNC/IF-TNCCS 2.0 Connection

A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received:

Nov 29 07:39:23 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:23 moon charon: 02[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ] 
Nov 29 07:39:23 moon charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC] 
Nov 29 07:39:23 moon charon: 02[TNC] assigned TNCCS Connection ID 1 
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" created a state for Connection ID 1 
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake' 
Nov 29 07:39:23 moon charon: 02[TNC] received TNCCS batch (105 bytes) for Connection ID 1 
Nov 29 07:39:23 moon charon: 02[TNC] => 105 bytes @ 0x80ba6b6 
Nov 29 07:39:23 moon charon: 02[TNC]    0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06  .......i........ 
Nov 29 07:39:23 moon charon: 02[TNC]   16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75  ....Accept-Langu 
Nov 29 07:39:23 moon charon: 02[TNC]   32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00  age: en......... 
Nov 29 07:39:23 moon charon: 02[TNC]   48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01  ..B..U.......... 
Nov 29 07:39:23 moon charon: 02[TNC]   64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00  ...V.R.......... 
Nov 29 07:39:23 moon charon: 02[TNC]   80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31  ..".....Ubuntu 1 
Nov 29 07:39:23 moon charon: 02[TNC]   96: 31 2E 31 30 20 69 36 38 36                       1.10 i686 
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working' 
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-TNC CDATA batch 

containing a 'PB-Language-Preference' and a 'PB-PA' message:

Nov 29 07:39:23 moon charon: 02[TNC] processing PB-Language-Preference message (31 bytes) 
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-PA message (66 bytes) 

This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.

IF-TNCCS 2.0 State Diagram

The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:

Nov 29 07:39:23 moon charon: 02[TNC] setting language preference to 'en' 
Nov 29 07:39:23 moon charon: 02[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01 

The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:

Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1 
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC message with ID 0x569e528e 
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 
Nov 29 07:39:23 moon charon: 02[TNC] => 22 bytes @ 0x80b4d20 
Nov 29 07:39:23 moon charon: 02[TNC]    0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31  .....Ubuntu 11.1 
Nov 29 07:39:23 moon charon: 02[TNC]   16: 30 20 69 36 38 36                                0 i686 

PTS Capability Discovery

The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace. SHA-1 is the only PTS measurement algorithm proposed by the PTS-IMV.

Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC message with ID 0x10fbc931 
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000 
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfd54 
Nov 29 07:39:23 moon charon: 02[TNC]    0: 00 00 00 0E                                      .... 
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000 
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfe3c 
Nov 29 07:39:23 moon charon: 02[TNC]    0: 00 00 80 00                                      .... 

The PB-PA message is sent in a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch to the TNC client:

Nov 29 07:39:23 moon charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01 
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-TNC SDATA batch 
Nov 29 07:39:23 moon charon: 02[TNC] adding PB-PA message 
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working' 
Nov 29 07:39:23 moon charon: 02[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1 
Nov 29 07:39:23 moon charon: 02[TNC] => 72 bytes @ 0x80b65c4 
Nov 29 07:39:23 moon charon: 02[TNC]    0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01  .......H........ 
Nov 29 07:39:23 moon charon: 02[TNC]   16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01  ...@..U......... 
Nov 29 07:39:23 moon charon: 02[TNC]   32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00  .......1..U..... 
Nov 29 07:39:23 moon charon: 02[TNC]   48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00  ..........U..... 
Nov 29 07:39:23 moon charon: 02[TNC]   64: 00 00 00 10 00 00 80 00                          ........ 
Nov 29 07:39:23 moon charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC] 
Nov 29 07:39:23 moon charon: 02[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ] 
Nov 29 07:39:23 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500] 
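The two hex dumps above, the 105-byte CDATA batch from the client and the 72-byte SDATA batch the PTS-IMV answers with, follow the fixed PB-TNC (RFC 5793) and PA-TNC (RFC 5792) framing. The following Python decoder is an added example, not part of this page or of strongSwan's libtnccs; it parses both batches as copied from the dumps above, walks the PB-TNC messages, unwraps the PB-PA envelope, lists the PA-TNC attributes, and decodes the IETF 'Product Information' attribute. The message and batch type names come from the two RFCs; the length checks are what a parser should do before trusting any field in a batch received from an unauthenticated peer.

```python
"""Decode PB-TNC (IF-TNCCS 2.0) batches and the PA-TNC messages they carry.

Byte layouts (RFC 5793 for PB-TNC, RFC 5792 for PA-TNC), all big-endian:
  batch header  : version(1) flags(1, bit 7 = D "from server")
                  reserved+type(2, low 4 bits = batch type) length(4)
  PB-TNC message: flags(1, bit 7 = NOSKIP) vendor(3) type(4) length(4) value
  PB-PA value   : flags(1, bit 7 = EXCL) pa_vendor(3) pa_subtype(4)
                  collector_id(2) validator_id(2) PA-TNC message
  PA-TNC message: version(1) reserved(3) identifier(4) attributes...
  PA-TNC attr   : flags(1, bit 7 = NOSKIP) vendor(3) type(4) length(4) value
"""
import struct

PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_TYPES = {1: "PB-PA", 2: "PB-Assessment-Result", 3: "PB-Access-Recommendation",
                4: "PB-Remediation-Parameters", 5: "PB-Error", 6: "PB-Language-Preference",
                7: "PB-Reason-String"}
IETF_PRODUCT_INFORMATION = 2   # PA-TNC attribute type in the IETF namespace (vendor 0)

# Constructed test input: both batches are copied from the hex dumps logged above.
CDATA_BATCH = bytes.fromhex(
    "02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06"
    "00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75"
    "61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00"
    "00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01"
    "00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00"
    "00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31"
    "31 2E 31 30 20 69 36 38 36")
SDATA_BATCH = bytes.fromhex(
    "02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01"
    "00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01"
    "01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00"
    "00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00"
    "00 00 00 10 00 00 80 00")


def _u24(buf, off):
    """Read a 3-byte big-endian vendor ID."""
    return int.from_bytes(buf[off:off + 3], "big")


def parse_pa_tnc(data):
    """Parse a PA-TNC message into its identifier and a list of attributes."""
    version = data[0]
    if version != 1:
        raise ValueError("unsupported PA-TNC version %d" % version)
    (msg_id,) = struct.unpack_from(">I", data, 4)
    attrs, off = [], 8
    while off < len(data):
        flags, vendor = data[off], _u24(data, off + 1)
        atype, length = struct.unpack_from(">II", data, off + 4)
        if length < 12 or off + length > len(data):   # never trust a peer-supplied length
            raise ValueError("bad PA-TNC attribute length at offset %d" % off)
        attrs.append({"noskip": bool(flags & 0x80), "vendor": vendor, "type": atype,
                      "value": data[off + 12:off + length]})
        off += length
    return {"id": msg_id, "attributes": attrs}


def parse_pb_pa(value):
    """Parse the PB-PA envelope (who sent the PA message to whom) around a PA-TNC message."""
    flags, pa_vendor = value[0], _u24(value, 1)
    subtype, collector, validator = struct.unpack_from(">IHH", value, 4)
    return {"exclusive": bool(flags & 0x80), "pa_vendor": pa_vendor, "pa_subtype": subtype,
            "collector_id": collector, "validator_id": validator,
            "pa_tnc": parse_pa_tnc(value[12:])}


def parse_pb_tnc_batch(data):
    """Parse one PB-TNC batch: header fields plus the decoded messages it carries."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC batch header")
    version, flags, type_field, length = struct.unpack_from(">BBHI", data, 0)
    if version != 2 or length != len(data):
        raise ValueError("PB-TNC version %d / length %d does not match %d received bytes"
                         % (version, length, len(data)))
    batch = {"from_server": bool(flags & 0x80), "length": length, "messages": [],
             "type": PB_BATCH_TYPES.get(type_field & 0x0F, "unknown")}
    off = 8
    while off < length:
        mflags, vendor = data[off], _u24(data, off + 1)
        mtype, mlen = struct.unpack_from(">II", data, off + 4)
        if mlen < 12 or off + mlen > length:
            raise ValueError("bad PB-TNC message length at offset %d" % off)
        value = data[off + 12:off + mlen]
        msg = {"noskip": bool(mflags & 0x80), "vendor": vendor,
               "type": PB_MSG_TYPES.get(mtype, mtype) if vendor == 0 else mtype}
        if vendor == 0 and mtype == 6:          # PB-Language-Preference: an Accept-Language string
            msg["value"] = value.decode("ascii")
        elif vendor == 0 and mtype == 1:        # PB-PA: carries a PA-TNC message for an IMC/IMV
            msg["value"] = parse_pb_pa(value)
        else:
            msg["value"] = value
        batch["messages"].append(msg)
        off += mlen
    return batch


def decode_product_information(value):
    """IETF 'Product Information' attribute: vendor(3) product_id(2) product name (UTF-8)."""
    (product_id,) = struct.unpack_from(">H", value, 3)
    return {"vendor": _u24(value, 0), "product_id": product_id,
            "name": value[5:].decode("utf-8")}


if __name__ == "__main__":
    for raw in (CDATA_BATCH, SDATA_BATCH):
        batch = parse_pb_tnc_batch(raw)
        print(batch["type"], "from", "server" if batch["from_server"] else "client",
              [m["type"] for m in batch["messages"]])
```

Note the PB-PA envelope: the client's batch has collector ID 1 and validator ID 0xFFFF (addressed to any IMV), while the IMV's answer carries collector ID 0xFFFF and validator ID 1, which is exactly the routing the "IMV 1 "Attestation" received message type 0x00559701" log lines reflect.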

As a response, a PB-TNC CDATA batch is received from the TNC client:

Nov 29 07:39:23 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:23 moon charon: 01[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ] 
Nov 29 07:39:23 moon charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC] 
Nov 29 07:39:23 moon charon: 01[TNC] received TNCCS batch (72 bytes) for Connection ID 1 
Nov 29 07:39:23 moon charon: 01[TNC] => 72 bytes @ 0x80be80e 
Nov 29 07:39:23 moon charon: 01[TNC]    0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01  .......H........ 
Nov 29 07:39:23 moon charon: 01[TNC]   16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF  ...@..U......... 
Nov 29 07:39:23 moon charon: 01[TNC]   32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00  ..........U..... 
Nov 29 07:39:23 moon charon: 01[TNC]   48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00  ..........U..... 
Nov 29 07:39:23 moon charon: 01[TNC]   64: 00 00 00 10 00 00 80 00                          ........ 
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working' 
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-TNC CDATA batch

containing a PB-PA message with a PA message of type TCG/PTS to which the PTS-IMV is subscribed:

Nov 29 07:39:23 moon charon: 01[TNC] processing PB-PA message (64 bytes) 
Nov 29 07:39:23 moon charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01 

The PA-TNC message contains a 'PTS Protocol Capabilities' and a 'PTS Measurement Algorithm' attribute from the TCG namespace:

Nov 29 07:39:23 moon charon: 01[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1 
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC message with ID 0x0ed3f1f3 
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000 
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be670 
Nov 29 07:39:23 moon charon: 01[TNC]    0: 00 00 00 0E                                      .... 
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000 
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be680 
Nov 29 07:39:23 moon charon: 01[TNC]    0: 00 00 80 00                                      .... 

The PTS-IMC supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities, all of which the PTS-IMV proposed in its capabilities request. The PTS-IMC also confirms SHA-1 as the PTS measurement algorithm to be used.

Nov 29 07:39:23 moon charon: 01[PTS] supported PTS protocol capabilities: .VDT. 
Nov 29 07:39:23 moon charon: 01[PTS] selected PTS measurement algorithm is HASH_SHA1 

DH Nonce Parameters

The PTS-IMV sends a 'DH Nonce Parameters Request' attribute to the PTS-IMC in a further PB-TNC SDATA batch:

Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC message with ID 0xc2d18ef1 
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000 
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80bdf9c 
Nov 29 07:39:23 moon charon: 01[TNC]    0: 00 00 F0 00                                      .... 
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01 
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-TNC SDATA batch 
Nov 29 07:39:23 moon charon: 01[TNC] adding PB-PA message 
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Server Working' to 'Client Working' 
Nov 29 07:39:23 moon charon: 01[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1 
Nov 29 07:39:23 moon charon: 01[TNC] => 56 bytes @ 0x80a30fc 
Nov 29 07:39:23 moon charon: 01[TNC]    0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01  .......8........ 
Nov 29 07:39:23 moon charon: 01[TNC]   16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01  ...0..U......... 
Nov 29 07:39:23 moon charon: 01[TNC]   32: 01 00 00 00 C2 D1 8E F1 80 00 55 97 03 00 00 00  ..........U..... 
Nov 29 07:39:23 moon charon: 01[TNC]   48: 00 00 00 10 00 00 F0 00                          ........ 
Nov 29 07:39:23 moon charon: 01[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC] 
Nov 29 07:39:23 moon charon: 01[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ] 
Nov 29 07:39:23 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]

The PTS-IMC answers with a PB-TNC CDATA batch carrying a 'DH Nonce Parameters Response' attribute:

Nov 29 07:39:23 moon charon: 13[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:23 moon charon: 13[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ] 
Nov 29 07:39:23 moon charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC] 
Nov 29 07:39:23 moon charon: 13[TNC] received TNCCS batch (144 bytes) for Connection ID 1 
Nov 29 07:39:23 moon charon: 13[TNC] => 144 bytes @ 0x80bb0e6 
Nov 29 07:39:23 moon charon: 13[TNC]    0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01  ................ 
Nov 29 07:39:23 moon charon: 13[TNC]   16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF  ......U......... 
Nov 29 07:39:23 moon charon: 13[TNC]   32: 01 00 00 00 A6 9F 8B 02 00 00 55 97 04 00 00 00  ..........U..... 
Nov 29 07:39:23 moon charon: 13[TNC]   48: 00 00 00 68 00 00 00 14 10 00 E0 00 AA B1 9A 5C  ...h...........\ 
Nov 29 07:39:23 moon charon: 13[TNC]   64: 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA 89 55 D3 74  .G...;.HzU...U.t 
Nov 29 07:39:23 moon charon: 13[TNC]   80: DF CE B2 FB 44 16 FD 98 44 1D 79 1F 36 7A A5 67  ....D...D.y.6z.g 
Nov 29 07:39:23 moon charon: 13[TNC]   96: 94 30 81 C8 38 A8 1A AD 99 55 0E 91 2F E4 36 62  .0..8....U../.6b 
Nov 29 07:39:23 moon charon: 13[TNC]  112: FA C2 08 63 88 69 41 79 35 D4 64 8C 4C D4 CB E9  ...c.iAy5.d.L... 
Nov 29 07:39:23 moon charon: 13[TNC]  128: 7B 5E CF 0A E0 E9 74 66 4C BB 06 3B F8 DE 96 2E  {^....tfL..;.... 
Nov 29 07:39:23 moon charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working' 
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-TNC CDATA batch
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-PA message (136 bytes) 
Nov 29 07:39:23 moon charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01 
Nov 29 07:39:23 moon charon: 13[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1 
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC message with ID 0xa69f8b02 
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000 
Nov 29 07:39:23 moon charon: 13[TNC] => 92 bytes @ 0x80b4c38 
Nov 29 07:39:23 moon charon: 13[TNC]    0: 00 00 00 14 10 00 E0 00 AA B1 9A 5C 9B 47 D0 0D  ...........\.G.. 
Nov 29 07:39:23 moon charon: 13[TNC]   16: EF 3B F4 48 7A 55 EF DA 89 55 D3 74 DF CE B2 FB  .;.HzU...U.t.... 
Nov 29 07:39:23 moon charon: 13[TNC]   32: 44 16 FD 98 44 1D 79 1F 36 7A A5 67 94 30 81 C8  D...D.y.6z.g.0.. 
Nov 29 07:39:23 moon charon: 13[TNC]   48: 38 A8 1A AD 99 55 0E 91 2F E4 36 62 FA C2 08 63  8....U../.6b...c 
Nov 29 07:39:23 moon charon: 13[TNC]   64: 88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A  .iAy5.d.L...{^.. 
Nov 29 07:39:23 moon charon: 13[TNC]   80: E0 E9 74 66 4C BB 06 3B F8 DE 96 2E              ..tfL..;.... 
Nov 29 07:39:23 moon charon: 13[PTS] selected DH hash algorithm is HASH_SHA1 
Nov 29 07:39:23 moon charon: 13[PTS] selected PTS DH group is ECP_256 
Nov 29 07:39:23 moon charon: 13[PTS] nonce length is 20 
Nov 29 07:39:23 moon charon: 13[PTS] initiator nonce: => 20 bytes @ 0x80be424 
Nov 29 07:39:23 moon charon: 13[PTS]    0: 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 83 73 AE AE  F...3d.'.b=..s.. 
Nov 29 07:39:23 moon charon: 13[PTS]   16: 8B 36 E4 F5                                      .6.. 
Nov 29 07:39:23 moon charon: 13[PTS] responder nonce: => 20 bytes @ 0x80bbd24 
Nov 29 07:39:23 moon charon: 13[PTS]    0: AA B1 9A 5C 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA  ...\.G...;.HzU.. 
Nov 29 07:39:23 moon charon: 13[PTS]   16: 89 55 D3 74                                      .U.t 
Nov 29 07:39:23 moon charon: 13[PTS] shared DH secret: => 32 bytes @ 0x80c1f84 
Nov 29 07:39:23 moon charon: 13[PTS]    0: 61 E8 7D D7 8C C8 DF 4E 5C 5A B7 48 75 38 0C B8  a.}....N\Z.Hu8.. 
Nov 29 07:39:23 moon charon: 13[PTS]   16: 2D 23 08 8E E2 D5 B9 25 04 F8 03 BA 35 9F 3A 52  -#.....%....5.:R 
Nov 29 07:39:23 moon charon: 13[PTS] secret assessment value: => 20 bytes @ 0x80b2afc 
Nov 29 07:39:23 moon charon: 13[PTS]    0: E1 1B 01 B4 FF 2B 56 83 24 AD AD AD 8B 7B 36 B7  .....+V.$....{6. 
Nov 29 07:39:23 moon charon: 13[PTS]   16: FF CA D9 59                                      ...Y
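The capability and algorithm attributes of the PTS capability discovery above are four-byte bit sets, and the 92-byte 'DH Nonce Parameters Response' is a fixed-layout record. The following Python decoder is an added example, not part of this page or of strongSwan's libpts, that interprets those values as copied from the dumps above. The flag bit assignments (capability letters C/V/D/T/X, the SHA-1/SHA-256/SHA-384 algorithm bits and the MODP/ECP group bits) are an assumption taken from the TCG PTS attribute definitions as strongSwan implements them; each agrees with what the log above prints (0x0E renders as ".VDT.", 0x8000 as HASH_SHA1, 0x1000 as ECP_256). The response decoder also checks that the nonce and the responder's DH public value have the lengths the selected group requires, which is the sanity check a verifier wants before feeding peer-supplied values into its DH computation.

```python
"""Decode the value fields of the TCG/PTS attributes exchanged above."""
import struct

# Flag bits of the PTS capability, measurement algorithm and DH group sets
# (assumption, see lead-in; consistent with the values logged on this page).
PROTO_CAPS = (("C", 1 << 0), ("V", 1 << 1), ("D", 1 << 2), ("T", 1 << 3), ("X", 1 << 4))
MEAS_ALGOS = {1 << 15: "HASH_SHA1", 1 << 14: "HASH_SHA256", 1 << 13: "HASH_SHA384"}
DH_GROUPS = {1 << 15: "MODP_1024", 1 << 14: "MODP_1536", 1 << 13: "MODP_2048",
             1 << 12: "ECP_256", 1 << 11: "ECP_384"}
# Expected size of a DH public value per group (uncompressed x||y point for ECP groups).
DH_PUBLIC_LEN = {"MODP_1024": 128, "MODP_1536": 192, "MODP_2048": 256,
                 "ECP_256": 64, "ECP_384": 96}

# Constructed test input: attribute values copied from the hex dumps logged above.
CAPS_VALUE = bytes.fromhex("0000000E")          # 'PTS Protocol Capabilities'
MEAS_ALGO_VALUE = bytes.fromhex("00008000")     # 'PTS Measurement Algorithm'
DH_NONCE_REQUEST = bytes.fromhex("0000F000")    # 'DH Nonce Parameters Request'
DH_NONCE_RESPONSE = bytes.fromhex(              # 'DH Nonce Parameters Response', 92 bytes
    "00 00 00 14 10 00 E0 00 AA B1 9A 5C 9B 47 D0 0D"
    "EF 3B F4 48 7A 55 EF DA 89 55 D3 74 DF CE B2 FB"
    "44 16 FD 98 44 1D 79 1F 36 7A A5 67 94 30 81 C8"
    "38 A8 1A AD 99 55 0E 91 2F E4 36 62 FA C2 08 63"
    "88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A"
    "E0 E9 74 66 4C BB 06 3B F8 DE 96 2E")


def _bits(flags, table):
    """Names of all set bits in a flag set, highest bit first."""
    return [name for bit, name in sorted(table.items(), reverse=True) if flags & bit]


def decode_proto_caps(value):
    """'(Request) PTS Protocol Capabilities': a 4-byte flag word, rendered like the log."""
    (flags,) = struct.unpack(">I", value)
    return "".join(name if flags & bit else "." for name, bit in PROTO_CAPS)


def decode_meas_algorithms(value):
    """'PTS Measurement Algorithm (Request)': reserved(2) algorithm_set(2)."""
    (algos,) = struct.unpack_from(">H", value, 2)
    return _bits(algos, MEAS_ALGOS)


def decode_dh_nonce_params_request(value):
    """'DH Nonce Parameters Request': reserved(1) min_nonce_len(1) dh_group_set(2)."""
    min_nonce_len, groups = struct.unpack_from(">BH", value, 1)
    return {"min_nonce_len": min_nonce_len, "dh_groups": _bits(groups, DH_GROUPS)}


def decode_dh_nonce_params_response(value):
    """'DH Nonce Parameters Response': reserved(3) nonce_len(1) dh_group(2)
    hash_algorithm_set(2) responder_nonce(nonce_len) responder_public_value(rest)."""
    if len(value) < 8:
        raise ValueError("truncated DH nonce parameters response")
    nonce_len = value[3]
    group, hashes = struct.unpack_from(">HH", value, 4)
    group_name = DH_GROUPS.get(group)
    # The responder must pick exactly one group we know; anything else is rejected.
    if group_name is None or bin(group).count("1") != 1:
        raise ValueError("response must select exactly one known DH group, got 0x%04x" % group)
    nonce = value[8:8 + nonce_len]
    public = value[8 + nonce_len:]
    if len(nonce) != nonce_len or len(public) != DH_PUBLIC_LEN[group_name]:
        raise ValueError("nonce/public value length does not fit %s" % group_name)
    return {"nonce_len": nonce_len, "dh_group": group_name,
            "hash_algorithms": _bits(hashes, MEAS_ALGOS),
            "responder_nonce": nonce, "public_value": public}


if __name__ == "__main__":
    print("capabilities:", decode_proto_caps(CAPS_VALUE))
    print("measurement algorithms:", decode_meas_algorithms(MEAS_ALGO_VALUE))
    print("request:", decode_dh_nonce_params_request(DH_NONCE_REQUEST))
    resp = decode_dh_nonce_params_response(DH_NONCE_RESPONSE)
    print("response: group", resp["dh_group"], "nonce", resp["responder_nonce"].hex())
```

Decoded this way, the request offers MODP_1024, MODP_1536, MODP_2048 and ECP_256 with no minimum nonce length, and the response selects ECP_256 with a 20-byte nonce and offers all three hash algorithms, from which the IMV picks SHA-1 as the log shows.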