Version 39 (Andreas Steffen, 09.02.2012 14:25) → Version 40/57 (Andreas Steffen, 09.02.2012 15:49)
h1. TNC Server with PTS-IMV
This HOWTO explains in a step-for-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.
{{>toc}}
h2. Installation and Configuration
h3. Installing the strongSwan Software
The following steps describe the installation of the strongSwan software
<pre>
wget http://download.strongswan.org/strongswan-4.6.2rc1.tar.bz2
tar xjf strongswan-4.6.2rc1.tar.bz2
cd strongswan-4.6.2rc1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
            --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
            --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>
The strongSwan *imv-attestation.so* dynamic PTS-IMV library depends on the "TrouSerS":http://sourceforge.net/projects/trousers/ libtspi library. For compilation, the /usr/include/trousers/ header files are additionally required.
h3. Configuring the strongSwan Software
The /etc/ipsec.conf file defines an IPsec remote access policy either allowing access to the production network (rw-allow) or to a remediation network (rw-isolate):
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="tnc 3, imc 3, pts 3"

conn rw-allow
        rightgroups=allow
        leftsubnet=10.1.0.0/28
        also=rw-eap
        auto=add

conn rw-isolate
        rightgroups=isolate
        leftsubnet=10.1.0.16/28
        also=rw-eap
        auto=add

conn rw-eap
        left=192.168.0.1
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftauth=eap-ttls
        rightauth=eap-ttls
        rightid=*@strongswan.org
        rightsendcert=never
        right=%any
</pre>
The IKEv2 server *moon* is going to use public key based authentication with the location of the private key defined in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
The following IKEv2 charon and Attestation IMV options are defined in the /etc/strongswan.conf file. Among the options there is an SQLite URI pointing to the PTS measurement database and the path to the directory where the Privacy CA certificates are stored:
<pre>
# /etc/strongswan.conf - strongSwan configuration file

charon {
    load = curl sha1 pem pkcs1 pkcs8 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke

    plugins {
        eap-ttls {
            phase2_method = md5
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            protocol = tnccs-2.0
        }
    }
}

libimcv {
    plugins {
        imv-attestation {
            database = sqlite:///etc/pts/config.db
            cadir = /etc/pts/cacerts
            hash_algorithm = sha1
        }
    }
}

attest {
    database = sqlite:///etc/pts/config.db
}
</pre>
h3. Initializing the PTS Measurement Database
The SQLite database is initialized using the *tables.sql* and *data.sql* files from the strongSwan src/libpts/plugins/imv_attestation source directory:
<pre>
cat tables.sql data.sql | sqlite3 /etc/pts/config.db
</pre>
The following query lists the PTS component functional names defined in the database, all of which currently belong to the ITA-HSR namespace:
<pre>
moon# ipsec attest --components
1: 0x00902a/0x00000001-0x21 ITA-HSR/Trusted GRUB Boot Loader [K.] Trusted Platform
2: 0x00902a/0x00000002-0x21 ITA-HSR/Trusted Boot [K.] Trusted Platform
3: 0x00902a/0x00000003-0x21 ITA-HSR/Linux IMA [K.] Trusted Platform
3 components found
</pre>
In order to authorize the PTS functional component measurements, the fingerprint of TNC client *carol*'s AIK certificate AIK_Cert.der must be entered into the database and must be linked to the component measurements to be executed:
<pre>
moon# ipsec attest --add --owner "Carol, pin1212a00 (Fujitsu Siemens Celsius W510)" --aik AIK_Cert.der --cid 3
key '78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3' inserted into database
key/component pair (2/3) inserted into database
moon# ipsec attest --add --kid 2 --cid 2
key/component pair (2/2) inserted into database
</pre>
The entered data can be checked with the following commands:
<pre>
moon# ipsec attest --keys
2: 78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3 'Carol, pin1212a00 (Fujitsu Siemens Celsius W510)'
1: b7:72:a6:73:07:76:b9:f0:28:e5:ad:fc:cd:40:b5:5c:32:0a:13:b6 'Andreas, merthyr (Fujitsu Siemens Lifebook S6420)'
2 keys found
moon ~ # ipsec attest --components --kid 2
2: 0x00902a/0x00000002-0x21 ITA-HSR/Trusted Boot [K.] Trusted Platform
3: 0x00902a/0x00000003-0x21 ITA-HSR/Linux IMA [K.] Trusted Platform
2 components found for key 78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3
</pre>
h2. IKEv2 Negotiation
h3. Startup and Initialization
The command
<pre>
ipsec start
</pre>
starts the TNC-enabled IPsec gateway:
<pre>
Feb 9 14:53:31 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2rc1)
Feb 9 14:53:31 moon charon: 00[KNL] listening on interfaces:
Feb 9 14:53:31 moon charon: 00[KNL] eth0
Feb 9 14:53:31 moon charon: 00[KNL] 192.168.0.1
Feb 9 14:53:31 moon charon: 00[KNL] fec0::1
Feb 9 14:53:31 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Feb 9 14:53:31 moon charon: 00[KNL] eth1
Feb 9 14:53:31 moon charon: 00[KNL] 10.1.0.1
Feb 9 14:53:31 moon charon: 00[KNL] fec1::1
Feb 9 14:53:31 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>
The file /etc/tnc_config
<pre>
# IMV configuration file for strongSwan client
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
defines which IMVs are loaded by the TNC server. The Privacy CA certificates, which are required to establish trust in the AIK certificates, are loaded as well:
<pre>
Feb 9 14:53:31 moon charon: 00[TNC] TNC recommendation policy is 'default'
Feb 9 14:53:31 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Feb 9 14:53:31 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Feb 9 14:53:31 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Feb 9 14:53:31 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Feb 9 14:53:31 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Feb 9 14:53:31 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Feb 9 14:53:31 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Feb 9 14:53:31 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Feb 9 14:53:31 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Feb 9 14:53:31 moon charon: 00[TNC] added IETF attributes
Feb 9 14:53:31 moon charon: 00[TNC] added ITA-HSR attributes
Feb 9 14:53:31 moon charon: 00[LIB] libimcv initialized
Feb 9 14:53:31 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Feb 9 14:53:31 moon charon: 00[TNC] added TCG attributes
Feb 9 14:53:31 moon charon: 00[PTS] added TCG functional component namespace
Feb 9 14:53:31 moon charon: 00[PTS] added ITA-HSR functional component namespace
Feb 9 14:53:31 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Feb 9 14:53:31 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Feb 9 14:53:31 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Feb 9 14:53:31 moon charon: 00[LIB] libpts initialized
Feb 9 14:53:31 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Feb 9 14:53:31 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Root Certificate" from '/etc/pts/cacerts/privacy_ca_level_2_cert.pem'
Feb 9 14:53:31 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0_cert.pem'
Feb 9 14:53:31 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_root_cert.pem'
Feb 9 14:53:31 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1_cert.pem'
Feb 9 14:53:31 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Feb 9 14:53:31 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>
Next, the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded:
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>
h3. IKEv2 Exchanges
The IPsec gateway *moon* is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:
<pre>
Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500]
</pre>
followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual IKEv2 EAP-TTLS only authentication:
<pre>
Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org]
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow'
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8)
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h3. IKEv2 EAP-TTLS Tunnel
The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication:
<pre>
Nov 29 07:39:22 moon charon: 09[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'signature algorithms' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'elliptic curves' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'ec point formats' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'server name' extension
Nov 29 07:39:22 moon charon: 09[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 moon charon: 09[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 moon charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
</pre>
h3. Tunneled EAP-Identity
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity:
<pre>
Nov 29 07:39:22 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:22 moon charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:22 moon charon: 04[IKE] received EAP identity 'carol@strongswan.org'
</pre>
h3. Tunneled EAP-MD5 Client Authentication
Next follows an EAP-MD5 client authentication:
<pre>
Nov 29 07:39:22 moon charon: 04[IKE] phase2 method EAP_MD5 selected
Nov 29 07:39:22 moon charon: 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:22 moon charon: 04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 03[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:22 moon charon: 03[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful
</pre>
h3. Tunneled EAP-TNC Transport
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:22 moon charon: 03[IKE] phase2 method EAP_TNC selected
Nov 29 07:39:22 moon charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:22 moon charon: 03[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h2. PB-TNC/IF-TNCCS 2.0 Connection
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received:
<pre>
Nov 29 07:39:23 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 02[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 02[TNC] assigned TNCCS Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" created a state for Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Nov 29 07:39:23 moon charon: 02[TNC] received TNCCS batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 105 bytes @ 0x80ba6b6
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 moon charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 moon charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 moon charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-TNC CDATA batch
</pre>
containing a 'PB-Language-Preference' and a 'PB-PA' message:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-Language-Preference message (31 bytes)
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-PA message (66 bytes)
</pre>
This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.
!IF-TNCCS-20-State-Diagram.png!
The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] setting language preference to 'en'
Nov 29 07:39:23 moon charon: 02[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:
<pre>
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 moon charon: 02[TNC] => 22 bytes @ 0x80b4d20
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 moon charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
</pre>
h3. PTS Capability Discovery
The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace. SHA-1 is the only PTS measurement algorithm proposed by the PTS-IMV.
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC message with ID 0x10fbc931
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfd54
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfe3c
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 80 00 ....
</pre>
The PB-PA message is sent in a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 02[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 02[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 72 bytes @ 0x80b65c4
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 moon charon: 02[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 02[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
As a response, a PB-TNC CDATA batch is received from the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 01[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 01[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 72 bytes @ 0x80be80e
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-TNC CDATA batch
</pre>
containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 moon charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains a 'PTS Protocol Capabilities' and a 'PTS Measurement Algorithm' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 01[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC message with ID 0x0ed3f1f3
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be670
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be680
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 80 00 ....
</pre>
The PTS-IMC supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities all of which the PTS-IMV proposed in the capabilities request. Also SHA-1 is confirmed by the PTS-IMC to be used as PTS measurement algorithm.
<pre>
Nov 29 07:39:23 moon charon: 01[PTS] supported PTS protocol capabilities: .VDT.
Nov 29 07:39:23 moon charon: 01[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>
h3. DH Nonce Parameters
The PTS-IMV creates a PA-TNC message containing the 'DH Nonce Parameters Request' from the TCG namespace which offers the set of IKE DH groups {2, 5, 14, 19}:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC message with ID 0xc2d18ef1
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80bdf9c
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 F0 00 ....
</pre>
The corresponding PB-PA message is embedded into a PB-TNC SDATA batch and sent to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 01[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 01[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 56 bytes @ 0x80a30fc
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 C2 D1 8E F1 80 00 55 97 03 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 F0 00 ........
Nov 29 07:39:23 moon charon: 01[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 01[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
In response, a PB-TNC CDATA batch is received from the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 13[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 13[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 13[TNC] received TNCCS batch (144 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] => 144 bytes @ 0x80bb0e6
Nov 29 07:39:23 moon charon: 13[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 13[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Nov 29 07:39:23 moon charon: 13[TNC] 32: 01 00 00 00 A6 9F 8B 02 00 00 55 97 04 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 13[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 AA B1 9A 5C ...h...........\
Nov 29 07:39:23 moon charon: 13[TNC] 64: 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA 89 55 D3 74 .G...;.HzU...U.t
Nov 29 07:39:23 moon charon: 13[TNC] 80: DF CE B2 FB 44 16 FD 98 44 1D 79 1F 36 7A A5 67 ....D...D.y.6z.g
Nov 29 07:39:23 moon charon: 13[TNC] 96: 94 30 81 C8 38 A8 1A AD 99 55 0E 91 2F E4 36 62 .0..8....U../.6b
Nov 29 07:39:23 moon charon: 13[TNC] 112: FA C2 08 63 88 69 41 79 35 D4 64 8C 4C D4 CB E9 ...c.iAy5.d.L...
Nov 29 07:39:23 moon charon: 13[TNC] 128: 7B 5E CF 0A E0 E9 74 66 4C BB 06 3B F8 DE 96 2E {^....tfL..;....
Nov 29 07:39:23 moon charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-TNC CDATA batch
</pre>
containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-PA message (136 bytes)
Nov 29 07:39:23 moon charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains a 'DH Nonce Parameters Response' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 13[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC message with ID 0xa69f8b02
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Nov 29 07:39:23 moon charon: 13[TNC] => 92 bytes @ 0x80b4c38
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 14 10 00 E0 00 AA B1 9A 5C 9B 47 D0 0D ...........\.G..
Nov 29 07:39:23 moon charon: 13[TNC] 16: EF 3B F4 48 7A 55 EF DA 89 55 D3 74 DF CE B2 FB .;.HzU...U.t....
Nov 29 07:39:23 moon charon: 13[TNC] 32: 44 16 FD 98 44 1D 79 1F 36 7A A5 67 94 30 81 C8 D...D.y.6z.g.0..
Nov 29 07:39:23 moon charon: 13[TNC] 48: 38 A8 1A AD 99 55 0E 91 2F E4 36 62 FA C2 08 63 8....U../.6b...c
Nov 29 07:39:23 moon charon: 13[TNC] 64: 88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A .iAy5.d.L...{^..
Nov 29 07:39:23 moon charon: 13[TNC] 80: E0 E9 74 66 4C BB 06 3B F8 DE 96 2E ..tfL..;....
</pre>
The PTS-IMC selected ECP_256 (IKE DH group 14) as the PTS DH group and returns a 20 byte DH responder nonce and the 32 byte ECP_256 DH responder public value, from which, together with the PTS-IMV's private DH value, the shared DH secret can be derived:
<pre>
Nov 29 07:39:23 moon charon: 13[PTS] selected DH hash algorithm is HASH_SHA1
Nov 29 07:39:23 moon charon: 13[PTS] selected PTS DH group is ECP_256
Nov 29 07:39:23 moon charon: 13[PTS] nonce length is 20
Nov 29 07:39:23 moon charon: 13[PTS] initiator nonce: => 20 bytes @ 0x80be424
Nov 29 07:39:23 moon charon: 13[PTS] 0: 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 83 73 AE AE F...3d.'.b=..s..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 8B 36 E4 F5 .6..
Nov 29 07:39:23 moon charon: 13[PTS] responder nonce: => 20 bytes @ 0x80bbd24
Nov 29 07:39:23 moon charon: 13[PTS] 0: AA B1 9A 5C 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA ...\.G...;.HzU..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 89 55 D3 74 .U.t
Nov 29 07:39:23 moon charon: 13[PTS] shared DH secret: => 32 bytes @ 0x80c1f84
Nov 29 07:39:23 moon charon: 13[PTS] 0: 61 E8 7D D7 8C C8 DF 4E 5C 5A B7 48 75 38 0C B8 a.}....N\Z.Hu8..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 2D 23 08 8E E2 D5 B9 25 04 F8 03 BA 35 9F 3A 52 -#.....%....5.:R
Nov 29 07:39:23 moon charon: 13[PTS] secret assessment value: => 20 bytes @ 0x80b2afc
Nov 29 07:39:23 moon charon: 13[PTS] 0: E1 1B 01 B4 FF 2B 56 83 24 AD AD AD 8B 7B 36 B7 .....+V.$....{6.
Nov 29 07:39:23 moon charon: 13[PTS] 16: FF CA D9 59 ...Y
</pre>
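To make the hex dumps of the preceding PB-TNC/IF-TNCCS 2.0, PTS capability discovery and DH nonce sections easier to follow, here is an added Python decoder. It is an example written for this page, not code from strongSwan or from this HOWTO: it walks a PB-TNC batch header, its PB-TNC messages, the PB-PA payload, the PA-TNC message inside it and the TCG/PTS attribute values, and rejects a batch whose directionality (D) flag contradicts its batch type, which is the kind of consistency check a TNC server should apply before handing data to an IMV. All function names are the example's own. The batch, message and attribute type numbers are taken from the log lines above; the bit positions assumed for the SHA256/SHA384 hash algorithms and for the three MODP groups are marked as assumptions in the comments (the log only confirms 0x8000 = SHA1, 0xF000 = all four groups and 0x1000 = ECP_256). The sample bytes are the 105 byte CDATA batch, the 72 byte SDATA batch and the 92 byte 'DH Nonce Parameters Response' value transcribed from the dumps above.

```python
"""Decoder for the PB-TNC (IF-TNCCS 2.0) batches dumped in this HOWTO (added example)."""
import struct

PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
SERVER_BATCH_TYPES = {"SDATA", "SRETRY", "RESULT"}        # batches that must carry the D flag
PB_MSG_TYPES = {1: "PB-PA", 6: "PB-Language-Preference"}
PEN_IETF, PEN_TCG = 0x000000, 0x005597
ATTR_NAMES = {  # vendor/type pairs as the charon log prints them
    (PEN_IETF, 0x00000002): "IETF/Product Information",
    (PEN_TCG, 0x01000000): "TCG/Request PTS Protocol Capabilities",
    (PEN_TCG, 0x02000000): "TCG/PTS Protocol Capabilities",
    (PEN_TCG, 0x03000000): "TCG/DH Nonce Parameters Request",
    (PEN_TCG, 0x04000000): "TCG/DH Nonce Parameters Response",
    (PEN_TCG, 0x05000000): "TCG/DH Nonce Finish",
    (PEN_TCG, 0x06000000): "TCG/PTS Measurement Algorithm Request",
    (PEN_TCG, 0x07000000): "TCG/PTS Measurement Algorithm",
    (PEN_TCG, 0x08000000): "TCG/Get TPM Version Information",
    (PEN_TCG, 0x0d000000): "TCG/Get Attestation Identity Key",
}
PTS_CAPS = {0x01: "C", 0x02: "V", 0x04: "D", 0x08: "T", 0x10: "X"}   # 0x0E in the log = V, D, T
# 0x8000 = SHA1 is confirmed by the log; the SHA256 and SHA384 bit positions are an assumption
PTS_HASH_ALGOS = {0x8000: "SHA1", 0x4000: "SHA256", 0x2000: "SHA384"}
# 0xF000 offers all four groups and 0x1000 selects ECP_256 in the log; the MODP bit order is an assumption
PTS_DH_GROUPS = {0x8000: "MODP_1024", 0x4000: "MODP_1536", 0x2000: "MODP_2048", 0x1000: "ECP_256"}


def _bits(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_attr_value(vendor, atype, value):
    """Decode the attribute values that occur in this HOWTO's log output."""
    if (vendor, atype) == (PEN_IETF, 0x00000002):                # vendor(3) product id(2) name
        return {"product": value[5:].decode("ascii", "replace")}
    if vendor != PEN_TCG:
        return {"raw": value.hex()}
    if atype in (0x01000000, 0x02000000):                         # reserved(3) capability flags(1)
        return {"capabilities": _bits(value[3], PTS_CAPS)}
    if atype in (0x06000000, 0x07000000):                         # reserved(2) hash algorithm set(2)
        return {"hash_algorithms": _bits(struct.unpack("!H", value[2:4])[0], PTS_HASH_ALGOS)}
    if atype == 0x03000000:                                       # reserved(1) min nonce len(1) DH group set(2)
        return {"min_nonce_len": value[1], "dh_groups": _bits(struct.unpack("!H", value[2:4])[0], PTS_DH_GROUPS)}
    if atype == 0x04000000:                # reserved(3) nonce len(1) DH group(2) hash set(2) nonce public value
        nonce_len, group, hashes = struct.unpack("!3xBHH", value[:8])
        return {"dh_groups": _bits(group, PTS_DH_GROUPS), "hash_algorithms": _bits(hashes, PTS_HASH_ALGOS),
                "nonce": value[8:8 + nonce_len].hex(), "public_value": value[8 + nonce_len:].hex()}
    return {"raw": value.hex()}


def parse_pa_tnc(data):
    """PA-TNC message: 8-byte header, then attributes with a 12-byte header each."""
    version, msg_id = struct.unpack("!B3xI", data[:8])
    if version != 1:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, off = [], 8
    while off < len(data):
        vendor = int.from_bytes(data[off + 1:off + 4], "big")
        atype, alen = struct.unpack("!II", data[off + 4:off + 12])
        if alen < 12 or off + alen > len(data):
            raise ValueError("bad PA-TNC attribute length at offset %d" % off)
        name = ATTR_NAMES.get((vendor, atype), "0x%06x/0x%08x" % (vendor, atype))
        attrs.append({"name": name, **parse_attr_value(vendor, atype, data[off + 12:off + alen])})
        off += alen
    return {"id": msg_id, "attributes": attrs}


def parse_batch(data):
    """PB-TNC batch: 8-byte header (version, D flag, type, length), then PB-TNC messages."""
    version, dflag, _, btype, length = struct.unpack("!BBBBI", data[:8])
    if version != 2 or length != len(data):
        raise ValueError("bad PB-TNC batch header or truncated batch")
    batch = {"from_server": bool(dflag & 0x80), "type": PB_BATCH_TYPES.get(btype & 0x0F, "unknown"), "messages": []}
    if batch["from_server"] != (batch["type"] in SERVER_BATCH_TYPES):
        raise ValueError("batch type %s with wrong directionality flag" % batch["type"])
    off = 8
    while off < length:
        vendor = int.from_bytes(data[off + 1:off + 4], "big")
        mtype, mlen = struct.unpack("!II", data[off + 4:off + 12])
        if mlen < 12 or off + mlen > length:
            raise ValueError("bad PB-TNC message length at offset %d" % off)
        value = data[off + 12:off + mlen]
        msg = {"type": PB_MSG_TYPES.get(mtype, mtype) if vendor == PEN_IETF else (vendor, mtype)}
        if vendor == PEN_IETF and mtype == 6:
            msg["language"] = value.decode("ascii", "replace")
        elif vendor == PEN_IETF and mtype == 1:   # PB-PA: flags(1) PA vendor(3) PA subtype(4) collector(2) validator(2)
            msg["pa_vendor"] = int.from_bytes(value[1:4], "big")
            msg["pa_subtype"], msg["collector_id"], msg["validator_id"] = struct.unpack("!IHH", value[4:12])
            msg["pa_tnc"] = parse_pa_tnc(value[12:])
        batch["messages"].append(msg)
        off += mlen
    return batch


# Hex dumps transcribed from the charon log above: the first CDATA batch, the SDATA batch
# answering it, and the 92-byte 'DH Nonce Parameters Response' attribute value
CDATA_BATCH = bytes.fromhex(
    "02000001000000690000000000000006" "0000001f4163636570742d4c616e6775"
    "6167653a20656e800000000000000100" "00004200005597000000010001ffff01"
    "000000569e528e000000000000000200" "00002200000000005562756e74752031"
    "312e31302069363836")
SDATA_BATCH = bytes.fromhex(
    "02800002000000488000000000000001" "000000400000559700000001ffff0001"
    "0100000010fbc9318000559701000000" "000000100000000e8000559706000000"
    "0000001000008000")
DH_NONCE_RESPONSE = bytes.fromhex(
    "000000141000e000aab19a5c9b47d00d" "ef3bf4487a55efda8955d374dfceb2fb"
    "4416fd98441d791f367aa567943081c8" "38a81aad99550e912fe43662fac20863"
    "8869417935d4648c4cd4cbe97b5ecf0a" "e0e974664cbb063bf8de962e")
```

Calling parse_batch(CDATA_BATCH) yields the 'Accept-Language: en' preference and a PB-PA message with PA vendor 0x005597, validator ID 0xFFFF and PA-TNC message ID 0x569e528e carrying the 'IETF/Product Information' string "Ubuntu 11.10 i686"; parse_batch(SDATA_BATCH) shows the two TCG attributes decoding to the capability set V, D, T and the single algorithm SHA1; and parse_attr_value(PEN_TCG, 0x04000000, DH_NONCE_RESPONSE) returns ECP_256 as the selected group together with the 20 byte responder nonce AA B1 9A 5C ... 89 55 D3 74 and a 64 byte public value, which is how the [PTS] lines above were derived from the 92 bytes of the attribute. Flipping the D flag of the CDATA batch makes parse_batch raise, which is the check a server should make before the batch reaches the IMV.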
h3. DH Nonce Finish and TPM Version/AIK Info
The PTS-IMV sends its 32 byte ECP_256 DH initiator public value and its 20 byte initiator nonce in the 'DH Nonce Finish' attribute. Additionally, the 'Get TPM Version Information' and 'Get Attestation Identity Key' attributes are included in the PA-TNC message:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC message with ID 0x8345bdd1
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Nov 29 07:39:23 moon charon: 13[TNC] => 88 bytes @ 0x80c26cc
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 14 80 00 B1 E2 2D 2D 11 80 E2 BC 83 5A 56 DC ......--.....ZV.
Nov 29 07:39:23 moon charon: 13[TNC] 16: 1B 18 3F 91 3B 63 E0 E9 09 2A 67 0D AE FB D6 94 ..?.;c...*g.....
Nov 29 07:39:23 moon charon: 13[TNC] 32: 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00 25 68 E8 EB 29Z,.,X,_>..%h..
Nov 29 07:39:23 moon charon: 13[TNC] 48: 9E 46 93 B3 C7 AE 5C 57 26 92 D7 4E F2 14 08 60 .F....\W&..N...`
Nov 29 07:39:23 moon charon: 13[TNC] 64: 96 A4 74 78 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 ..txF...3d.'.b=.
Nov 29 07:39:23 moon charon: 13[TNC] 80: 83 73 AE AE 8B 36 E4 F5 .s...6..
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Nov 29 07:39:23 moon charon: 13[TNC] => 4 bytes @ 0x80b6fd4
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 00 ....
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
Nov 29 07:39:23 moon charon: 13[TNC] => 4 bytes @ 0x80c2e34
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 00 ....
</pre>
The PA-TNC message transferred via the IF-IMV SendMessage function call is inserted as a PB-PA message into an outbound PB-TNC SDATA batch. The batch starts with the 8 byte PB-TNC header 02 80 00 02 00 00 00 AC: version 2, the D flag set (batch sent from the server to the client), batch type 2 (SDATA) and the total batch length of 172 bytes; the PB-PA message header that follows has the NOSKIP flag set and a length of 0xA4 = 164 bytes:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 13[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 13[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 13[TNC] sending PB-TNC SDATA batch (172 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] => 172 bytes @ 0x80bf50c
Nov 29 07:39:23 moon charon: 13[TNC] 0: 02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 13[TNC] 16: 00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01 ......U.........
Nov 29 07:39:23 moon charon: 13[TNC] 32: 01 00 00 00 83 45 BD D1 80 00 55 97 05 00 00 00 .....E....U.....
Nov 29 07:39:23 moon charon: 13[TNC] 48: 00 00 00 64 00 14 80 00 B1 E2 2D 2D 11 80 E2 BC ...d......--....
Nov 29 07:39:23 moon charon: 13[TNC] 64: 83 5A 56 DC 1B 18 3F 91 3B 63 E0 E9 09 2A 67 0D .ZV...?.;c...*g.
Nov 29 07:39:23 moon charon: 13[TNC] 80: AE FB D6 94 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00 ....29Z,.,X,_>..
Nov 29 07:39:23 moon charon: 13[TNC] 96: 25 68 E8 EB 9E 46 93 B3 C7 AE 5C 57 26 92 D7 4E %h...F....\W&..N
Nov 29 07:39:23 moon charon: 13[TNC] 112: F2 14 08 60 96 A4 74 78 46 C4 11 FB 33 64 F3 27 ...`..txF...3d.'
Nov 29 07:39:23 moon charon: 13[TNC] 128: 1D 62 3D C4 83 73 AE AE 8B 36 E4 F5 80 00 55 97 .b=..s...6....U.
Nov 29 07:39:23 moon charon: 13[TNC] 144: 08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97 ..............U.
Nov 29 07:39:23 moon charon: 13[TNC] 160: 0D 00 00 00 00 00 00 10 00 00 00 00 ............
Nov 29 07:39:23 moon charon: 13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 13[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
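The batches dumped in this section and in the PB-TNC connection and PTS capability discovery sections below are easier to follow with a decoder. The following Python is an added example and not strongSwan code. It parses the PB-TNC batch header, the PB-PA and PB-Language-Preference messages, the PA-TNC attribute list and the three attribute values this page discusses (DH Nonce Finish, PTS Protocol Capabilities, TPM Version Information), with the bounds checks a verifier has to make before it trusts a length field. The layouts follow RFC 5793, RFC 5792, the TCG PTS IF-M binding and the TPM 1.2 TPM_CAP_VERSION_INFO structure; the capability flag letters (X, T, D, V, C from the low bit up) and the measurement algorithm bit values (SHA-1 0x8000, SHA-256 0x4000, SHA-384 0x2000) are my reading of those specifications. The sample input is copied byte for byte from the 105 byte and 72 byte CDATA batches and the 172 byte SDATA batch dumped on this page.

```python
"""Decoder for the PB-TNC (RFC 5793) / PA-TNC (RFC 5792) batches dumped on this page.
Added example, not strongSwan code; the sample batches are copied from the log dumps."""
import struct
from collections import namedtuple

BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PEN_IETF, PEN_TCG = 0x000000, 0x005597  # SMI Private Enterprise Numbers
PB_PA, PB_LANGUAGE_PREFERENCE = 1, 6    # PB-TNC message types handled here
MEAS_ALGS = {0x8000: "SHA-1", 0x4000: "SHA-256", 0x2000: "SHA-384"}   # measurement algorithm bits
PROTO_CAPS = {0x01: "X", 0x02: "T", 0x04: "D", 0x08: "V", 0x10: "C"}  # capability flags, low bit first

Attribute = namedtuple("Attribute", "vendor type noskip value")

def parse_pa_tnc(msg):
    """Return (message identifier, [Attribute]) of a PA-TNC message."""
    if len(msg) < 8 or msg[0] != 1:  # version byte must be 1, then 3 reserved bytes
        raise ValueError("bad PA-TNC message header")
    msg_id = struct.unpack(">I", msg[4:8])[0]
    attrs, off = [], 8
    while off < len(msg):  # attribute: flags(1) | vendor ID(3) | type(4) | length(4) | value
        if off + 12 > len(msg):
            raise ValueError("truncated PA-TNC attribute header")
        vendor = int.from_bytes(msg[off + 1:off + 4], "big")
        atype, alen = struct.unpack(">II", msg[off + 4:off + 12])
        if alen < 12 or off + alen > len(msg):  # the length field includes the 12 byte header
            raise ValueError("PA-TNC attribute length out of bounds")
        attrs.append(Attribute(vendor, atype, bool(msg[off] & 0x80), msg[off + 12:off + alen]))
        off += alen
    return msg_id, attrs

def parse_batch(data):
    """Parse one PB-TNC batch into a dict; raise ValueError on malformed or unknown mandatory input."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC batch header")
    version, flags, _, btype, length = struct.unpack(">BBBBI", data[:8])
    if version != 2 or length != len(data) or btype not in BATCH_TYPES:
        raise ValueError("bad PB-TNC header or truncated batch")
    batch = {"from_server": bool(flags & 0x80), "type": BATCH_TYPES[btype],  # D flag: server to client
             "language": None, "pa_vendor": None, "pa_subtype": None, "pa_msg_id": None, "attributes": []}
    off = 8
    while off < len(data):  # message: flags(1) | vendor ID(3) | type(4) | length(4) | value
        if off + 12 > len(data):
            raise ValueError("truncated PB-TNC message header")
        mvendor = int.from_bytes(data[off + 1:off + 4], "big")
        mtype, mlen = struct.unpack(">II", data[off + 4:off + 12])
        if mlen < 12 or off + mlen > len(data):
            raise ValueError("PB-TNC message length out of bounds")
        body = data[off + 12:off + mlen]
        if mvendor == PEN_IETF and mtype == PB_PA:
            # PB-PA body: flags(1) | PA vendor(3) | PA subtype(4) | collector ID(2) | validator ID(2) | PA-TNC
            batch["pa_vendor"] = int.from_bytes(body[1:4], "big")
            batch["pa_subtype"] = struct.unpack(">I", body[4:8])[0]
            batch["pa_msg_id"], batch["attributes"] = parse_pa_tnc(body[12:])
        elif mvendor == PEN_IETF and mtype == PB_LANGUAGE_PREFERENCE:
            batch["language"] = body.decode("ascii")
        elif data[off] & 0x80:  # NOSKIP set on a message type this decoder does not implement
            raise ValueError("unsupported mandatory PB-TNC message %06x/%d" % (mvendor, mtype))
        off += mlen
    return batch

def parse_dh_nonce_finish(value):
    """reserved(1) | nonce length(1) | selected hash(2) | initiator public value | initiator nonce"""
    nonce_len, hash_alg = struct.unpack(">xBH", value[:4])
    pub_len = len(value) - 4 - nonce_len
    if pub_len <= 0:
        raise ValueError("nonce length exceeds attribute value")
    return {"hash": MEAS_ALGS.get(hash_alg, hex(hash_alg)),
            "public_value": value[4:4 + pub_len], "nonce": value[4 + pub_len:]}

def parse_proto_caps(value):
    """Flag word of a (Request) PTS Protocol Capabilities attribute as a list of flag letters."""
    return [name for bit, name in PROTO_CAPS.items() if struct.unpack(">I", value)[0] & bit]

def parse_tpm_version_info(value):
    """TPM 1.2 TPM_CAP_VERSION_INFO: tag | version(4) | specLevel | errataRev | vendorID(4) | vendorSpecificSize"""
    tag, maj, mi, rmaj, rmi, spec, errata, vendor, vs_size = struct.unpack(">HBBBBHB4sH", value[:15])
    if tag != 0x0030 or len(value) != 15 + vs_size:
        raise ValueError("not a TPM_CAP_VERSION_INFO structure")
    return {"version": (maj, mi, rmaj, rmi), "spec_level": spec, "errata": errata,
            "vendor": vendor.rstrip(b"\0").decode("ascii")}

# Sample input from the log dumps on this page: the first CDATA batch of the connection ...
CDATA_105 = bytes.fromhex("""
02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75
61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01
00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31
31 2E 31 30 20 69 36 38 36""")
# ... the client's reply to the PTS capability discovery ...
CDATA_72 = bytes.fromhex("""
02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF
01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00
00 00 00 10 00 00 80 00""")
# ... the 172 byte SDATA batch with the DH Nonce Finish attribute shown above ...
SDATA_172 = bytes.fromhex("""
02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01 00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01
01 00 00 00 83 45 BD D1 80 00 55 97 05 00 00 00 00 00 00 64 00 14 80 00 B1 E2 2D 2D 11 80 E2 BC
83 5A 56 DC 1B 18 3F 91 3B 63 E0 E9 09 2A 67 0D AE FB D6 94 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00
25 68 E8 EB 9E 46 93 B3 C7 AE 5C 57 26 92 D7 4E F2 14 08 60 96 A4 74 78 46 C4 11 FB 33 64 F3 27
1D 62 3D C4 83 73 AE AE 8B 36 E4 F5 80 00 55 97 08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97
0D 00 00 00 00 00 00 10 00 00 00 00""")
# ... and the TPM Version Information value from the client's 1413 byte CDATA reply.
TPM_VERSION_15 = bytes.fromhex("00 30 01 02 01 02 00 02 00 49 46 58 00 00 00")
```

A batch whose length field disagrees with the data it arrived in, an attribute whose length runs past its message, or a message with the NOSKIP flag set whose type the decoder does not implement is rejected as a whole rather than partially processed; a TNC server would then answer with a CLOSE batch carrying a PB-Error message, as RFC 5793 prescribes, which is left to the caller here. A message without NOSKIP that the decoder does not know (the PB-Language-Preference message has its flags byte cleared for exactly this reason) is silently skipped.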
In response a PB-TNC CDATA batch of 1413 bytes is received. Its PA-TNC message carries a 'TCG/TPM Version Information' attribute (a TPM 1.2 with vendor ID "IFX", i.e. an Infineon TPM) and a 'TCG/Attestation Identity Key' attribute holding the client's DER-encoded AIK certificate. The certificate was issued by O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate, is valid from 2011-11-02 to 2012-11-02, contains a 2048 bit RSA key and has an empty subject; the TPM manufacturer (id:49465800), model (SLB9635TT1.2) and version (id:0102) are carried in the critical subjectAltName extension:
<pre>
Nov 29 07:39:23 moon charon: 16[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 16[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 16[ENC] generating IKE_AUTH response 10 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 11 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 08[TNC] received TNCCS batch (1413 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 08[TNC] => 1413 bytes @ 0x80c3bbe
Nov 29 07:39:23 moon charon: 08[TNC] 0: 02 00 00 01 00 00 05 85 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 08[TNC] 16: 00 00 05 7D 00 00 55 97 00 00 00 01 00 01 FF FF ...}..U.........
Nov 29 07:39:23 moon charon: 08[TNC] 32: 01 00 00 00 1E 82 D8 06 00 00 55 97 09 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 08[TNC] 48: 00 00 00 1B 00 30 01 02 01 02 00 02 00 49 46 58 .....0.......IFX
Nov 29 07:39:23 moon charon: 08[TNC] 64: 00 00 00 00 00 55 97 0E 00 00 00 00 00 05 42 00 .....U........B.
Nov 29 07:39:23 moon charon: 08[TNC] 80: 30 82 05 31 30 82 04 19 A0 03 02 01 02 02 10 15 0..10...........
Nov 29 07:39:23 moon charon: 08[TNC] 96: C8 E6 07 AD F7 B6 3C 0A F2 87 51 0C 34 F7 BA 30 ......<...Q.4..0
Nov 29 07:39:23 moon charon: 08[TNC] 112: 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 4D ...*.H........0M
Nov 29 07:39:23 moon charon: 08[TNC] 128: 31 16 30 14 06 03 55 04 0A 13 0D 70 72 69 76 61 1.0...U....priva
Nov 29 07:39:23 moon charon: 08[TNC] 144: 63 79 63 61 2E 63 6F 6D 31 33 30 31 06 03 55 04 cyca.com1301..U.
Nov 29 07:39:23 moon charon: 08[TNC] 160: 03 13 2A 50 72 69 76 61 63 79 20 43 41 20 45 4B ..*Privacy CA EK
Nov 29 07:39:23 moon charon: 08[TNC] 176: 2D 43 65 72 74 2D 43 68 65 63 6B 65 64 20 41 49 -Cert-Checked AI
Nov 29 07:39:23 moon charon: 08[TNC] 192: 4B 20 43 65 72 74 69 66 69 63 61 74 65 30 1E 17 K Certificate0..
Nov 29 07:39:23 moon charon: 08[TNC] 208: 0D 31 31 31 31 30 32 30 37 35 30 35 31 5A 17 0D .111102075051Z..
Nov 29 07:39:23 moon charon: 08[TNC] 224: 31 32 31 31 30 32 30 37 35 30 35 31 5A 30 00 30 121102075051Z0.0
Nov 29 07:39:23 moon charon: 08[TNC] 240: 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 .."0...*.H......
Nov 29 07:39:23 moon charon: 08[TNC] 256: 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 .......0........
Nov 29 07:39:23 moon charon: 08[TNC] 272: E9 1C 5F 57 5B 73 5F 35 15 BD AF 29 89 13 F1 F9 .._W[s_5...)....
Nov 29 07:39:23 moon charon: 08[TNC] 288: 8D 83 62 6C 73 C0 5F 8B 90 5A B8 1A 72 B9 D2 51 ..bls._..Z..r..Q
Nov 29 07:39:23 moon charon: 08[TNC] 304: F8 DC 24 CF 0D 9E E2 0B F8 8D 11 CD B2 E5 6B CB ..$...........k.
Nov 29 07:39:23 moon charon: 08[TNC] 320: C2 AB FA BD F4 74 D2 25 B3 AE CE 47 66 58 A6 65 .....t.%...GfX.e
Nov 29 07:39:23 moon charon: 08[TNC] 336: A4 CA 36 24 1E 6E 22 A4 9F 88 C5 63 78 AD 53 33 ..6$.n"....cx.S3
Nov 29 07:39:23 moon charon: 08[TNC] 352: 90 22 91 6F 83 8F 2A A8 98 0C 15 3E 89 19 48 63 .".o..*....>..Hc
Nov 29 07:39:23 moon charon: 08[TNC] 368: BE 4C 35 02 F4 03 7E 10 8E 4D DB 5A D1 63 9A 3C .L5...~..M.Z.c.<
Nov 29 07:39:23 moon charon: 08[TNC] 384: D9 63 F5 7B C6 73 0F 23 05 B6 00 30 3B 34 6C 3C .c.{.s.#...0;4l<
Nov 29 07:39:23 moon charon: 08[TNC] 400: 10 A9 A5 4A 79 2E 62 88 E3 CC 7F 7B A7 5A E3 6F ...Jy.b....{.Z.o
Nov 29 07:39:23 moon charon: 08[TNC] 416: 13 7A BD BF 86 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 .z....<..:..}GU.
Nov 29 07:39:23 moon charon: 08[TNC] 432: 76 A9 D3 61 16 22 8A 32 C5 E7 CD 17 DB 5F A1 67 v..a.".2....._.g
Nov 29 07:39:23 moon charon: 08[TNC] 448: CC 1D F5 D9 25 51 01 33 1E 05 45 85 53 2E 2C 2B ....%Q.3..E.S.,+
Nov 29 07:39:23 moon charon: 08[TNC] 464: 1D 59 E5 FE C2 61 26 36 12 05 F2 5C 95 F8 70 E6 .Y...a&6...\..p.
Nov 29 07:39:23 moon charon: 08[TNC] 480: 6A DB BF 30 1E 46 05 E6 0E 94 3C 0C C6 1C 96 B4 j..0.F....<.....
Nov 29 07:39:23 moon charon: 08[TNC] 496: 59 AC 5C 63 15 8C 77 E8 45 91 6B 8B B1 0D DB 26 Y.\c..w.E.k....&
Nov 29 07:39:23 moon charon: 08[TNC] 512: 3C E5 34 1C E8 B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B <.4....n..n}$.n+
Nov 29 07:39:23 moon charon: 08[TNC] 528: 02 03 01 00 01 A3 82 02 58 30 82 02 54 30 81 93 ........X0..T0..
Nov 29 07:39:23 moon charon: 08[TNC] 544: 06 03 55 1D 09 04 81 8B 30 81 88 30 3A 06 03 55 ..U.....0..0:..U
Nov 29 07:39:23 moon charon: 08[TNC] 560: 04 34 31 33 30 0B 30 09 06 05 2B 0E 03 02 1A 05 .4130.0...+.....
Nov 29 07:39:23 moon charon: 08[TNC] 576: 00 30 24 30 22 06 09 2A 86 48 86 F7 0D 01 01 07 .0$0"..*.H......
Nov 29 07:39:23 moon charon: 08[TNC] 592: 30 15 A2 13 30 11 06 09 2A 86 48 86 F7 0D 01 01 0...0...*.H.....
Nov 29 07:39:23 moon charon: 08[TNC] 608: 09 04 04 54 43 50 41 30 16 06 05 67 81 05 02 10 ...TCPA0...g....
Nov 29 07:39:23 moon charon: 08[TNC] 624: 31 0D 30 0B 0C 03 31 2E 32 02 01 02 02 01 00 30 1.0...1.2......0
Nov 29 07:39:23 moon charon: 08[TNC] 640: 32 06 05 67 81 05 02 12 31 29 30 27 01 01 FF A0 2..g....1)0'....
Nov 29 07:39:23 moon charon: 08[TNC] 656: 03 0A 01 01 A1 03 0A 01 00 A2 03 0A 01 00 A3 10 ................
Nov 29 07:39:23 moon charon: 08[TNC] 672: 30 0E 16 03 33 2E 30 0A 01 04 0A 01 00 01 01 FF 0...3.0.........
Nov 29 07:39:23 moon charon: 08[TNC] 688: 01 01 FF 30 62 06 03 55 1D 11 01 01 FF 04 58 30 ...0b..U......X0
Nov 29 07:39:23 moon charon: 08[TNC] 704: 56 A4 47 30 45 31 16 30 14 06 05 67 81 05 02 01 V.G0E1.0...g....
Nov 29 07:39:23 moon charon: 08[TNC] 720: 0C 0B 69 64 3A 34 39 34 36 35 38 30 30 31 17 30 ..id:494658001.0
Nov 29 07:39:23 moon charon: 08[TNC] 736: 15 06 05 67 81 05 02 02 0C 0C 53 4C 42 39 36 33 ...g......SLB963
Nov 29 07:39:23 moon charon: 08[TNC] 752: 35 54 54 31 2E 32 31 12 30 10 06 05 67 81 05 02 5TT1.21.0...g...
Nov 29 07:39:23 moon charon: 08[TNC] 768: 03 0C 07 69 64 3A 30 31 30 32 A0 0B 06 05 67 81 ...id:0102....g.
Nov 29 07:39:23 moon charon: 08[TNC] 784: 05 02 0F A0 02 0C 00 30 0C 06 03 55 1D 13 01 01 .......0...U....
Nov 29 07:39:23 moon charon: 08[TNC] 800: FF 04 02 30 00 30 82 01 27 06 03 55 1D 20 01 01 ...0.0..'..U. ..
Nov 29 07:39:23 moon charon: 08[TNC] 816: FF 04 82 01 1B 30 82 01 17 30 67 06 0A 2B 06 01 .....0...0g..+..
Nov 29 07:39:23 moon charon: 08[TNC] 832: 04 01 81 E3 42 01 11 30 59 30 29 06 08 2B 06 01 ....B..0Y0)..+..
Nov 29 07:39:23 moon charon: 08[TNC] 848: 05 05 07 02 01 16 1D 68 74 74 70 3A 2F 2F 77 77 .......http://ww
Nov 29 07:39:23 moon charon: 08[TNC] 864: 77 2E 70 72 69 76 61 63 79 63 61 2E 63 6F 6D 2F w.privacyca.com/
Nov 29 07:39:23 moon charon: 08[TNC] 880: 63 70 73 2F 30 2C 06 08 2B 06 01 05 05 07 02 02 cps/0,..+.......
Nov 29 07:39:23 moon charon: 08[TNC] 896: 30 20 0C 1E 54 43 50 41 20 54 72 75 73 74 65 64 0 ..TCPA Trusted
Nov 29 07:39:23 moon charon: 08[TNC] 912: 20 50 6C 61 74 66 6F 72 6D 20 49 64 65 6E 74 69 Platform Identi
Nov 29 07:39:23 moon charon: 08[TNC] 928: 74 79 30 81 AB 06 0B 60 86 48 01 86 F8 45 01 07 ty0....`.H...E..
Nov 29 07:39:23 moon charon: 08[TNC] 944: 2F 01 30 81 9B 30 39 06 08 2B 06 01 05 05 07 02 /.0..09..+......
Nov 29 07:39:23 moon charon: 08[TNC] 960: 01 16 2D 68 74 74 70 3A 2F 2F 77 77 77 2E 76 65 ..-http://www.ve
Nov 29 07:39:23 moon charon: 08[TNC] 976: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 6F 73 risign.com/repos
Nov 29 07:39:23 moon charon: 08[TNC] 992: 69 74 6F 72 79 2F 69 6E 64 65 78 2E 68 74 6D 6C itory/index.html
Nov 29 07:39:23 moon charon: 08[TNC] 1008: 30 5E 06 08 2B 06 01 05 05 07 02 02 30 52 1E 50 0^..+.......0R.P
Nov 29 07:39:23 moon charon: 08[TNC] 1024: 00 54 00 43 00 50 00 41 00 20 00 54 00 72 00 75 .T.C.P.A. .T.r.u
Nov 29 07:39:23 moon charon: 08[TNC] 1040: 00 73 00 74 00 65 00 64 00 20 00 50 00 6C 00 61 .s.t.e.d. .P.l.a
Nov 29 07:39:23 moon charon: 08[TNC] 1056: 00 74 00 66 00 6F 00 72 00 6D 00 20 00 4D 00 6F .t.f.o.r.m. .M.o
Nov 29 07:39:23 moon charon: 08[TNC] 1072: 00 64 00 75 00 6C 00 65 00 20 00 45 00 6E 00 64 .d.u.l.e. .E.n.d
Nov 29 07:39:23 moon charon: 08[TNC] 1088: 00 6F 00 72 00 73 00 65 00 6D 00 65 00 6E 00 74 .o.r.s.e.m.e.n.t
Nov 29 07:39:23 moon charon: 08[TNC] 1104: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 66 FF 3C 0...U.#..0...f.<
Nov 29 07:39:23 moon charon: 08[TNC] 1120: C0 41 02 0A 60 27 4C BE 29 81 F0 58 DC B2 A3 3E .A..`'L.)..X...>
Nov 29 07:39:23 moon charon: 08[TNC] 1136: A2 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 .0...*.H........
Nov 29 07:39:23 moon charon: 08[TNC] 1152: 03 82 01 01 00 78 17 95 B0 D1 B5 99 AE 90 DF 4A .....x.........J
Nov 29 07:39:23 moon charon: 08[TNC] 1168: AA 02 38 60 9A 05 7A 53 08 00 E9 4B F8 0F 01 A7 ..8`..zS...K....
Nov 29 07:39:23 moon charon: 08[TNC] 1184: 26 B7 54 B0
</pre>
The log excerpt breaks off at this point; the remaining 225 bytes of the 1413 byte batch are the tail of the AIK certificate's sha1WithRSAEncryption signature.
h2. Installation and Configuration
h3. Configuring the strongSwan Software
The IKEv2 server *moon* is going to use public key based authentication with the location of the private key defined in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
The following IKEv2 charon and Attestation IMV options are defined in the /etc/strongswan.conf file. Among the options there is an SQLite URI pointing to the PTS measurement database and the path to the directory where the Privacy CA certificates are stored:
<pre>
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl sha1 pem pkcs1 pkcs8 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
plugins {
imv-attestation {
database = sqlite:///etc/pts/config.db
cadir = /etc/pts/cacerts
hash_algorithm = sha1
}
}
}
attest {
database = sqlite:///etc/pts/config.db
}
</pre>
h3. Initializing the PTS Measurement Database
The SQLite database is initialized using the *tables.sql* and *data.sql* files from the strongSwan src/libpts/plugins/imv_attestation source directory:
<pre>
cat tables.sql data.sql | sqlite3 /etc/pts/config.db
</pre>
The following query lists the PTS component functional names defined in the database which currently are all from the ITA-HSR namespace.
<pre>
moon# ipsec attest --components
1: 0x00902a/0x00000001-0x21 ITA-HSR/Trusted GRUB Boot Loader [K.] Trusted Platform
2: 0x00902a/0x00000002-0x21 ITA-HSR/Trusted Boot [K.] Trusted Platform
3: 0x00902a/0x00000003-0x21 ITA-HSR/Linux IMA [K.] Trusted Platform
3 components found
</pre>
In order to authorize the PTS functional component measurements, the fingerprint of TNC client *carol*'s AIK certificate AIK_Cert.der must be entered into the database and linked to the functional components whose measurements are to be requested from this client (here Linux IMA, component ID 3, and Trusted Boot, component ID 2):
<pre>
moon# ipsec attest --add --owner "Carol, pin1212a00 (Fujitsu Siemens Celsius W510)" --aik AIK_Cert.der --cid 3
key '78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3' inserted into database
key/component pair (2/3) inserted into database
moon# ipsec attest --add --kid 2 --cid 2
key/component pair (2/2) inserted into database
</pre>
The entered data can be checked with the commands
<pre>
moon# ipsec attest --keys
2: 78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3 'Carol, pin1212a00 (Fujitsu Siemens Celsius W510)'
1: b7:72:a6:73:07:76:b9:f0:28:e5:ad:fc:cd:40:b5:5c:32:0a:13:b6 'Andreas, merthyr (Fujitsu Siemens Lifebook S6420)'
2 keys found
moon# ipsec attest --components --kid 2
2: 0x00902a/0x00000002-0x21 ITA-HSR/Trusted Boot [K.] Trusted Platform
3: 0x00902a/0x00000003-0x21 ITA-HSR/Linux IMA [K.] Trusted Platform
2 components found for key 78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3
</pre>
h2. IKEv2 Negotiation
h3. Startup and Initialization
The command
<pre>
ipsec start
</pre>
starts the TNC-enabled IPsec gateway:
<pre>
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2rc1)
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces:
Nov 29 07:39:15 moon charon: 00[KNL] eth0
Nov 29 07:39:15 moon charon: 00[KNL] 192.168.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec0::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Nov 29 07:39:15 moon charon: 00[KNL] eth1
Nov 29 07:39:15 moon charon: 00[KNL] 10.1.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec1::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>
The file /etc/tnc_config
<pre>
# IMV configuration file for strongSwan client
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
defines which IMVs are loaded by the TNC server. Also the Privacy CA certificates which are required to establish trust in the AIK certificates are loaded:
<pre>
Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default'
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Root Certificate" from '/etc/pts/cacerts/privacy_ca_level_2_cert.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0_cert.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_root_cert.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1_cert.pem'
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>
Next the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>
h3. IKEv2 Exchanges
The IPsec gateway *moon* is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:
<pre>
Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500]
</pre>
followed by the IKE_AUTH exchange. The client signals EAP-only authentication with the N(EAP_ONLY) notify (RFC 5998) and the gateway, configured with leftauth=eap-ttls and rightauth=eap-ttls, answers by starting the mutual EAP-TTLS method:
<pre>
Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org]
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow'
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8)
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h3. IKEv2 EAP-TTLS Tunnel
The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication: TLS 1.2 with the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher suite is negotiated and *moon* sends its server certificate:
<pre>
Nov 29 07:39:22 moon charon: 09[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'signature algorithms' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'elliptic curves' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'ec point formats' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'server name' extension
Nov 29 07:39:22 moon charon: 09[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 moon charon: 09[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 moon charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
</pre>
h3. Tunneled EAP-Identity
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
<pre>
Nov 29 07:39:22 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:22 moon charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:22 moon charon: 04[IKE] received EAP identity 'carol@strongswan.org'
</pre>
h3. Tunneled EAP-MD5 Client Authentication
Next follows an EAP-MD5 client authentication
<pre>
Nov 29 07:39:22 moon charon: 04[IKE] phase2 method EAP_MD5 selected
Nov 29 07:39:22 moon charon: 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:22 moon charon: 04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 03[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:22 moon charon: 03[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful
</pre>
h3. Tunneled EAP-TNC Transport
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:22 moon charon: 03[IKE] phase2 method EAP_TNC selected
Nov 29 07:39:22 moon charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:22 moon charon: 03[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h2. PB-TNC/IF-TNCCS 2.0 Connection
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received
<pre>
Nov 29 07:39:23 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 02[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 02[TNC] assigned TNCCS Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" created a state for Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Nov 29 07:39:23 moon charon: 02[TNC] received TNCCS batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 105 bytes @ 0x80ba6b6
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 moon charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 moon charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 moon charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-TNC CDATA batch
</pre>
containing a 'PB-Language-Preference' and a 'PB-PA' message
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-Language-Preference message (31 bytes)
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-PA message (66 bytes)
</pre>
This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.
!IF-TNCCS-20-State-Diagram.png!
The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] setting language preference to 'en'
Nov 29 07:39:23 moon charon: 02[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:
<pre>
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 moon charon: 02[TNC] => 22 bytes @ 0x80b4d20
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 moon charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
</pre>
h3. PTS Capability Discovery
The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace. The capability flags 0x0000000E request Trusted Platform evidence (T), DH nonce negotiation (D) and verification support (V); the algorithm bit mask 0x00008000 proposes SHA-1, the only PTS measurement algorithm the PTS-IMV offers because hash_algorithm = sha1 is set in strongswan.conf, although SHA-256 and SHA-384 were reported available at startup.
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC message with ID 0x10fbc931
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfd54
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfe3c
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 80 00 ....
</pre>
The PB-PA message is sent in a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 02[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 02[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 72 bytes @ 0x80b65c4
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 moon charon: 02[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 02[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
In response, a PB-TNC CDATA batch is received from the TNC client
<pre>
Nov 29 07:39:23 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 01[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 01[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 72 bytes @ 0x80be80e
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-TNC CDATA batch
</pre>
containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 moon charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains a 'PTS Protocol Capabilities' and a 'PTS Measurement Algorithm' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 01[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC message with ID 0x0ed3f1f3
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be670
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be680
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 80 00 ....
</pre>
The PTS-IMC supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities, all of which the PTS-IMV had proposed in its capabilities request. The PTS-IMC also confirms SHA-1 as the PTS measurement algorithm:
<pre>
Nov 29 07:39:23 moon charon: 01[PTS] supported PTS protocol capabilities: .VDT.
Nov 29 07:39:23 moon charon: 01[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>
h3. DH Nonce Parameters
The PTS-IMV creates a PA-TNC message containing a 'DH Nonce Parameters Request' attribute from the TCG namespace, which offers the set of IKE DH groups {2, 5, 14, 19}:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC message with ID 0xc2d18ef1
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80bdf9c
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 F0 00 ....
</pre>
The corresponding PB-PA message is embedded into a PB-TNC SDATA batch and sent to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 01[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 01[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 56 bytes @ 0x80a30fc
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 C2 D1 8E F1 80 00 55 97 03 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 F0 00 ........
Nov 29 07:39:23 moon charon: 01[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 01[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
In response, a PB-TNC CDATA batch is received from the TNC client
<pre>
Nov 29 07:39:23 moon charon: 13[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 13[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 13[TNC] received TNCCS batch (144 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] => 144 bytes @ 0x80bb0e6
Nov 29 07:39:23 moon charon: 13[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 13[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Nov 29 07:39:23 moon charon: 13[TNC] 32: 01 00 00 00 A6 9F 8B 02 00 00 55 97 04 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 13[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 AA B1 9A 5C ...h...........\
Nov 29 07:39:23 moon charon: 13[TNC] 64: 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA 89 55 D3 74 .G...;.HzU...U.t
Nov 29 07:39:23 moon charon: 13[TNC] 80: DF CE B2 FB 44 16 FD 98 44 1D 79 1F 36 7A A5 67 ....D...D.y.6z.g
Nov 29 07:39:23 moon charon: 13[TNC] 96: 94 30 81 C8 38 A8 1A AD 99 55 0E 91 2F E4 36 62 .0..8....U../.6b
Nov 29 07:39:23 moon charon: 13[TNC] 112: FA C2 08 63 88 69 41 79 35 D4 64 8C 4C D4 CB E9 ...c.iAy5.d.L...
Nov 29 07:39:23 moon charon: 13[TNC] 128: 7B 5E CF 0A E0 E9 74 66 4C BB 06 3B F8 DE 96 2E {^....tfL..;....
Nov 29 07:39:23 moon charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-TNC CDATA batch
</pre>
containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-PA message (136 bytes)
Nov 29 07:39:23 moon charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains a 'DH Nonce Parameters Response' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 13[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC message with ID 0xa69f8b02
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Nov 29 07:39:23 moon charon: 13[TNC] => 92 bytes @ 0x80b4c38
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 14 10 00 E0 00 AA B1 9A 5C 9B 47 D0 0D ...........\.G..
Nov 29 07:39:23 moon charon: 13[TNC] 16: EF 3B F4 48 7A 55 EF DA 89 55 D3 74 DF CE B2 FB .;.HzU...U.t....
Nov 29 07:39:23 moon charon: 13[TNC] 32: 44 16 FD 98 44 1D 79 1F 36 7A A5 67 94 30 81 C8 D...D.y.6z.g.0..
Nov 29 07:39:23 moon charon: 13[TNC] 48: 38 A8 1A AD 99 55 0E 91 2F E4 36 62 FA C2 08 63 8....U../.6b...c
Nov 29 07:39:23 moon charon: 13[TNC] 64: 88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A .iAy5.d.L...{^..
Nov 29 07:39:23 moon charon: 13[TNC] 80: E0 E9 74 66 4C BB 06 3B F8 DE 96 2E ..tfL..;....
</pre>
The PTS-IMC has selected ECP_256 (IKE DH group 14) as the PTS DH group and returns a 20 byte DH responder nonce and the 32 byte ECP_256 DH responder public value, from which, together with the PTS-IMV's private DH value, the shared DH secret can be derived:
<pre>
Nov 29 07:39:23 moon charon: 13[PTS] selected DH hash algorithm is HASH_SHA1
Nov 29 07:39:23 moon charon: 13[PTS] selected PTS DH group is ECP_256
Nov 29 07:39:23 moon charon: 13[PTS] nonce length is 20
Nov 29 07:39:23 moon charon: 13[PTS] initiator nonce: => 20 bytes @ 0x80be424
Nov 29 07:39:23 moon charon: 13[PTS] 0: 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 83 73 AE AE F...3d.'.b=..s..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 8B 36 E4 F5 .6..
Nov 29 07:39:23 moon charon: 13[PTS] responder nonce: => 20 bytes @ 0x80bbd24
Nov 29 07:39:23 moon charon: 13[PTS] 0: AA B1 9A 5C 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA ...\.G...;.HzU..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 89 55 D3 74 .U.t
Nov 29 07:39:23 moon charon: 13[PTS] shared DH secret: => 32 bytes @ 0x80c1f84
Nov 29 07:39:23 moon charon: 13[PTS] 0: 61 E8 7D D7 8C C8 DF 4E 5C 5A B7 48 75 38 0C B8 a.}....N\Z.Hu8..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 2D 23 08 8E E2 D5 B9 25 04 F8 03 BA 35 9F 3A 52 -#.....%....5.:R
Nov 29 07:39:23 moon charon: 13[PTS] secret assessment value: => 20 bytes @ 0x80b2afc
Nov 29 07:39:23 moon charon: 13[PTS] 0: E1 1B 01 B4 FF 2B 56 83 24 AD AD AD 8B 7B 36 B7 .....+V.$....{6.
Nov 29 07:39:23 moon charon: 13[PTS] 16: FF CA D9 59 ...Y
</pre>
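The framing walked through in the two sections above (PB-TNC batch, PB-PA message, PA-TNC message and its TLV attributes) can be checked mechanically. The following Python decoder is an added example, not strongSwan code and not part of the original page: it parses the 72 byte SDATA batch from the capability discovery step and the 144 byte CDATA batch carrying the DH Nonce Parameters Response, both copied from the dumps above, as well as the 22 byte 'IETF/Product Information' value shown at the top of this section. Field layouts follow RFC 5793 (PB-TNC), RFC 5792 (PA-TNC) and the TCG PTS binding; the bit positions assigned to the capability flags, measurement algorithms and DH groups are assumptions that are consistent with the logged decodes (0x0E as '.VDT.', 0x8000 as SHA1, 0xF000 as IKE groups 2, 5, 14 and 19). Every length field is validated against the enclosing buffer before it is used, which is the check a validator has to make on untrusted posture data.

```python
"""Decoder for the PB-TNC batch, PB-PA message and PA-TNC attribute framing in the
charon hex dumps above (RFC 5793, RFC 5792, TCG PTS IF-M binding).  Added example,
not strongSwan code; the TCG bit layouts are assumptions checked against the logged
decodes: 0x0E -> .VDT., 0x8000 -> SHA1, 0xF000 -> IKE groups {2, 5, 14, 19}."""
import struct

TCG_VENDOR_ID = 0x005597
PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PTS_ATTR_NAMES = {0x01000000: "Request PTS Protocol Capabilities", 0x02000000: "PTS Protocol Capabilities",
                  0x03000000: "DH Nonce Parameters Request", 0x04000000: "DH Nonce Parameters Response",
                  0x06000000: "PTS Measurement Algorithm Request", 0x07000000: "PTS Measurement Algorithm"}
# Assumed flag bits; the capability string uses the log's C V D T X order
PROTO_CAPS = [("C", 1 << 4), ("V", 1 << 3), ("D", 1 << 2), ("T", 1 << 1), ("X", 1 << 0)]
MEAS_ALGOS = {1 << 15: "SHA1", 1 << 14: "SHA256", 1 << 13: "SHA384"}
DH_GROUPS = {1 << 15: 2, 1 << 14: 5, 1 << 13: 14, 1 << 12: 19, 1 << 11: 20}

def set_members(mask, table):
    """Expand a bit mask into the sorted list of table entries it selects."""
    return sorted(v for bit, v in table.items() if mask & bit)

def decode_ietf_value(attr_type, value):
    """IETF 'Product Information' (type 2): vendor_id(3) product_id(2) product name."""
    if attr_type == 2 and len(value) >= 5:
        vid_hi, vid_lo, product = struct.unpack("!BHH", value[:5])
        return {"product_vendor": (vid_hi << 16) | vid_lo, "product_id": product,
                "product_name": value[5:].decode("utf-8", "replace")}
    return {"raw": value.hex()}

def decode_pts_value(attr_type, value):
    """Decode the value part of a TCG/PTS attribute into readable fields."""
    if attr_type in (0x01000000, 0x02000000):        # 5 capability flags, e.g. '.VDT.'
        flags = struct.unpack("!I", value)[0]
        return {"caps": "".join(n if flags & b else "." for n, b in PROTO_CAPS)}
    if attr_type in (0x06000000, 0x07000000):
        return {"algos": set_members(struct.unpack("!I", value)[0], MEAS_ALGOS)}
    if attr_type == 0x03000000:
        return {"dh_groups": set_members(struct.unpack("!I", value)[0], DH_GROUPS)}
    if attr_type == 0x04000000:
        # reserved(3) nonce_len(1) dh_group(2) hash_set(2) | nonce | responder public value
        nonce_len, group, hashes = struct.unpack("!3xBHH", value[:8])
        if 8 + nonce_len > len(value):
            raise ValueError("nonce length exceeds attribute value")
        return {"dh_group": DH_GROUPS.get(group), "hash_set": set_members(hashes, MEAS_ALGOS),
                "nonce": value[8:8 + nonce_len].hex(), "pub_value_len": len(value) - 8 - nonce_len}
    return {"raw": value.hex()}

def parse_pa_tnc(data):
    """PA-TNC message: version(1) reserved(3) msg_id(4), followed by TLV attributes."""
    version, msg_id = struct.unpack("!B3xI", data[:8])
    if version != 1:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, off = [], 8
    while off < len(data):
        # attribute header flags(1) vendor_id(3) type(4) length(4); the length includes the header
        flags, vid_hi, vid_lo, atype, alen = struct.unpack("!BBHII", data[off:off + 12])
        if alen < 12 or off + alen > len(data):
            raise ValueError("bad PA-TNC attribute length %d" % alen)
        attr = {"vendor": (vid_hi << 16) | vid_lo, "type": atype, "noskip": bool(flags & 0x80)}
        value = data[off + 12:off + alen]
        if attr["vendor"] == TCG_VENDOR_ID:
            attr["name"] = PTS_ATTR_NAMES.get(atype, "unknown")
            attr.update(decode_pts_value(atype, value))
        elif attr["vendor"] == 0:
            attr.update(decode_ietf_value(atype, value))
        attrs.append(attr)
        off += alen
    return {"msg_id": msg_id, "attributes": attrs}

def parse_pb_tnc_batch(data):
    """PB-TNC batch: version(1) D-flag|reserved(1) reserved(1) type(1) length(4), then messages."""
    version, dflag, btype, blen = struct.unpack("!BBxBI", data[:8])
    if version != 2 or blen != len(data):
        raise ValueError("bad PB-TNC batch header")
    messages, off = [], 8
    while off < len(data):
        # message header flags(1) vendor_id(3) type(4) length(4); the length includes the header
        flags, vid_hi, vid_lo, mtype, mlen = struct.unpack("!BBHII", data[off:off + 12])
        if mlen < 12 or off + mlen > len(data):
            raise ValueError("bad PB-TNC message length %d" % mlen)
        body, msg = data[off + 12:off + mlen], {"vendor": (vid_hi << 16) | vid_lo, "type": mtype}
        if msg["vendor"] == 0 and mtype == 1:
            # IETF PB-PA: flags(1) pa_vendor(3) pa_subtype(4) collector_id(2) validator_id(2) | PA-TNC
            _, pv_hi, pv_lo, subtype, collector, validator = struct.unpack("!BBHIHH", body[:12])
            msg.update({"pa_vendor": (pv_hi << 16) | pv_lo, "pa_subtype": subtype,
                        "collector_id": collector, "validator_id": validator,
                        "pa_tnc": parse_pa_tnc(body[12:])})
        messages.append(msg)
        off += mlen
    return {"from_server": bool(dflag & 0x80), "batch_type": PB_BATCH_TYPES.get(btype & 0x0F),
            "messages": messages}

# Constructed inputs copied from the dumps above: Product Information value, 72 byte SDATA, 144 byte CDATA
PRODUCT_INFO_VALUE = bytes.fromhex("0000000000 5562756E747520 31312E313020 69363836")
SDATA_BATCH = bytes.fromhex(
    "02800002 00000048 80000000 00000001 00000040 00005597 00000001 FFFF0001 01000000"
    "10FBC931 80005597 01000000 00000010 0000000E 80005597 06000000 00000010 00008000")
CDATA_BATCH = bytes.fromhex(
    "02000001 00000090 80000000 00000001 00000088 00005597 00000001 0001FFFF 01000000"
    "A69F8B02 00005597 04000000 00000068 00000014 1000E000 AAB19A5C 9B47D00D EF3BF448"
    "7A55EFDA 8955D374 DFCEB2FB 4416FD98 441D791F 367AA567 943081C8 38A81AAD 99550E91"
    "2FE43662 FAC20863 88694179 35D4648C 4CD4CBE9 7B5ECF0A E0E97466 4CBB063B F8DE962E")
```

Calling parse_pb_tnc_batch(SDATA_BATCH) recovers the PB-PA addressing (collector 0xFFFF, validator 1, i.e. IMV 1 "Attestation"), the message ID 0x10fbc931 and the two request attributes with '.VDT.' and SHA1; parse_pb_tnc_batch(CDATA_BATCH) yields the DH group bit 0x1000 (IKE group 19 in the assumed table), the hash set SHA1/SHA256/SHA384 offered by the client, the 20 byte responder nonce printed in the log and the remaining 64 bytes of the attribute as the responder's public value. A batch whose length field disagrees with the buffer raises ValueError instead of being processed further.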
h3. DH Nonce Finish and TPM Version/AIK Info
The PTS-IMV sends its 32 byte ECP_256 DH initiator public value and its 20 byte initiator nonce in the 'DH Nonce Finish' attribute. Additionally, a 'Get TPM Version Information' and a 'Get Attestation Identity Key' attribute are included in the PA-TNC message:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC message with ID 0x8345bdd1
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Nov 29 07:39:23 moon charon: 13[TNC] => 88 bytes @ 0x80c26cc
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 14 80 00 B1 E2 2D 2D 11 80 E2 BC 83 5A 56 DC ......--.....ZV.
Nov 29 07:39:23 moon charon: 13[TNC] 16: 1B 18 3F 91 3B 63 E0 E9 09 2A 67 0D AE FB D6 94 ..?.;c...*g.....
Nov 29 07:39:23 moon charon: 13[TNC] 32: 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00 25 68 E8 EB 29Z,.,X,_>..%h..
Nov 29 07:39:23 moon charon: 13[TNC] 48: 9E 46 93 B3 C7 AE 5C 57 26 92 D7 4E F2 14 08 60 .F....\W&..N...`
Nov 29 07:39:23 moon charon: 13[TNC] 64: 96 A4 74 78 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 ..txF...3d.'.b=.
Nov 29 07:39:23 moon charon: 13[TNC] 80: 83 73 AE AE 8B 36 E4 F5 .s...6..
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Nov 29 07:39:23 moon charon: 13[TNC] => 4 bytes @ 0x80b6fd4
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 00 ....
Nov 29 07:39:23 moon charon: 13[TNC] creating PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
Nov 29 07:39:23 moon charon: 13[TNC] => 4 bytes @ 0x80c2e34
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 00 ....
</pre>
The PA-TNC message transferred via the IF-IMV SendMessage function call is inserted as a PB-PA message in an outbound PB-TNC SDATA batch:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 13[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 13[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 13[TNC] sending PB-TNC SDATA batch (172 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] => 172 bytes @ 0x80bf50c
Nov 29 07:39:23 moon charon: 13[TNC] 0: 02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 13[TNC] 16: 00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01 ......U.........
Nov 29 07:39:23 moon charon: 13[TNC] 32: 01 00 00 00 83 45 BD D1 80 00 55 97 05 00 00 00 .....E....U.....
Nov 29 07:39:23 moon charon: 13[TNC] 48: 00 00 00 64 00 14 80 00 B1 E2 2D 2D 11 80 E2 BC ...d......--....
Nov 29 07:39:23 moon charon: 13[TNC] 64: 83 5A 56 DC 1B 18 3F 91 3B 63 E0 E9 09 2A 67 0D .ZV...?.;c...*g.
Nov 29 07:39:23 moon charon: 13[TNC] 80: AE FB D6 94 32 39 5A 2C D2 2C 58 2C 5F 3E B4 00 ....29Z,.,X,_>..
Nov 29 07:39:23 moon charon: 13[TNC] 96: 25 68 E8 EB 9E 46 93 B3 C7 AE 5C 57 26 92 D7 4E %h...F....\W&..N
Nov 29 07:39:23 moon charon: 13[TNC] 112: F2 14 08 60 96 A4 74 78 46 C4 11 FB 33 64 F3 27 ...`..txF...3d.'
Nov 29 07:39:23 moon charon: 13[TNC] 128: 1D 62 3D C4 83 73 AE AE 8B 36 E4 F5 80 00 55 97 .b=..s...6....U.
Nov 29 07:39:23 moon charon: 13[TNC] 144: 08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97 ..............U.
Nov 29 07:39:23 moon charon: 13[TNC] 160: 0D 00 00 00 00 00 00 10 00 00 00 00 ............
Nov 29 07:39:23 moon charon: 13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 13[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
In response, a PB-TNC CDATA batch is received. Because the 1413 byte batch exceeds the EAP-TTLS fragment size, it arrives in two fragments: IKE_AUTH request 10 carries the first one, which the server acknowledges with an empty EAP-TTLS request, and request 11 completes the batch:
<pre>
Nov 29 07:39:23 moon charon: 16[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 16[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 16[ENC] generating IKE_AUTH response 10 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 11 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 08[TNC] received TNCCS batch (1413 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 08[TNC] => 1413 bytes @ 0x80c3bbe
Nov 29 07:39:23 moon charon: 08[TNC] 0: 02 00 00 01 00 00 05 85 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 08[TNC] 16: 00 00 05 7D 00 00 55 97 00 00 00 01 00 01 FF FF ...}..U.........
Nov 29 07:39:23 moon charon: 08[TNC] 32: 01 00 00 00 1E 82 D8 06 00 00 55 97 09 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 08[TNC] 48: 00 00 00 1B 00 30 01 02 01 02 00 02 00 49 46 58 .....0.......IFX
Nov 29 07:39:23 moon charon: 08[TNC] 64: 00 00 00 00 00 55 97 0E 00 00 00 00 00 05 42 00 .....U........B.
Nov 29 07:39:23 moon charon: 08[TNC] 80: 30 82 05 31 30 82 04 19 A0 03 02 01 02 02 10 15 0..10...........
Nov 29 07:39:23 moon charon: 08[TNC] 96: C8 E6 07 AD F7 B6 3C 0A F2 87 51 0C 34 F7 BA 30 ......<...Q.4..0
Nov 29 07:39:23 moon charon: 08[TNC] 112: 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 4D ...*.H........0M
Nov 29 07:39:23 moon charon: 08[TNC] 128: 31 16 30 14 06 03 55 04 0A 13 0D 70 72 69 76 61 1.0...U....priva
Nov 29 07:39:23 moon charon: 08[TNC] 144: 63 79 63 61 2E 63 6F 6D 31 33 30 31 06 03 55 04 cyca.com1301..U.
Nov 29 07:39:23 moon charon: 08[TNC] 160: 03 13 2A 50 72 69 76 61 63 79 20 43 41 20 45 4B ..*Privacy CA EK
Nov 29 07:39:23 moon charon: 08[TNC] 176: 2D 43 65 72 74 2D 43 68 65 63 6B 65 64 20 41 49 -Cert-Checked AI
Nov 29 07:39:23 moon charon: 08[TNC] 192: 4B 20 43 65 72 74 69 66 69 63 61 74 65 30 1E 17 K Certificate0..
Nov 29 07:39:23 moon charon: 08[TNC] 208: 0D 31 31 31 31 30 32 30 37 35 30 35 31 5A 17 0D .111102075051Z..
Nov 29 07:39:23 moon charon: 08[TNC] 224: 31 32 31 31 30 32 30 37 35 30 35 31 5A 30 00 30 121102075051Z0.0
Nov 29 07:39:23 moon charon: 08[TNC] 240: 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 .."0...*.H......
Nov 29 07:39:23 moon charon: 08[TNC] 256: 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 .......0........
Nov 29 07:39:23 moon charon: 08[TNC] 272: E9 1C 5F 57 5B 73 5F 35 15 BD AF 29 89 13 F1 F9 .._W[s_5...)....
Nov 29 07:39:23 moon charon: 08[TNC] 288: 8D 83 62 6C 73 C0 5F 8B 90 5A B8 1A 72 B9 D2 51 ..bls._..Z..r..Q
Nov 29 07:39:23 moon charon: 08[TNC] 304: F8 DC 24 CF 0D 9E E2 0B F8 8D 11 CD B2 E5 6B CB ..$...........k.
Nov 29 07:39:23 moon charon: 08[TNC] 320: C2 AB FA BD F4 74 D2 25 B3 AE CE 47 66 58 A6 65 .....t.%...GfX.e
Nov 29 07:39:23 moon charon: 08[TNC] 336: A4 CA 36 24 1E 6E 22 A4 9F 88 C5 63 78 AD 53 33 ..6$.n"....cx.S3
Nov 29 07:39:23 moon charon: 08[TNC] 352: 90 22 91 6F 83 8F 2A A8 98 0C 15 3E 89 19 48 63 .".o..*....>..Hc
Nov 29 07:39:23 moon charon: 08[TNC] 368: BE 4C 35 02 F4 03 7E 10 8E 4D DB 5A D1 63 9A 3C .L5...~..M.Z.c.<
Nov 29 07:39:23 moon charon: 08[TNC] 384: D9 63 F5 7B C6 73 0F 23 05 B6 00 30 3B 34 6C 3C .c.{.s.#...0;4l<
Nov 29 07:39:23 moon charon: 08[TNC] 400: 10 A9 A5 4A 79 2E 62 88 E3 CC 7F 7B A7 5A E3 6F ...Jy.b....{.Z.o
Nov 29 07:39:23 moon charon: 08[TNC] 416: 13 7A BD BF 86 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 .z....<..:..}GU.
Nov 29 07:39:23 moon charon: 08[TNC] 432: 76 A9 D3 61 16 22 8A 32 C5 E7 CD 17 DB 5F A1 67 v..a.".2....._.g
Nov 29 07:39:23 moon charon: 08[TNC] 448: CC 1D F5 D9 25 51 01 33 1E 05 45 85 53 2E 2C 2B ....%Q.3..E.S.,+
Nov 29 07:39:23 moon charon: 08[TNC] 464: 1D 59 E5 FE C2 61 26 36 12 05 F2 5C 95 F8 70 E6 .Y...a&6...\..p.
Nov 29 07:39:23 moon charon: 08[TNC] 480: 6A DB BF 30 1E 46 05 E6 0E 94 3C 0C C6 1C 96 B4 j..0.F....<.....
Nov 29 07:39:23 moon charon: 08[TNC] 496: 59 AC 5C 63 15 8C 77 E8 45 91 6B 8B B1 0D DB 26 Y.\c..w.E.k....&
Nov 29 07:39:23 moon charon: 08[TNC] 512: 3C E5 34 1C E8 B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B <.4....n..n}$.n+
Nov 29 07:39:23 moon charon: 08[TNC] 528: 02 03 01 00 01 A3 82 02 58 30 82 02 54 30 81 93 ........X0..T0..
Nov 29 07:39:23 moon charon: 08[TNC] 544: 06 03 55 1D 09 04 81 8B 30 81 88 30 3A 06 03 55 ..U.....0..0:..U
Nov 29 07:39:23 moon charon: 08[TNC] 560: 04 34 31 33 30 0B 30 09 06 05 2B 0E 03 02 1A 05 .4130.0...+.....
Nov 29 07:39:23 moon charon: 08[TNC] 576: 00 30 24 30 22 06 09 2A 86 48 86 F7 0D 01 01 07 .0$0"..*.H......
Nov 29 07:39:23 moon charon: 08[TNC] 592: 30 15 A2 13 30 11 06 09 2A 86 48 86 F7 0D 01 01 0...0...*.H.....
Nov 29 07:39:23 moon charon: 08[TNC] 608: 09 04 04 54 43 50 41 30 16 06 05 67 81 05 02 10 ...TCPA0...g....
Nov 29 07:39:23 moon charon: 08[TNC] 624: 31 0D 30 0B 0C 03 31 2E 32 02 01 02 02 01 00 30 1.0...1.2......0
Nov 29 07:39:23 moon charon: 08[TNC] 640: 32 06 05 67 81 05 02 12 31 29 30 27 01 01 FF A0 2..g....1)0'....
Nov 29 07:39:23 moon charon: 08[TNC] 656: 03 0A 01 01 A1 03 0A 01 00 A2 03 0A 01 00 A3 10 ................
Nov 29 07:39:23 moon charon: 08[TNC] 672: 30 0E 16 03 33 2E 30 0A 01 04 0A 01 00 01 01 FF 0...3.0.........
Nov 29 07:39:23 moon charon: 08[TNC] 688: 01 01 FF 30 62 06 03 55 1D 11 01 01 FF 04 58 30 ...0b..U......X0
Nov 29 07:39:23 moon charon: 08[TNC] 704: 56 A4 47 30 45 31 16 30 14 06 05 67 81 05 02 01 V.G0E1.0...g....
Nov 29 07:39:23 moon charon: 08[TNC] 720: 0C 0B 69 64 3A 34 39 34 36 35 38 30 30 31 17 30 ..id:494658001.0
Nov 29 07:39:23 moon charon: 08[TNC] 736: 15 06 05 67 81 05 02 02 0C 0C 53 4C 42 39 36 33 ...g......SLB963
Nov 29 07:39:23 moon charon: 08[TNC] 752: 35 54 54 31 2E 32 31 12 30 10 06 05 67 81 05 02 5TT1.21.0...g...
Nov 29 07:39:23 moon charon: 08[TNC] 768: 03 0C 07 69 64 3A 30 31 30 32 A0 0B 06 05 67 81 ...id:0102....g.
Nov 29 07:39:23 moon charon: 08[TNC] 784: 05 02 0F A0 02 0C 00 30 0C 06 03 55 1D 13 01 01 .......0...U....
Nov 29 07:39:23 moon charon: 08[TNC] 800: FF 04 02 30 00 30 82 01 27 06 03 55 1D 20 01 01 ...0.0..'..U. ..
Nov 29 07:39:23 moon charon: 08[TNC] 816: FF 04 82 01 1B 30 82 01 17 30 67 06 0A 2B 06 01 .....0...0g..+..
Nov 29 07:39:23 moon charon: 08[TNC] 832: 04 01 81 E3 42 01 11 30 59 30 29 06 08 2B 06 01 ....B..0Y0)..+..
Nov 29 07:39:23 moon charon: 08[TNC] 848: 05 05 07 02 01 16 1D 68 74 74 70 3A 2F 2F 77 77 .......http://ww
Nov 29 07:39:23 moon charon: 08[TNC] 864: 77 2E 70 72 69 76 61 63 79 63 61 2E 63 6F 6D 2F w.privacyca.com/
Nov 29 07:39:23 moon charon: 08[TNC] 880: 63 70 73 2F 30 2C 06 08 2B 06 01 05 05 07 02 02 cps/0,..+.......
Nov 29 07:39:23 moon charon: 08[TNC] 896: 30 20 0C 1E 54 43 50 41 20 54 72 75 73 74 65 64 0 ..TCPA Trusted
Nov 29 07:39:23 moon charon: 08[TNC] 912: 20 50 6C 61 74 66 6F 72 6D 20 49 64 65 6E 74 69 Platform Identi
Nov 29 07:39:23 moon charon: 08[TNC] 928: 74 79 30 81 AB 06 0B 60 86 48 01 86 F8 45 01 07 ty0....`.H...E..
Nov 29 07:39:23 moon charon: 08[TNC] 944: 2F 01 30 81 9B 30 39 06 08 2B 06 01 05 05 07 02 /.0..09..+......
Nov 29 07:39:23 moon charon: 08[TNC] 960: 01 16 2D 68 74 74 70 3A 2F 2F 77 77 77 2E 76 65 ..-http://www.ve
Nov 29 07:39:23 moon charon: 08[TNC] 976: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 6F 73 risign.com/repos
Nov 29 07:39:23 moon charon: 08[TNC] 992: 69 74 6F 72 79 2F 69 6E 64 65 78 2E 68 74 6D 6C itory/index.html
Nov 29 07:39:23 moon charon: 08[TNC] 1008: 30 5E 06 08 2B 06 01 05 05 07 02 02 30 52 1E 50 0^..+.......0R.P
Nov 29 07:39:23 moon charon: 08[TNC] 1024: 00 54 00 43 00 50 00 41 00 20 00 54 00 72 00 75 .T.C.P.A. .T.r.u
Nov 29 07:39:23 moon charon: 08[TNC] 1040: 00 73 00 74 00 65 00 64 00 20 00 50 00 6C 00 61 .s.t.e.d. .P.l.a
Nov 29 07:39:23 moon charon: 08[TNC] 1056: 00 74 00 66 00 6F 00 72 00 6D 00 20 00 4D 00 6F .t.f.o.r.m. .M.o
Nov 29 07:39:23 moon charon: 08[TNC] 1072: 00 64 00 75 00 6C 00 65 00 20 00 45 00 6E 00 64 .d.u.l.e. .E.n.d
Nov 29 07:39:23 moon charon: 08[TNC] 1088: 00 6F 00 72 00 73 00 65 00 6D 00 65 00 6E 00 74 .o.r.s.e.m.e.n.t
Nov 29 07:39:23 moon charon: 08[TNC] 1104: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 66 FF 3C 0...U.#..0...f.<
Nov 29 07:39:23 moon charon: 08[TNC] 1120: C0 41 02 0A 60 27 4C BE 29 81 F0 58 DC B2 A3 3E .A..`'L.)..X...>
Nov 29 07:39:23 moon charon: 08[TNC] 1136: A2 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 .0...*.H........
Nov 29 07:39:23 moon charon: 08[TNC] 1152: 03 82 01 01 00 78 17 95 B0 D1 B5 99 AE 90 DF 4A .....x.........J
Nov 29 07:39:23 moon charon: 08[TNC] 1168: AA 02 38 60 9A 05 7A 53 08 00 E9 4B F8 0F 01 A7 ..8`..zS...K....
Nov 29 07:39:23 moon charon: 08[TNC] 1184: 26 B7 54 B0
</pre>