Version 55 (Andreas Steffen, 21.02.2012 15:08) → Version 56/57 (Andreas Steffen, 21.02.2012 15:10)

h1. TNC Server with PTS-IMV

This HOWTO explains in a step-by-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.

{{>toc}}

h2. Installation and Configuration

h3. Installing the strongSwan Software

The following steps describe the installation of the strongSwan software:
<pre>
wget http://download.strongswan.org/strongswan-4.6.2.tar.bz2
tar xjf strongswan-4.6.2.tar.bz2
cd strongswan-4.6.2
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
  --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
  --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>
The strongSwan *imv-attestation.so* dynamic PTS-IMV library depends on the "TrouSerS":http://sourceforge.net/projects/trousers/ libtspi library; in addition, the TrouSerS header files in /usr/include/trousers/ must be present at compile time.

h3. Configuring the strongSwan Software

The /etc/ipsec.conf file defines two IPsec remote access policies, selected via the rightgroups attribute, which allow access either to the production network (rw-allow) or to a remediation network (rw-isolate). Note that the parameters of a conn section must be indented:
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="tnc 3, imv 3, pts 3"

conn rw-allow
    rightgroups=allow
    leftsubnet=10.1.0.0/28
    also=rw-eap
    auto=add

conn rw-isolate
    rightgroups=isolate
    leftsubnet=10.1.0.16/28
    also=rw-eap
    auto=add

conn rw-eap
    left=192.168.0.1
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftauth=eap-ttls
    rightauth=eap-ttls
    rightid=*@strongswan.org
    rightsendcert=never
    right=%any
</pre>

The IKEv2 server *moon* is going to use public key based authentication with the location of the private key defined in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem

carol@strongswan.org : EAP "Ar3etTnp"
</pre>

The following IKEv2 charon and Attestation IMV options are defined in the /etc/strongswan.conf file. Among the options there is an SQLite URI pointing to the PTS measurement database and the path to the directory where the Privacy CA certificates are stored:

<pre>
# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl sha1 pem pkcs1 pkcs8 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
  plugins {
    eap-ttls {
      phase2_method = md5
      phase2_piggyback = yes
      phase2_tnc = yes
    }
    eap-tnc {
      protocol = tnccs-2.0
    }
  }
}

libimcv {
  plugins {
    imv-attestation {
      database = sqlite:///etc/pts/config.db
      cadir = /etc/pts/cacerts
      hash_algorithm = sha1
    }
  }
}

attest {
  database = sqlite:///etc/pts/config.db
}
</pre>

h3. Initializing the PTS Measurement Database

The SQLite database is initialized using the *tables.sql* and *data.sql* files from the strongSwan src/libpts/plugins/imv_attestation source directory:
<pre>
cat tables.sql data.sql | sqlite3 /etc/pts/config.db
</pre>

The following query lists all supported operating systems.
<pre>
moon# ipsec attest --products
3: CentOS release 5.6 (Final) x86_64
6: Gentoo Base System release 1.12.11.1 i686
5: Ubuntu 10.10 i686
4: Ubuntu 10.10 x86_64
1: Ubuntu 11.04 i686
2: Ubuntu 11.04 x86_64
7: Ubuntu 11.10 i686
7 products found
</pre>

TNC client *carol* runs on 'Ubuntu 11.04 i686', i.e. pid=1, so that the following PTS file measurements will be taken:
<pre>
moon# ipsec attest --files --pid 1
22: | T| /etc/tnc_config
1: |M | /lib/i386-linux-gnu/libdl.so.2
5: |M | /lib/libxtables.so.5
7: |M | d /lib/xtables/
17: |M | /sbin/ip6tables
4: |M | /sbin/iptables
6 files found for product 'Ubuntu 11.04 i686'
</pre>

The next query lists the PTS component functional names defined in the database which currently are all from the ITA-HSR namespace.
<pre>
moon# ipsec attest --components
1: 0x00902a/0x00000001-0x21 ITA-HSR/Trusted GRUB Boot Loader [K.] Trusted Platform
2: 0x00902a/0x00000002-0x21 ITA-HSR/Trusted Boot [K.] Trusted Platform
3: 0x00902a/0x00000003-0x21 ITA-HSR/Linux IMA [K.] Trusted Platform
3 components found
</pre>

In order to authorize the PTS functional component measurements, the fingerprint of TNC client *carol*'s AIK certificate AIK_Cert.der must be entered into the database and must be linked to the component measurements to be executed:
<pre>
moon# ipsec attest --add --owner "Carol, pin1212a00 (Fujitsu Siemens Celsius W510)" --aik AIK_Cert.der --cid 3
key '78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3' inserted into database
key/component pair (2/3) inserted into database

moon# ipsec attest --add --kid 2 --cid 2
key/component pair (2/2) inserted into database
</pre>

The entered data can be checked with the following commands:
<pre>
moon# ipsec attest --keys
2: 78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3 'Carol, pin1212a00 (Fujitsu Siemens Celsius W510)'
1: b7:72:a6:73:07:76:b9:f0:28:e5:ad:fc:cd:40:b5:5c:32:0a:13:b6 'Andreas, merthyr (Fujitsu Siemens Lifebook S6420)'
2 keys found

moon ~ # ipsec attest --components --kid 2
2: 0x00902a/0x00000002-0x21 ITA-HSR/Trusted Boot [K.] Trusted Platform
3: 0x00902a/0x00000003-0x21 ITA-HSR/Linux IMA [K.] Trusted Platform
2 components found for key 78:6a:c9:86:11:42:72:af:a1:6b:72:3d:36:5a:81:57:88:7b:47:f3
</pre>

h2. IKEv2 Negotiation

h3. Startup and Initialization

The command
<pre>
ipsec start
</pre>

starts the TNC-enabled IPsec gateway:
<pre>
Feb 10 09:04:59 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2)
Feb 10 09:04:59 moon charon: 00[KNL] listening on interfaces:
Feb 10 09:04:59 moon charon: 00[KNL] eth0
Feb 10 09:04:59 moon charon: 00[KNL] 192.168.0.1
Feb 10 09:04:59 moon charon: 00[KNL] fec0::1
Feb 10 09:04:59 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Feb 10 09:04:59 moon charon: 00[KNL] eth1
Feb 10 09:04:59 moon charon: 00[KNL] 10.1.0.1
Feb 10 09:04:59 moon charon: 00[KNL] fec1::1
Feb 10 09:04:59 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>

The file /etc/tnc_config
<pre>
# IMV configuration file for strongSwan client

IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>

defines which IMVs are loaded by the TNC server. Also the Privacy CA certificates which are required to establish trust in the AIK certificates are loaded:
<pre>
Feb 10 09:04:59 moon charon: 00[TNC] TNC recommendation policy is 'default'
Feb 10 09:04:59 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Feb 10 09:04:59 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Feb 10 09:04:59 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Feb 10 09:04:59 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Feb 10 09:04:59 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Feb 10 09:04:59 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Feb 10 09:04:59 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Feb 10 09:04:59 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Feb 10 09:04:59 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Feb 10 09:04:59 moon charon: 00[TNC] added IETF attributes
Feb 10 09:04:59 moon charon: 00[TNC] added ITA-HSR attributes
Feb 10 09:04:59 moon charon: 00[LIB] libimcv initialized
Feb 10 09:04:59 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Feb 10 09:04:59 moon charon: 00[TNC] added TCG attributes
Feb 10 09:04:59 moon charon: 00[PTS] added TCG functional component namespace
Feb 10 09:04:59 moon charon: 00[PTS] added ITA-HSR functional component namespace
Feb 10 09:04:59 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Feb 10 09:04:59 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Feb 10 09:04:59 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Feb 10 09:04:59 moon charon: 00[LIB] libpts initialized
Feb 10 09:04:59 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Feb 10 09:04:59 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2_cert.pem'
Feb 10 09:04:59 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0_cert.pem'
Feb 10 09:04:59 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root_cert.pem'
Feb 10 09:04:59 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1_cert.pem'
Feb 10 09:04:59 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Feb 10 09:04:59 moon charon: 00[TNC] IMV 1 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:04:59 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>

Next the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded:
<pre>
Feb 10 09:04:59 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 10 09:04:59 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Feb 10 09:04:59 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 10 09:04:59 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 10 09:04:59 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 10 09:04:59 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 10 09:04:59 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 10 09:04:59 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Feb 10 09:04:59 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Feb 10 09:04:59 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 pkcs8 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Feb 10 09:04:59 moon charon: 00[JOB] spawning 16 worker threads
Feb 10 09:04:59 moon charon: 14[CFG] received stroke: add connection 'rw-allow'
Feb 10 09:04:59 moon charon: 14[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Feb 10 09:04:59 moon charon: 14[CFG] added configuration 'rw-allow'
Feb 10 09:04:59 moon charon: 15[CFG] received stroke: add connection 'rw-isolate'
Feb 10 09:04:59 moon charon: 15[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Feb 10 09:04:59 moon charon: 15[CFG] added configuration 'rw-isolate'
</pre>

h3. IKEv2 Exchanges

The IPsec gateway *moon* is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:
<pre>
Feb 10 09:05:24 moon charon: 05[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500]
Feb 10 09:05:24 moon charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 10 09:05:24 moon charon: 05[IKE] 192.168.0.254 is initiating an IKE_SA
Feb 10 09:05:24 moon charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 10 09:05:24 moon charon: 05[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500]
</pre>

followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual IKEv2 EAP-TTLS only authentication:
<pre>
Feb 10 09:05:24 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 10 09:05:24 moon charon: 04[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org]
Feb 10 09:05:24 moon charon: 04[CFG] selected peer config 'rw-allow'
Feb 10 09:05:24 moon charon: 04[IKE] initiating EAP_TTLS method (id 0x16)
Feb 10 09:05:24 moon charon: 04[IKE] peer supports MOBIKE
Feb 10 09:05:24 moon charon: 04[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

h3. IKEv2 EAP-TTLS Tunnel

The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication:
<pre>
Feb 10 09:05:24 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 03[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Feb 10 09:05:24 moon charon: 03[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Feb 10 09:05:24 moon charon: 03[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 02[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 01[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
</pre>

h3. Tunneled EAP-Identity

Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity:
<pre>
Feb 10 09:05:24 moon charon: 01[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Feb 10 09:05:24 moon charon: 01[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 moon charon: 14[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 14[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Feb 10 09:05:24 moon charon: 14[IKE] received EAP identity 'carol@strongswan.org'
</pre>

h3. Tunneled EAP-MD5 Client Authentication

Next follows an EAP-MD5 client authentication:
<pre>
Feb 10 09:05:24 moon charon: 14[IKE] phase2 method EAP_MD5 selected
Feb 10 09:05:24 moon charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Feb 10 09:05:24 moon charon: 14[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 14[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 moon charon: 15[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 15[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
Feb 10 09:05:24 moon charon: 15[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful
</pre>

h3. Tunneled EAP-TNC Transport

Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Feb 10 09:05:24 moon charon: 15[IKE] phase2 method EAP_TNC selected
Feb 10 09:05:24 moon charon: 15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 moon charon: 15[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

h2. PB-TNC/IF-TNCCS 2.0 Connection

A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received
<pre>
Feb 10 09:05:24 moon charon: 16[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 16[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 moon charon: 16[TNC] assigned TNCCS Connection ID 1
Feb 10 09:05:24 moon charon: 16[IMV] IMV 1 "Attestation" created a state for Connection ID 1: IF-TNCCS 2.0 with +long +excl -soh over IF-T for Tunneled EAP 1.1
Feb 10 09:05:24 moon charon: 16[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Feb 10 09:05:24 moon charon: 16[TNC] received TNCCS batch (105 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 16[TNC] => 105 bytes @ 0x807dd82
Feb 10 09:05:24 moon charon: 16[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Feb 10 09:05:24 moon charon: 16[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Feb 10 09:05:24 moon charon: 16[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Feb 10 09:05:24 moon charon: 16[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Feb 10 09:05:24 moon charon: 16[TNC] 64: 00 00 00 35 C9 DC 7B 00 00 00 00 00 00 00 02 00 ...5..{.........
Feb 10 09:05:24 moon charon: 16[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Feb 10 09:05:24 moon charon: 16[TNC] 96: 31 2E 30 34 20 69 36 38 36 1.04 i686
Feb 10 09:05:24 moon charon: 16[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Feb 10 09:05:24 moon charon: 16[TNC] processing PB-TNC CDATA batch
</pre>

containing a 'PB-Language-Preference' and a 'PB-PA' message
<pre>
Feb 10 09:05:24 moon charon: 16[TNC] processing PB-Language-Preference message (31 bytes)
Feb 10 09:05:24 moon charon: 16[TNC] processing PB-PA message (66 bytes)
</pre>

This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.

!IF-TNCCS-20-State-Diagram.png!

The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:
<pre>
Feb 10 09:05:24 moon charon: 16[TNC] setting language preference to 'en'
Feb 10 09:05:24 moon charon: 16[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:
<pre>
Feb 10 09:05:24 moon charon: 16[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 1
Feb 10 09:05:24 moon charon: 16[TNC] processing PA-TNC message with ID 0x35c9dc7b
Feb 10 09:05:24 moon charon: 16[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Feb 10 09:05:24 moon charon: 16[TNC] => 22 bytes @ 0x808021c
Feb 10 09:05:24 moon charon: 16[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 30 .....Ubuntu 11.0
Feb 10 09:05:24 moon charon: 16[TNC] 16: 34 20 69 36 38 36 4 i686
</pre>

h3. PTS Capability Discovery

The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace. SHA-1 is the only PTS measurement algorithm proposed by the PTS-IMV.
<pre>
Feb 10 09:05:24 moon charon: 16[TNC] creating PA-TNC message with ID 0x8b088dab
Feb 10 09:05:24 moon charon: 16[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Feb 10 09:05:24 moon charon: 16[TNC] => 4 bytes @ 0x8080198
Feb 10 09:05:24 moon charon: 16[TNC] 0: 00 00 00 0E ....
Feb 10 09:05:24 moon charon: 16[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Feb 10 09:05:24 moon charon: 16[TNC] => 4 bytes @ 0x8080228
Feb 10 09:05:24 moon charon: 16[TNC] 0: 00 00 80 00 ....
</pre>

The PB-PA message is sent in a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch to the TNC client:
<pre>
Feb 10 09:05:24 moon charon: 16[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:24 moon charon: 16[TNC] creating PB-TNC SDATA batch
Feb 10 09:05:24 moon charon: 16[TNC] adding PB-PA message
Feb 10 09:05:24 moon charon: 16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 10 09:05:24 moon charon: 16[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 16[TNC] => 72 bytes @ 0x807d518
Feb 10 09:05:24 moon charon: 16[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Feb 10 09:05:24 moon charon: 16[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Feb 10 09:05:24 moon charon: 16[TNC] 32: 01 00 00 00 8B 08 8D AB 80 00 55 97 01 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 16[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 16[TNC] 64: 00 00 00 10 00 00 80 00 ........
Feb 10 09:05:24 moon charon: 16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 moon charon: 16[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

As a response a PB-TNC CDATA batch is received from the TNC client
<pre>
Feb 10 09:05:24 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 06[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 06[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 moon charon: 06[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 06[TNC] => 72 bytes @ 0x807ddd2
Feb 10 09:05:24 moon charon: 06[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Feb 10 09:05:24 moon charon: 06[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Feb 10 09:05:24 moon charon: 06[TNC] 32: 01 00 00 00 AC E9 1F 02 00 00 55 97 02 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 06[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 06[TNC] 64: 00 00 00 10 00 00 80 00 ........
Feb 10 09:05:24 moon charon: 06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 10 09:05:24 moon charon: 06[TNC] processing PB-TNC CDATA batch
</pre>

containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Feb 10 09:05:24 moon charon: 06[TNC] processing PB-PA message (64 bytes)
Feb 10 09:05:24 moon charon: 06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message contains a 'PTS Protocol Capabilities' and a 'PTS Measurement Algorithm' attribute from the TCG namespace:
<pre>
Feb 10 09:05:24 moon charon: 06[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 1
Feb 10 09:05:24 moon charon: 06[TNC] processing PA-TNC message with ID 0xace91f02
Feb 10 09:05:24 moon charon: 06[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Feb 10 09:05:24 moon charon: 06[TNC] => 4 bytes @ 0x80808dc
Feb 10 09:05:24 moon charon: 06[TNC] 0: 00 00 00 0E ....
Feb 10 09:05:24 moon charon: 06[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Feb 10 09:05:24 moon charon: 06[TNC] => 4 bytes @ 0x80808ec
Feb 10 09:05:24 moon charon: 06[TNC] 0: 00 00 80 00 ....
</pre>

The PTS-IMC supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities all of which the PTS-IMV proposed in the capabilities request. Also SHA-1 is confirmed by the PTS-IMC to be used as PTS measurement algorithm.
<pre>
Feb 10 09:05:24 moon charon: 06[PTS] supported PTS protocol capabilities: .VDT.
Feb 10 09:05:24 moon charon: 06[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>

h3. DH Nonce Parameters

The PTS-IMV creates a PA-TNC message containing the 'DH Nonce Parameters Request' from the TCG namespace which offers the set of IKE DH groups {2, 5, 14, 19}:
<pre>
Feb 10 09:05:24 moon charon: 06[TNC] creating PA-TNC message with ID 0xd5d8b7f7
Feb 10 09:05:24 moon charon: 06[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Feb 10 09:05:24 moon charon: 06[TNC] => 4 bytes @ 0x8081760
Feb 10 09:05:24 moon charon: 06[TNC] 0: 00 00 F0 00 ....
</pre>

The corresponding PB-PA message is embedded into a PB-TNC SDATA batch and sent to the TNC client
<pre>
Feb 10 09:05:24 moon charon: 06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:24 moon charon: 06[TNC] creating PB-TNC SDATA batch
Feb 10 09:05:24 moon charon: 06[TNC] adding PB-PA message
Feb 10 09:05:24 moon charon: 06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 10 09:05:24 moon charon: 06[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 06[TNC] => 56 bytes @ 0x807da30
Feb 10 09:05:24 moon charon: 06[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........
Feb 10 09:05:24 moon charon: 06[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U.........
Feb 10 09:05:24 moon charon: 06[TNC] 32: 01 00 00 00 D5 D8 B7 F7 80 00 55 97 03 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 06[TNC] 48: 00 00 00 10 00 00 F0 00 ........
Feb 10 09:05:24 moon charon: 06[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 moon charon: 06[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

In response a PB-TNC CDATA batch is received from the TNC client
<pre>
Feb 10 09:05:24 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 05[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 moon charon: 05[TNC] received TNCCS batch (144 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 05[TNC] => 144 bytes @ 0x807c79a
Feb 10 09:05:24 moon charon: 05[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................
Feb 10 09:05:24 moon charon: 05[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Feb 10 09:05:24 moon charon: 05[TNC] 32: 01 00 00 00 4A 9B 2C 31 00 00 55 97 04 00 00 00 ....J.,1..U.....
Feb 10 09:05:24 moon charon: 05[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 1D 14 23 06 ...h..........#.
Feb 10 09:05:24 moon charon: 05[TNC] 64: 97 7D E7 E3 AF AE B6 57 FB A3 58 DA 59 6A 4C D3 .}.....W..X.YjL.
Feb 10 09:05:24 moon charon: 05[TNC] 80: 77 49 6B 4B 36 35 DF BB 27 3F 62 E7 EA 5B 6E 7C wIkK65..'?b..[n|
Feb 10 09:05:24 moon charon: 05[TNC] 96: 5E 55 C4 04 04 89 B4 98 66 31 6A A2 A2 4E 5E AC ^U......f1j..N^.
Feb 10 09:05:24 moon charon: 05[TNC] 112: DE 57 B7 3B 97 72 08 A6 90 7C 3C FB FD B3 45 05 .W.;.r...|<...E.
Feb 10 09:05:24 moon charon: 05[TNC] 128: C5 4D 21 10 0E 07 CE 94 B0 61 14 9F C1 22 10 93 .M!......a..."..
Feb 10 09:05:24 moon charon: 05[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 10 09:05:24 moon charon: 05[TNC] processing PB-TNC CDATA batch
</pre>

containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Feb 10 09:05:24 moon charon: 05[TNC] processing PB-PA message (136 bytes)
Feb 10 09:05:24 moon charon: 05[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message contains a 'DH Nonce Parameters Response' attribute from the TCG namespace:
<pre>
Feb 10 09:05:24 moon charon: 05[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 1
Feb 10 09:05:24 moon charon: 05[TNC] processing PA-TNC message with ID 0x4a9b2c31
Feb 10 09:05:24 moon charon: 05[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Feb 10 09:05:24 moon charon: 05[TNC] => 92 bytes @ 0x807d614
Feb 10 09:05:24 moon charon: 05[TNC] 0: 00 00 00 14 10 00 E0 00 1D 14 23 06 97 7D E7 E3 ..........#..}..
Feb 10 09:05:24 moon charon: 05[TNC] 16: AF AE B6 57 FB A3 58 DA 59 6A 4C D3 77 49 6B 4B ...W..X.YjL.wIkK
Feb 10 09:05:24 moon charon: 05[TNC] 32: 36 35 DF BB 27 3F 62 E7 EA 5B 6E 7C 5E 55 C4 04 65..'?b..[n|^U..
Feb 10 09:05:24 moon charon: 05[TNC] 48: 04 89 B4 98 66 31 6A A2 A2 4E 5E AC DE 57 B7 3B ....f1j..N^..W.;
Feb 10 09:05:24 moon charon: 05[TNC] 64: 97 72 08 A6 90 7C 3C FB FD B3 45 05 C5 4D 21 10 .r...|<...E..M!.
Feb 10 09:05:24 moon charon: 05[TNC] 80: 0E 07 CE 94 B0 61 14 9F C1 22 10 93 .....a..."..
</pre>

The PTS-IMC selected ECP_256 (IKE DH group 14) as the PTS DH group and returns a 20 byte DH responder nonce and the 32 byte ECP_256 DH responder public value from which together with the PTS-IMV's private DH value the shared DH secret can be derived:
<pre>
Feb 10 09:05:24 moon charon: 05[PTS] selected DH hash algorithm is HASH_SHA1
Feb 10 09:05:24 moon charon: 05[PTS] selected PTS DH group is ECP_256
Feb 10 09:05:24 moon charon: 05[PTS] nonce length is 20
Feb 10 09:05:24 moon charon: 05[PTS] initiator nonce: => 20 bytes @ 0x8080198
Feb 10 09:05:24 moon charon: 05[PTS] 0: A6 CA 36 F6 A1 CC 25 1A EF 13 9C AC 84 1F F6 9B ..6...%.........
Feb 10 09:05:24 moon charon: 05[PTS] 16: F1 31 95 A3 .1..
Feb 10 09:05:24 moon charon: 05[PTS] responder nonce: => 20 bytes @ 0x807d740
Feb 10 09:05:24 moon charon: 05[PTS] 0: 1D 14 23 06 97 7D E7 E3 AF AE B6 57 FB A3 58 DA ..#..}.....W..X.
Feb 10 09:05:24 moon charon: 05[PTS] 16: 59 6A 4C D3 YjL.
Feb 10 09:05:24 moon charon: 05[PTS] shared DH secret: => 32 bytes @ 0x8081f60
Feb 10 09:05:24 moon charon: 05[PTS] 0: F1 6A 3B 1C 72 03 B0 18 EA 3C B6 74 D6 AD 33 E9 .j;.r....<.t..3.
Feb 10 09:05:24 moon charon: 05[PTS] 16: 23 0B 3C 1C A9 5C 77 12 FE FF FF 67 E5 7F CB 04 #.<..\w....g....
Feb 10 09:05:24 moon charon: 05[PTS] secret assessment value: => 20 bytes @ 0x8081fd8
Feb 10 09:05:24 moon charon: 05[PTS] 0: 5F A0 83 5D 35 DF 3C 94 28 8B 79 6F AB 35 86 6C _..]5.<.(.yo.5.l
Feb 10 09:05:24 moon charon: 05[PTS] 16: E2 23 4C CF .#L.
</pre>
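The structure of the batches exchanged above, from the PB-TNC batch header down to the PTS attributes of the capability discovery and the DH nonce negotiation, can be decoded from the hex dumps. The following Python decoder is an added example and is not part of this HOWTO or of strongSwan. Its three sample batches are copied byte for byte from the charon dumps on this page (the first CDATA batch, the SDATA capability request and the CDATA batch carrying the DH Nonce Parameters Response); the layouts of the PB-TNC batch, PB-TNC message, PB-PA and PA-TNC headers follow RFC 5793 and RFC 5792, and the flag-bit assignments for PTS capabilities, measurement algorithms and DH groups are assumed from strongSwan's libpts, which agrees with how the log lines above print them (0x0E as '.VDT.', 0x8000 as SHA1, 0xF000 as the group set {2, 5, 14, 19}). Every length field is checked against the enclosing buffer before it is used, which is the check a verifier-side parser needs before it trusts a batch from a not yet assessed client.

```python
import struct

TCG_VENDOR_ID = 0x005597  # TCG's vendor ID, as seen in the PB-PA headers above
PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_TYPES = {1: "PB-PA", 6: "PB-Language-Preference"}
TCG_ATTR_TYPES = {
    0x01000000: "Request PTS Protocol Capabilities", 0x02000000: "PTS Protocol Capabilities",
    0x03000000: "DH Nonce Parameters Request", 0x04000000: "DH Nonce Parameters Response",
    0x05000000: "DH Nonce Finish", 0x06000000: "PTS Measurement Algorithm Request",
    0x07000000: "PTS Measurement Algorithm", 0x08000000: "Get TPM Version Information",
    0x0D000000: "Get Attestation Identity Key"}
# Flag bits as strongSwan's libpts assigns them (assumed from its source; consistent with the
# log lines above: 0x0E prints as ".VDT.", 0x8000 is SHA1, 0xF000 is the group set {2,5,14,19}).
PTS_CAPS = ((0x01, "C"), (0x02, "V"), (0x04, "D"), (0x08, "T"), (0x10, "X"))
PTS_MEAS_ALGOS = {0x8000: "SHA1", 0x4000: "SHA256", 0x2000: "SHA384"}
PTS_DH_GROUPS = {0x8000: "MODP_1024 (IKE group 2)", 0x4000: "MODP_1536 (IKE group 5)",
                 0x2000: "MODP_2048 (IKE group 14)", 0x1000: "ECP_256 (IKE group 19)",
                 0x0800: "ECP_384 (IKE group 20)"}

# Sample batches, copied byte for byte from the charon hex dumps on this page.
CDATA_FIRST = bytes.fromhex(          # 105 bytes: PB-Language-Preference + Product Information
    "02000001000000690000000000000006" "0000001f4163636570742d4c616e6775"
    "6167653a20656e800000000000000100" "00004200005597000000010001ffff01"
    "00000035c9dc7b000000000000000200" "00002200000000005562756e74752031" "312e30342069363836")
SDATA_CAPS_REQUEST = bytes.fromhex(   # 72 bytes: capability and measurement algorithm request
    "02800002000000488000000000000001" "000000400000559700000001ffff0001"
    "010000008b088dab8000559701000000" "000000100000000e8000559706000000" "0000001000008000")
CDATA_DH_RESPONSE = bytes.fromhex(    # 144 bytes: DH Nonce Parameters Response
    "02000001000000908000000000000001" "0000008800005597000000010001ffff"
    "010000004a9b2c310000559704000000" "00000068000000141000e0001d142306"
    "977de7e3afaeb657fba358da596a4cd3" "77496b4b3635dfbb273f62e7ea5b6e7c"
    "5e55c4040489b49866316aa2a24e5eac" "de57b73b977208a6907c3cfbfdb34505"
    "c54d21100e07ce94b061149fc1221093")

def set_bits(value, table):
    """Names of the flag bits set in value, in table order."""
    return [name for bit, name in table.items() if value & bit]

def decode_attr(vendor, atype, value):
    """Decode the PA-TNC attribute payloads that occur in the exchange above."""
    attr = {"vendor": vendor, "type": atype, "length": len(value)}
    if vendor == 0 and atype == 2:      # IETF Product Information: vendor(3) product id(2) name
        attr["name"], attr["product"] = "Product Information", value[5:].decode("utf-8")
    elif vendor == TCG_VENDOR_ID:
        attr["name"] = TCG_ATTR_TYPES.get(atype, hex(atype))
        if atype in (0x01000000, 0x02000000):      # 32-bit capability flags, printed like charon
            caps = struct.unpack("!I", value)[0]
            attr["caps"] = "".join(n if caps & b else "." for b, n in PTS_CAPS)
        elif atype in (0x06000000, 0x07000000):    # 32-bit measurement algorithm flags
            attr["algorithms"] = set_bits(struct.unpack("!I", value)[0], PTS_MEAS_ALGOS)
        elif atype == 0x03000000:                  # reserved(1) min nonce len(1) group set(2)
            _, attr["min_nonce_len"], groups = struct.unpack("!BBH", value)
            attr["dh_groups"] = set_bits(groups, PTS_DH_GROUPS)
        elif atype == 0x04000000:  # reserved(3) nonce len(1) group(2) hash set(2) nonce pubval
            nonce_len, group, hashes = struct.unpack("!xxxBHH", value[:8])
            attr["dh_group"] = PTS_DH_GROUPS.get(group, hex(group))
            attr["hash_algorithms"] = set_bits(hashes, PTS_MEAS_ALGOS)
            attr["nonce"], attr["public_value"] = value[8:8 + nonce_len], value[8 + nonce_len:]
    return attr

def parse_pb_pa(body):
    """PB-PA header (12 bytes), PA-TNC message header (8 bytes), then PA-TNC attributes."""
    if len(body) < 20:
        raise ValueError("truncated PB-PA message")
    _, vh, vl, subtype, collector, validator = struct.unpack("!BBHIHH", body[:12])
    _version, _, _, ident = struct.unpack("!BBHI", body[12:20])
    msg = {"pa_vendor": (vh << 16) | vl, "pa_subtype": subtype, "collector_id": collector,
           "validator_id": validator, "identifier": ident, "attributes": []}
    off = 20
    while off < len(body):
        if off + 12 > len(body):
            raise ValueError("truncated PA-TNC attribute header")
        _, vh, vl, atype, alen = struct.unpack("!BBHII", body[off:off + 12])
        if alen < 12 or off + alen > len(body):
            raise ValueError("PA-TNC attribute length runs past the message")
        msg["attributes"].append(decode_attr((vh << 16) | vl, atype, body[off + 12:off + alen]))
        off += alen
    return msg

def parse_batch(data):
    """Parse one PB-TNC batch, checking every length field against the enclosing buffer."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC batch header")
    version, flags, _, btype, length = struct.unpack("!BBBBI", data[:8])
    if version != 2 or length != len(data):
        raise ValueError("PB-TNC batch length %d does not match %d bytes" % (length, len(data)))
    batch = {"from_server": bool(flags & 0x80), "type": PB_BATCH_TYPES.get(btype, btype),
             "messages": []}
    off = 8
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated PB-TNC message header")
        mflags, vh, vl, mtype, mlen = struct.unpack("!BBHII", data[off:off + 12])
        if mlen < 12 or off + mlen > len(data):
            raise ValueError("PB-TNC message length runs past the batch")
        vendor, body = (vh << 16) | vl, data[off + 12:off + mlen]
        msg = {"noskip": bool(mflags & 0x80), "vendor": vendor, "type": PB_MSG_TYPES.get(mtype, mtype)}
        if vendor == 0 and mtype == 6:
            msg["language"] = body.decode("ascii")
        elif vendor == 0 and mtype == 1:
            msg.update(parse_pb_pa(body))
        batch["messages"].append(msg)
        off += mlen
    return batch

if __name__ == "__main__":
    for raw in (CDATA_FIRST, SDATA_CAPS_REQUEST, CDATA_DH_RESPONSE):
        print(parse_batch(raw))
```

Running the script prints the three decoded batches. The decoder takes the nonce and public value sizes from the attribute's own length fields rather than assuming them, so the 92-byte DH Nonce Parameters Response splits into the 8-byte fixed part, the 20-byte responder nonce shown in the log and the remaining bytes of the responder's public value.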

h3. DH Nonce Finish and TPM Version/AIK Info

The PTS-IMV sends its 32 byte ECP_256 DH initiator public value and its 20 byte initiator nonce in the 'DH Nonce Finish' attribute. Additionally, a 'Get TPM Version Information' and a 'Get Attestation Identity Key' attribute are included in the PA-TNC message:
<pre>
Feb 10 09:05:24 moon charon: 05[TNC] creating PA-TNC message with ID 0xc75a895f
Feb 10 09:05:24 moon charon: 05[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Feb 10 09:05:24 moon charon: 05[TNC] => 88 bytes @ 0x80821e0
Feb 10 09:05:24 moon charon: 05[TNC] 0: 00 14 80 00 19 14 23 2B 46 C9 C4 56 B5 F6 9C 18 ......#+F..V....
Feb 10 09:05:24 moon charon: 05[TNC] 16: 58 A2 78 B0 E4 A7 4A C7 20 21 32 CD B2 60 7F DB X.x...J. !2..`..
Feb 10 09:05:24 moon charon: 05[TNC] 32: 0F 7B 35 53 AE FA 23 C0 65 A5 48 35 FE DF DF B9 .{5S..#.e.H5....
Feb 10 09:05:24 moon charon: 05[TNC] 48: 72 C4 DD 16 8B 55 E9 84 AE 45 E0 07 05 AF D6 60 r....U...E.....`
Feb 10 09:05:24 moon charon: 05[TNC] 64: 32 95 58 81 A6 CA 36 F6 A1 CC 25 1A EF 13 9C AC 2.X...6...%.....
Feb 10 09:05:24 moon charon: 05[TNC] 80: 84 1F F6 9B F1 31 95 A3 .....1..
Feb 10 09:05:24 moon charon: 05[TNC] creating PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Feb 10 09:05:24 moon charon: 05[TNC] => 4 bytes @ 0x80808e8
Feb 10 09:05:24 moon charon: 05[TNC] 0: 00 00 00 00 ....
Feb 10 09:05:24 moon charon: 05[TNC] creating PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
Feb 10 09:05:24 moon charon: 05[TNC] => 4 bytes @ 0x807c830
Feb 10 09:05:24 moon charon: 05[TNC] 0: 00 00 00 00 ....
</pre>

The PA-TNC message transferred via the IF-IMV SendMessage function call is inserted as a PB-PA message in an outbound PB-TNC SDATA batch:
<pre>
Feb 10 09:05:24 moon charon: 05[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Feb 10 09:05:24 moon charon: 05[TNC] creating PB-TNC SDATA batch
Feb 10 09:05:24 moon charon: 05[TNC] adding PB-PA message
Feb 10 09:05:24 moon charon: 05[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Feb 10 09:05:24 moon charon: 05[TNC] sending PB-TNC SDATA batch (172 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 05[TNC] => 172 bytes @ 0x807d518
Feb 10 09:05:24 moon charon: 05[TNC] 0: 02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01 ................
Feb 10 09:05:24 moon charon: 05[TNC] 16: 00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01 ......U.........
Feb 10 09:05:24 moon charon: 05[TNC] 32: 01 00 00 00 C7 5A 89 5F 80 00 55 97 05 00 00 00 .....Z._..U.....
Feb 10 09:05:24 moon charon: 05[TNC] 48: 00 00 00 64 00 14 80 00 19 14 23 2B 46 C9 C4 56 ...d......#+F..V
Feb 10 09:05:24 moon charon: 05[TNC] 64: B5 F6 9C 18 58 A2 78 B0 E4 A7 4A C7 20 21 32 CD ....X.x...J. !2.
Feb 10 09:05:24 moon charon: 05[TNC] 80: B2 60 7F DB 0F 7B 35 53 AE FA 23 C0 65 A5 48 35 .`...{5S..#.e.H5
Feb 10 09:05:24 moon charon: 05[TNC] 96: FE DF DF B9 72 C4 DD 16 8B 55 E9 84 AE 45 E0 07 ....r....U...E..
Feb 10 09:05:24 moon charon: 05[TNC] 112: 05 AF D6 60 32 95 58 81 A6 CA 36 F6 A1 CC 25 1A ...`2.X...6...%.
Feb 10 09:05:24 moon charon: 05[TNC] 128: EF 13 9C AC 84 1F F6 9B F1 31 95 A3 80 00 55 97 .........1....U.
Feb 10 09:05:24 moon charon: 05[TNC] 144: 08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97 ..............U.
Feb 10 09:05:24 moon charon: 05[TNC] 160: 0D 00 00 00 00 00 00 10 00 00 00 00 ............
Feb 10 09:05:24 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Feb 10 09:05:24 moon charon: 05[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
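As an added example that is not part of this HOWTO or of the strongSwan sources, the following Python script decodes the outbound SDATA batch above layer by layer (PB-TNC batch, PB-PA message, PA-TNC message, PTS attributes), unpacks the 'DH Nonce Finish' attribute into its selected hash algorithm, DH public value and nonce, and also decodes the TPM_CAP_VERSION_INFO structure that the client returns in its 'TPM Version Information' attribute further below. The sample bytes are constructed from the hex dumps on this page; the field layouts follow RFC 5793 (PB-TNC), RFC 5792 (PA-TNC) and the TCG PTS IF-M binding, the hash-algorithm flag bit assignment is an assumption, and all function and field names are this example's own.

```python
# Added example (not strongSwan code): decode a PB-TNC batch down to the PTS attributes it
# carries. Layouts follow RFC 5793, RFC 5792 and the TCG PTS IF-M binding; names are our own.
import struct

TCG_VENDOR_ID = 0x005597   # TCG vendor ID namespace, as logged
PB_MSG_PA = 1              # IETF PB-TNC message type 'PB-PA'
PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PTS_ATTR_NAMES = {0x05000000: "DH Nonce Finish", 0x08000000: "Get TPM Version Information",
                  0x09000000: "TPM Version Information", 0x0D000000: "Get Attestation Identity Key",
                  0x0E000000: "Attestation Identity Key"}
PTS_HASH_ALGOS = {0x8000: "SHA-1", 0x4000: "SHA-256", 0x2000: "SHA-384"}  # PTS flag bits (assumed)

# Sample input constructed from the hex dumps on this page: the 172-byte SDATA batch and
# the 20-byte 'TPM Version Information' value the client returns in its reply.
SDATA_BATCH = bytes.fromhex("""
02 80 00 02 00 00 00 AC 80 00 00 00 00 00 00 01
00 00 00 A4 00 00 55 97 00 00 00 01 FF FF 00 01
01 00 00 00 C7 5A 89 5F 80 00 55 97 05 00 00 00
00 00 00 64 00 14 80 00 19 14 23 2B 46 C9 C4 56
B5 F6 9C 18 58 A2 78 B0 E4 A7 4A C7 20 21 32 CD
B2 60 7F DB 0F 7B 35 53 AE FA 23 C0 65 A5 48 35
FE DF DF B9 72 C4 DD 16 8B 55 E9 84 AE 45 E0 07
05 AF D6 60 32 95 58 81 A6 CA 36 F6 A1 CC 25 1A
EF 13 9C AC 84 1F F6 9B F1 31 95 A3 80 00 55 97
08 00 00 00 00 00 00 10 00 00 00 00 80 00 55 97
0D 00 00 00 00 00 00 10 00 00 00 00""")
TPM_VERSION_INFO = bytes.fromhex("00 30 01 02 03 11 00 02 02 49 46 58 00 00 05 03 11 00 08 00")


def parse_dh_nonce_finish(value):
    # Reserved(8) | Nonce Length(8) | Hash Algorithm(16) | DH public value | nonce
    _, nonce_len, hash_alg = struct.unpack("!BBH", value[:4])
    end = len(value) - nonce_len
    if end < 4:
        raise ValueError("DH Nonce Finish shorter than its nonce")
    return {"hash": PTS_HASH_ALGOS.get(hash_alg, hex(hash_alg)),
            "public_value": value[4:end],   # 64 bytes for ECP_256 (x || y)
            "nonce": value[end:]}


def parse_tpm_version_info(value):
    # TPM 1.2 TPM_CAP_VERSION_INFO: tag(16)=0x0030 | version(4x8) | specLevel(16) |
    # errataRev(8) | tpmVendorID(4x8) | vendorSpecificSize(16) | vendorSpecific
    tag, major, minor, rev_major, rev_minor, spec, errata, vendor, vs_len = \
        struct.unpack("!HBBBBHB4sH", value[:15])
    if tag != 0x0030:
        raise ValueError("not a TPM_CAP_VERSION_INFO structure")
    return {"version": f"{major}.{minor}", "revision": f"{rev_major}.{rev_minor}",
            "spec_level": spec, "errata_rev": errata,
            "vendor": vendor.rstrip(b"\0").decode("ascii"),
            "vendor_specific": value[15:15 + vs_len]}


PTS_DECODERS = {0x05000000: parse_dh_nonce_finish, 0x09000000: parse_tpm_version_info}


def parse_pa_tnc(data):
    # PA-TNC message: Version(8)=1 | Reserved(24) | Message ID(32) | attributes
    version, _, _, msg_id = struct.unpack("!BBHI", data[:8])
    if version != 1:
        raise ValueError("unsupported PA-TNC version")
    attrs, off = [], 8
    while off < len(data):
        # Attribute: Flags(8) | Vendor ID(24) | Type(32) | Length(32, incl. header) | value
        flags, v_hi, v_lo, a_type, a_len = struct.unpack("!BBHII", data[off:off + 12])
        if a_len < 12 or off + a_len > len(data):
            raise ValueError("bad PA-TNC attribute length")
        vendor = (v_hi << 16) | v_lo
        attr = {"noskip": bool(flags & 0x80), "vendor": vendor, "type": a_type,
                "name": PTS_ATTR_NAMES.get(a_type, "unknown") if vendor == TCG_VENDOR_ID else "non-PTS",
                "value": data[off + 12:off + a_len]}
        if vendor == TCG_VENDOR_ID and a_type in PTS_DECODERS:
            attr["decoded"] = PTS_DECODERS[a_type](attr["value"])
        attrs.append(attr)
        off += a_len
    return {"msg_id": msg_id, "attributes": attrs}


def parse_pb_pa(body):
    # PB-PA: Flags(8) | PA Vendor ID(24) | PA Subtype(32) | IMC ID(16) | IMV ID(16) | PA-TNC
    flags, v_hi, v_lo, subtype, imc_id, imv_id = struct.unpack("!BBHIHH", body[:12])
    return {"excl": bool(flags & 0x80), "pa_vendor": (v_hi << 16) | v_lo, "pa_subtype": subtype,
            "imc_id": imc_id, "imv_id": imv_id, "pa_tnc": parse_pa_tnc(body[12:])}


def parse_batch(data):
    # PB-TNC batch: Version(8)=2 | D(1)+Reserved(7) | Reserved(12)+Type(4) | Length(32) | messages
    version, flags, rsv_type, length = struct.unpack("!BBHI", data[:8])
    if version != 2 or length != len(data):
        raise ValueError("bad PB-TNC batch header")
    batch = {"direction": "server->client" if flags & 0x80 else "client->server",
             "type": PB_BATCH_TYPES.get(rsv_type & 0x0F, "unknown"), "messages": []}
    off = 8
    while off < length:
        # Message: Flags(8) | Vendor ID(24) | Type(32) | Length(32, incl. header) | body
        _, v_hi, v_lo, m_type, m_len = struct.unpack("!BBHII", data[off:off + 12])
        if m_len < 12 or off + m_len > length:
            raise ValueError("bad PB-TNC message length")
        msg = {"vendor": (v_hi << 16) | v_lo, "type": m_type}
        if msg["vendor"] == 0 and m_type == PB_MSG_PA:
            msg["pb_pa"] = parse_pb_pa(data[off + 12:off + m_len])
        batch["messages"].append(msg)
        off += m_len
    return batch


if __name__ == "__main__":
    for a in parse_batch(SDATA_BATCH)["messages"][0]["pb_pa"]["pa_tnc"]["attributes"]:
        print(a["name"], len(a["value"]), "bytes", a.get("decoded", ""))
```

The attribute names and lengths the script prints can be compared directly against the 'creating PA-TNC attribute' lines in the log above. The length checks on each message and attribute header are the part a receiver must not skip: a length below the 12-byte header or beyond the enclosing message would otherwise make the loop stall or read past the batch, which is exactly the kind of malformed input a TNC server sees from an untrusted client before any attestation result is known.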

In response, a PB-TNC CDATA batch is received
<pre>
Feb 10 09:05:24 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 04[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 04[ENC] generating IKE_AUTH response 10 [ EAP/REQ/TTLS ]
Feb 10 09:05:24 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Feb 10 09:05:24 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Feb 10 09:05:24 moon charon: 03[ENC] parsed IKE_AUTH request 11 [ EAP/RES/TTLS ]
Feb 10 09:05:24 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Feb 10 09:05:24 moon charon: 03[TNC] received TNCCS batch (1251 bytes) for Connection ID 1
Feb 10 09:05:24 moon charon: 03[TNC] => 1251 bytes @ 0x80837c2
Feb 10 09:05:24 moon charon: 03[TNC] 0: 02 00 00 01 00 00 04 E3 80 00 00 00 00 00 00 01 ................
Feb 10 09:05:24 moon charon: 03[TNC] 16: 00 00 04 DB 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Feb 10 09:05:24 moon charon: 03[TNC] 32: 01 00 00 00 9E B3 B6 85 00 00 55 97 09 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 03[TNC] 48: 00 00 00 20 00 30 01 02 03 11 00 02 02 49 46 58 ... .0.......IFX
Feb 10 09:05:24 moon charon: 03[TNC] 64: 00 00 05 03 11 00 08 00 00 00 55 97 0E 00 00 00 ..........U.....
Feb 10 09:05:24 moon charon: 03[TNC] 80: 00 00 04 9B 00 30 82 04 8A 30 82 03 72 A0 03 02 .....0...0..r...
Feb 10 09:05:24 moon charon: 03[TNC] 96: 01 02 02 10 33 55 8F BC AE 0F D9 47 78 74 D6 E5 ....3U.....Gxt..
Feb 10 09:05:24 moon charon: 03[TNC] 112: C9 1B 24 28 30 0D 06 09 2A 86 48 86 F7 0D 01 01 ..$(0...*.H.....
Feb 10 09:05:24 moon charon: 03[TNC] 128: 05 05 00 30 50 31 16 30 14 06 03 55 04 0A 13 0D ...0P1.0...U....
Feb 10 09:05:24 moon charon: 03[TNC] 144: 70 72 69 76 61 63 79 63 61 2E 63 6F 6D 31 36 30 privacyca.com160
Feb 10 09:05:24 moon charon: 03[TNC] 160: 34 06 03 55 04 03 13 2D 50 72 69 76 61 63 79 20 4..U...-Privacy
Feb 10 09:05:24 moon charon: 03[TNC] 176: 43 41 20 49 6E 73 65 63 75 72 65 2F 55 6E 63 68 CA Insecure/Unch
Feb 10 09:05:24 moon charon: 03[TNC] 192: 65 63 6B 65 64 20 41 49 4B 20 43 65 72 74 69 66 ecked AIK Certif
Feb 10 09:05:24 moon charon: 03[TNC] 208: 69 63 61 74 65 30 1E 17 0D 31 32 30 32 30 38 31 icate0...1202081
Feb 10 09:05:24 moon charon: 03[TNC] 224: 30 34 31 32 30 5A 17 0D 31 33 30 32 30 38 31 30 04120Z..13020810
Feb 10 09:05:24 moon charon: 03[TNC] 240: 34 31 32 30 5A 30 00 30 82 01 22 30 0D 06 09 2A 4120Z0.0.."0...*
----------------- truncated batch ------------------
Feb 10 09:05:24 moon charon: 03[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Feb 10 09:05:24 moon charon: 03[TNC] processing PB-TNC CDATA batch
</pre>

containing a PB-PA message with PA message type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Feb 10 09:05:24 moon charon: 03[TNC] processing PB-PA message (1243 bytes)
Feb 10 09:05:24 moon charon: 03[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

The PA-TNC message contains the 'TPM Version Information' and 'Attestation Identity Key' attributes:
<pre>
Feb 10 09:05:24 moon charon: 03[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 1
Feb 10 09:05:24 moon charon: 03[TNC] processing PA-TNC message with ID 0x9eb3b685
Feb 10 09:05:24 moon charon: 03[TNC] processing PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
Feb 10 09:05:24 moon charon: 03[TNC] => 20 bytes @ 0x8084ed4
Feb 10 09:05:24 moon charon: 03[TNC] 0: 00 30 01 02 03 11 00 02 02 49 46 58 00 00 05 03 .0.......IFX....
Feb 10 09:05:24 moon charon: 03[TNC] 16: 11 00 08 00 ....
Feb 10 09:05:24 moon charon: 03[TNC] processing PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
Feb 10 09:05:24 moon charon: 03[TNC] => 1167 bytes @ 0x8084ef4
Feb 10 09:05:24 moon charon: 03[TNC] 0: 00 30 82 04 8A 30 82 03 72 A0 03 02 01 02 02 10 .0...0..r.......
Feb 10 09:05:24 moon charon: 03[TNC] 16: 33 55 8F BC AE 0F D9 47 78 74 D6 E5 C9 1B 24 28 3U.....Gxt....$(
Feb 10 09:05:24 moon charon: 03[TNC] 32: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 0...*.H........0
Feb 10 09:05:24 moon charon: 03[TNC] 48: 50 31 16 30 14 06 03 55 04 0A 13 0D 70 72 69 76 P1.0...U....priv
Feb 10 09:05:24 moon charon: 03[TNC] 64: 61 63 79 63 61 2E 63 6F 6D 31 36 30 34 06 03 55 acyca.com1604..U
Feb 10 09:05:24 moon charon: 03[TNC] 80: 04 03 13 2D 50 72 69 76 61 63 79 20 43 41 20 49 ...-Privacy CA I
Feb 10 09:05:24 moon charon: 03[TNC] 96: 6E 73 65 63 75 72 65 2F 55 6E 63 68 65 63 6B 65 nsecure/Unchecke
Feb 10 09:05:24 moon charon: 03[TNC] 112: 64 20 41 49 4B 20 43 65 72 74 69 66 69 63 61 74 d AIK Certificat
Feb 10 09:05:24 moon charon: 03[TNC] 128: 65 30 1E 17 0D 31 32 30 32 30 38 31 30 34 31 32 e0...12020810412
Feb 10 09:05:24 moon charon: 03[TNC] 144: 30 5A 17 0D 31 33 30 32 30 38 31 30 34 31 32 30 0Z..130208104120
Feb 10 09:05:24 moon charon: 03[TNC] 160: 5A 30 00 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 Z0.0.."0...*.H..
Feb 10 09:05:24 moon charon: 03[TNC] 176: 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 ...........0....
Feb 10 09:05:24 moon charon: 03[TNC] 192: 82 01 01 00 81 E3 38 7C 4D 46 70 CB D5 33 62 38 ......8|MFp..3b8
Feb 10 09:05:24 moon charon: 03[TNC] 208: 50 AD 98 D1 28 56 D3 6E 71 CF AA E3 C8 31 BD F6 P...(V.nq....1..
Feb 10 09:05:24 moon charon: 03[TNC] 224: FE 53 6A ED C8 54 0E 7C FB 00 98 80 D6 7D C7 57 .Sj..T.|.....}.W
Feb 10 09:05:24 moon charon: 03[TNC] 240: D4 EC 24 93 59 48 1F DA 67 30 87 4F D3 59 B2 CA ..$.YH..g0.O.Y..
Feb 10 09:05:24 moon charon: 03[TNC] 256: A8 9D CE C9 27 9A 03 57 C0 FE 1F AB EE E5 C2 A8 ....'..W........
Feb 10 09:05:24 moon charon: 03[TNC] 272: C6 D5 DC C7 1E 81 74 4D 3D B5 98 6D 57 22 74 02 ......tM=..mW"t.
Feb 10 09:05:24 moon charon: 03[TNC] 288: F1 41 7C E3 68 C1 1C 1C 2F 57 54 CA 4A FB D6 3D .A|.h.../WT.J..=
Feb 10 09:05:24 moon charon: 03[TNC] 304: 33 37 A9 BC FF 6F 50 13 CC C2 D3 83 F1 4B 01 FD 37...oP......K..
Feb 10 09:05:24 moon charon: 03[TNC] 320: 66 A6 EE 7A D3 E0 E2 C0 51 55 A2 8A AB F4 85 09 f..z....QU......
Feb 10 09:05:24 moon charon: 03[TNC] 336: 74 24 64 03 DD 65 1C 26 2F 35 08 BF 57 D9 28 DA t$d..e.&/5..W.(.
Feb 10 09:05:24 moon charon: 03[TNC] 352: D3 D7 5B ED C8 C6 6C 43 7E DE D3 93 F4 D5 D7 36 ..[...lC~......6
Feb 10 09:05:24 moon charon: 03[TNC] 368: 1E 31 9A A8 42 10 7A F5 94 93 9C 8F BD 6D BC 66 .1..B.z......m.f
Feb 10 09:05:24 moon charon: 03[TNC] 384: 1D 30 A5 B3 B3 44 4D DA 6D 35 64 A6 08 EB D2 A6 .0...DM.m5d.....
Feb 10 09:05:24 moon charon: 03[TNC] 400: 99 18 56 01 28 3B 26 94 FD 6F 7F AD 45 68 3C 8A ..V.(;&..o..Eh<.
Feb 10 09:05:24 moon charon: 03[TNC] 416: 7D 38 8C DB D8 5F 76 16 F5 5E 8A 4B C2 2B 19 8A }8..._v..^.K.+..
Feb 10 09:05:24 moon charon: 03[TNC] 432: 27 D9 80 3C C8 13 01 11 70 CC D6 EF 57 F3 EF 37 '..<....p...W..7
Feb 10 09:05:24 moon charon: 03[TNC] 448: A2 E6 B5 49 02 03 01 00 01 A3 82 01 AE 30 82 01 ...I.........0..
Feb 10 09:05:24 moon charon: 03[TNC] 464: AA 30 37 06 03 55 1D 09 04 30 30 2E 30 16 06 05 .07..U...00.0...
Feb 10 09:05:24 moon charon: 03[TNC] 480: 67 81 05 02 10 31 0D 30 0B 0C 03 31 2E 31 02 01 g....1.0...1.1..
Feb 10 09:05:24 moon charon: 03[TNC] 496: 02 02 01 01 30 14 06 05 67 81 05 02 12 31 0B 30 ....0...g....1.0
Feb 10 09:05:24 moon charon: 03[TNC] 512: 09 80 01 00 81 01 00 82 01 02 30 5D 06 03 55 1D ..........0]..U.
Feb 10 09:05:24 moon charon: 03[TNC] 528: 11 01 01 FF 04 53 30 51 A4 42 30 40 31 16 30 14 .....S0Q.B0@1.0.
Feb 10 09:05:24 moon charon: 03[TNC] 544: 06 05 67 81 05 02 01 0C 0B 69 64 3A 30 30 30 30 ..g......id:0000
Feb 10 09:05:24 moon charon: 03[TNC] 560: 30 30 30 30 31 12 30 10 06 05 67 81 05 02 02 0C 00001.0...g.....
Feb 10 09:05:24 moon charon: 03[TNC] 576: 07 55 6E 6B 6E 6F 77 6E 31 12 30 10 06 05 67 81 .Unknown1.0...g.
Feb 10 09:05:24 moon charon: 03[TNC] 592: 05 02 03 0C 07 69 64 3A 30 30 30 30 A0 0B 06 05 .....id:0000....
Feb 10 09:05:24 moon charon: 03[TNC] 608: 67 81 05 02 0F A0 02 0C 00 30 0C 06 03 55 1D 13 g........0...U..
Feb 10 09:05:24 moon charon: 03[TNC] 624: 01 01 FF 04 02 30 00 30 81 E0 06 03 55 1D 20 01 .....0.0....U. .
Feb 10 09:05:24 moon charon: 03[TNC] 640: 01 FF 04 81 D5 30 81 D2 30 67 06 0A 2B 06 01 04 .....0..0g..+...
Feb 10 09:05:24 moon charon: 03[TNC] 656: 01 81 E3 42 01 10 30 59 30 29 06 08 2B 06 01 05 ...B..0Y0)..+...
Feb 10 09:05:24 moon charon: 03[TNC] 672: 05 07 02 01 16 1D 68 74 74 70 3A 2F 2F 77 77 77 ......http://www
Feb 10 09:05:24 moon charon: 03[TNC] 688: 2E 70 72 69 76 61 63 79 63 61 2E 63 6F 6D 2F 63 .privacyca.com/c
Feb 10 09:05:24 moon charon: 03[TNC] 704: 70 73 2F 30 2C 06 08 2B 06 01 05 05 07 02 02 30 ps/0,..+.......0
Feb 10 09:05:24 moon charon: 03[TNC] 720: 20 0C 1E 54 43 50 41 20 54 72 75 73 74 65 64 20 ..TCPA Trusted