Journal of Tsinghua University (Science and Technology)  2018, Vol. 58 Issue (4): 387-394    DOI: 10.16511/j.cnki.qhdxxb.2018.25.017
Computer Science and Technology
Highly-descriptive chain of trust in trusted computing
LONG Yu¹, WANG Xin², XU Xian³, HONG Xuan⁴
1. Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China;
2. State Key Laboratory of Parallel and Distributed Processing, Department of Computer Science and Engineering, National University of Defense Technology, Changsha 410073, China;
3. Department of Computer Science and Engineering, East China University of Science and Technology, Shanghai 200237, China;
4. Department of Computer Science, Shanghai Normal University, Shanghai 200234, China
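Abstract (Chinese): Trusted boot based on a trusted computing chip is the process of starting from the root of trust, establishing a chain of trust, and handing over control of the system step by step along that chain. However, the existing chain of trust is a simple single-chain structure and cannot meet user needs. This paper first draws on hierarchical identity-based signatures to propose a multi-chain-of-trust scheme that supports multiple software and hardware systems; this scheme supports tree-shaped expectations, or trust paths, over multiple boot modules. Second, drawing on fuzzy identity-based signatures, it proposes a chain of trust scheme that supports multiple potential trust states; this scheme supports a single trust path with multiple potential states. Finally, the two schemes are combined. By extending the scheme that supports multiple software and hardware systems to split the key at the leaf nodes, and by modifying the rollback mechanism, TPM (trusted platform module) chip storage, and other parts, a third scheme is obtained that has the functions of both new chains of trust: it supports both multiple boot module expectations and multiple potential trust states, meeting the user's need to decide the trust state dynamically while dynamically deciding the boot modules.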
Abstract: The trusted boot process in trusted computing verifies the next boot module from the root of trust to establish a chain of trust. The classic chain of trust is a simple single-branch tree, but this may not satisfy complete user demands. This paper presents a multi-module chain of trust model based on HIBS (hierarchical identity-based signature) and a multi-pattern chain of trust model based on FIBS (fuzzy identity-based signature) that overcome the limitations of single module expectations in a traditional chain so that the user can dynamically choose the module. The two chain of trust models are then combined to improve the results.
Key words: trusted computing; identity-based signature; chain of trust
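Received: 2017-08-23      Published: 2018-04-15
ZTFLH (Chinese Library Classification): TP309.7
Funding: National Natural Science Foundation of China (61572318); Natural Science Foundation of Shanghai (14ZR1431000)
About the author: LONG Yu (b. 1980), female, associate professor. E-mail: longyu@sjtu.edu.cn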
Cite this article:
LONG Yu, WANG Xin, XU Xian, HONG Xuan. Highly-descriptive chain of trust in trusted computing. Journal of Tsinghua University (Science and Technology), 2018, 58(4): 387-394.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.25.017  or  http://jst.tsinghuajournals.com/CN/Y2018/V58/I4/387
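Fig. 1 Traditional chain of trust model
Fig. 2 Multi-chain-of-trust model supporting multiple software and hardware systems
Fig. 3 Chain of trust model supporting multiple potential trust states
Fig. 4 Expected path tree and the structure of each composite node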