Linking remote attestation to secure tunnel endpoints

Abstract

Client-Server applications have become the backbone of the Internet and are processing increasingly sensitive information. We have come to rely on the correct behavior and trustworthiness of online banking, online shopping, and other remote access services. These services are implemented as cooperating processes on different platforms. To trust distributed services, one must trust each cooperating process and their interconnection.Common practice today is to establish secure tunnels to protect the communication between local and remote processes. Typically, a user controls the local system. The user also controls the security of the tunnel through negotiation and authentication protocols. Ongoing and published work examines how to create and monitor properties of remote systems. What is missing is the link or binding between such properties and the actual remote tunnel endpoint.We examine here how to link specific properties of a remote system "gained through TPM-based attestation" to secure tunnel endpoints to counter attacks where a compromised authenticated SSL endpoint relays the TPM-based attestation to another system. We show how the proposed mechanism can be deployed in virtualized environments to create inexpensive SSL endpoint certificates and instant revocation that scales Internet-wide. Copyright 2006 ACM.