You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
360 lines
22 KiB
360 lines
22 KiB
\chapter{Concept}
|
|
\label{cha:concept}
|
|
The theoretical tool that should be formed to one whole system implementation in this thesis.
|
|
\section{Definition of the Biometric Sensor}
|
|
\label{definitions}
|
|
What part fulfills the BS and what needs to be done.
|
|
Record Sensor data, Network Discovery, send sensor data via trusted channel to PIA
|
|
|
|
\subsection{What has the BS to do?}
|
|
\label{sec:bs-usecase}
|
|
\begin{enumerate}
|
|
\item Listen for a Trigger to start the Authentication Process
|
|
\item Collect Sensor Data (Picture, Fingerprint) and calculate a biometric representation
|
|
\item Start Network Discovery and find the PIA of this person
|
|
\item Create a trusted and secure channel and transmit the attributes for verification
|
|
\item Restore the state of the system as it was before this transaction
|
|
\end{enumerate}
|
|
|
|
\section{Attack Vectors and Threat Model}
|
|
\subsection{The Threat Model}
|
|
\label{ssec:threatmodel}
|
|
\begin{itemize}
|
|
\item Definition of sensitive data / privacy / metadata
|
|
\item This version of BS is not owned by the user, there is no personal data in the System
|
|
\item Rogue Personal Identity Agent (PIA)
|
|
\item Metadata Extraction
|
|
\item Attribute extraction
|
|
\item Sensor Data Modification/manipulation
|
|
\item Wiretap between Sensor and System (USB or network)
|
|
\item Physical Manipulation of the BS-System
|
|
\item Network - Retransmission of sensor data of a rogue BS
|
|
\item Network - Blocking Data transmission of a rogue BS
|
|
\item Rogue BS Sensor Data aggregation
|
|
\item Rogue BS Sensor data modification before transmission
|
|
\end{itemize}
|
|
\section{Trust and Security}
|
|
\label{sec:trust}
|
|
Trust is an essential term in this thesis.
|
|
In the world of IT security, the term \emph{trusted computing} defines a secured environment where special or confidential computing jobs are dispatched.
|
|
This environment or product usually meets the following requirements
|
|
\begin{itemize}
|
|
\item \emph{Minimalization.} The number of features and hence the complexity must be as low as possible.
|
|
\item \emph{Sound definitions.} Every function should be well defined. There should be no margin for interpretation left. Security Engineers should be involved in the development.
|
|
\item \emph{Complete testing.} Testing for trusted computing includes a threat analysis and exhaustive testing if possible.
|
|
\end{itemize}
|
|
Since software and hardware testing is never complete, it is hard to find a good balance between feature set and testing completeness.
|
|
|
|
However trust in IT is not equal to security.
|
|
It defines a subset of IT security where this small well defined environment is embedded in a larger system which is usually untrusted.
|
|
Claiming a system \emph{secure} spans the constraints of trust over the complete system, which is not affordable for commodity computers these days.
|
|
However it is possible to use the trusted environment to get some guarantees on the untrusted parts of a system as well
|
|
In Chapter 3 we will show how trust will be extended in a commodity PC.
|
|
%TODO reference to TPM section how to extend trust into untrusted parts of PC
|
|
|
|
%TODO describe verifiable trust in addition to the previous definition (with example of the ATM?)
|
|
|
|
|
|
Differentiation between trust and security --- and the problem that not everyone is using that right.
|
|
\section{Systems of Trust}
|
|
\label{sec:trustsystems}
|
|
All trust systems are built on the standards of Trusted Computing Group.
|
|
\subsection{Secure Boot, TXT, \ldots}
|
|
\label{ssec:secureboot-txt}
|
|
Trusted Boot is not the same as Secure Boot. Explain the difference
|
|
\subsection{TPM1.2}
|
|
\label{ssec:tpm12}
|
|
Initial Version of the crypto-coprocessor, successfully spread into many systems, but hardly any integration in Trust/security Software
|
|
|
|
%TODO this is an attempt to describe TPM from the beginning.
|
|
\subsection{TPM2.0}
|
|
\label{ssec:tpm20}
|
|
The \emph{Trusted Platform Module} (TPM) is a small cryptocoprocessor that introduces a variety of new features to the platform.
|
|
This module is part of a standard developed by the Trusted Computing Group (TCG), which current revision is 2.0\cite{tcg20}.
|
|
|
|
The hardware itself is strongly defined by the standard and comes in the following flavors:
|
|
%TODO find source of that claim (TPM variants)
|
|
\begin{itemize}
|
|
\item \emph{Dedicated device.} The TPM chip is mounted on a small board with a connector.
|
|
The user can plug it into a compatible compute platform. This gives most control to the end user since it is easy to disable trusted computing or switch to another TPM.
|
|
\item \emph{Mounted device.} The dedicated chip is directly mounted on the target mainboard. Therefore any hardware modification is impossible.
|
|
However most PC platforms provide BIOS features to control the TPM.
|
|
\item \emph{Firmware TPM (fTPM).} This variant was introduced with the TPM2.0 Revision.
|
|
Firmware means in this context an extension of the CPU instruction set which provides the features of a TPM.
|
|
Both Intel and AMD provide this extension for their platforms for several years now.
|
|
When activating this feature on BIOS level, all features of Trusted Computing are available to the user.
|
|
\item \emph{TPM Simulator.} For testing reasons, it is possible to install a TPM simulator. It provides basically every feature of a TPM but cannot be used outside the operating system. Features like Trusted Boot or in hardware persisted keys are not available.
|
|
\end{itemize}
|
|
Even the dedicated devices are small microcontrollers that run the TPM features in software which gives the manufacturer the possibility to update their TPMs in the field.
|
|
FTPMs will be updated with the Microcode updates of the CPU manufacturers.
|
|
|
|
The combination of well constrained hardware and features, an interface for updates and well defined software interfaces make TPMs trustworthy and reliable.
|
|
Since TCG published the new standard in 2014 only six CVE-Entries handled vulnerabilities with TPMs\footnote{\url{https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=\%22Trusted+Platform+Module\%22}}.
|
|
Only two of them had impact on the implementation of a dedicated chip:
|
|
\begin{itemize}
|
|
\item \emph{CVE-2017-15361}
|
|
\end{itemize}
|
|
\subsubsection{Using the TPM}
|
|
\label{sssec:tpm-usage}
|
|
On top of the cryptographic hardware, the TCG provides several software interfaces for application developers:
|
|
\begin{itemize}
|
|
\item \emph{System API (SAPI).} The SAPI is a basic API where the developer has to handle the resources within the application. However this API provides the full set of features.
|
|
\item \emph{Enhanced System API (ESAPI).} While still providing a complete feature set, the ESAPI makes some resources transparent to the application like session handling. Consequently, this API layer is built on top of the SAPI.
|
|
\item \emph{Feature API (FAPI).} This API layer is again built on top of the ESAPI. It provides a simple to use API but the feature set is also reduced to common use cases.
|
|
Although the Interface was formally published from the beginning, an implementation is available since end of 2019.
|
|
\end{itemize}
|
|
|
|
The reference implementation of these APIs is published at Github\cite{tpmsoftware20} and is still under development.
|
|
At the point of writing stable interfaces are available for C and C++, but other languages like Rust, Java, C\# and others will be served in the future.
|
|
The repository additionally provides the tpm2-tools toolset which provides the FAPI features to the command line.
|
|
Unfortunately, the command line parameters changed several times during the major releases of tpm2-tools\cite{pornkitprasan19-tpmtools}.
|
|
|
|
|
|
|
|
\subsubsection{The Hardware}
|
|
\label{sssec:tpm-hardware}
|
|
The TCG achieved with the previous mentioned software layers independence of the underlying hardware.
|
|
Hence, TCG provided different flavors of of the TPM
|
|
|
|
|
|
TCG defined with the TPM2.0 standard a highly constrained hardware with a small feature set.
|
|
It is a passive device with some volatile and non-volatile memory, which provides hardware acceleration for a small number of crypto algorithms.
|
|
The standard allows to add some extra functionality to the device.
|
|
However the TPMs used in this project provided just the minimal set of algorithms and also the minimal amount of memory.
|
|
|
|
|
|
Since TCG published its documents, several IT security teams investigated concept and implementations of TPMs.
|
|
|
|
|
|
|
|
\begin{itemize}
|
|
\item security problems with some implementations
|
|
\end{itemize}
|
|
\begin{itemize}
|
|
\item Hierarchies
|
|
\item Endorsement Key
|
|
\item Attestation Identity Key
|
|
\item Key management
|
|
\end{itemize}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=0.7\textwidth]{../resources/tpmcert}
|
|
\caption[TPM Certification]{The manufacturer certifies every TPM it produces}
|
|
\label{fig:tboot-overview}
|
|
\end{figure}
|
|
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=0.7\textwidth]{../resources/tpmattest}
|
|
\caption[DAA Attestation procedure]{The DAA attestation process requires 5 steps. The PIA may trust the Biometric Sensor afterwards.}
|
|
\label{fig:daa-attestation}
|
|
\end{figure}
|
|
|
|
\section{Integrity Measurements}
|
|
Extend the Chain of Trust beyond the boot process.
|
|
The Kernel can measure many different types of Resources.
|
|
What is a useful set of measurements
|
|
|
|
\section{Verify Trust (DA and DAA)}
|
|
|
|
\subsection{Definitions}
|
|
For the definition of the algorithm, some notations and definitions are summarized in the following.
|
|
Greek letters denote a secret that is not known to the verifier whereas all other variable can be used to verify the desired properties.
|
|
The symbol $||$ is a concatenation of binary strings or binary representations of integers.
|
|
|
|
Given an integer $q$, $\mathbb{Z}_q$ denotes the ring of integers modulo $q$ and $\mathbb{Z}_q^*$ denotes the multiplicative group modulo $q$\cite{camenisch97}.
|
|
|
|
\subsection{Discrete Logarithm Problem}
|
|
Given a cyclic group $G = \langle g\rangle$ of order $n$, the discrete logarithm of $y\in G$ to the base $g$ is the smallest positive integer $x$ satisfying
|
|
\begin{math}
|
|
g^\alpha = y
|
|
\end{math}
|
|
if this $x$ exists.
|
|
For sufficiently large $n$ and properly chosen $G$ and $g$, it is infeasible to compute the reverse
|
|
\begin{math}
|
|
\alpha = \log_g{y}
|
|
\end{math}.
|
|
This problem is known as \emph{Discrete Logarithm Problem} and is the basis for the following cryptographic algorithms.
|
|
|
|
\subsection{Signatures of Knowledge}
|
|
Camenisch and Stadler\cite{camenisch97} describe an efficient scheme for proving knowledge of a secret without providing it.
|
|
They assume a collision resistant hash function $\mathcal{H}:\{0,1\}^*\rightarrow\{0,1\}^k$ for signature creation.
|
|
Furthermore, the algorithm is based on the Schnorr signature scheme\cite{schnorr91}.
|
|
For instance,
|
|
\begin{equation*}
|
|
SPK\{(\alpha):y=g^\alpha\}(m)
|
|
\end{equation*}
|
|
denotes a proof of knowledge of the secret $\alpha$, which is embedded in the signature of message $m$.
|
|
The one-way protocol consists of three procedures:
|
|
\begin{enumerate}
|
|
\item \emph{Setup.} Let $m$ be a message to be signed, $\alpha$ be a secret and $y:=g^\alpha$ be the corresponding public representation.
|
|
\item \emph{Sign.} Choose a random number $r$ and create the signature tuple $(c,s)$ as
|
|
\begin{equation*}
|
|
c:=\mathcal{H}(m\,||\,y\,||\,g\,||\,g^r) \quad\text{and}\quad s:=r-c\alpha \quad\text{(mod n) .}
|
|
\end{equation*}
|
|
|
|
\item \emph{Verify.} The verifier knows the values of $y$ and $g$, as they are usually public. The message $m$ comes with the signature values $c$ and $s$. She computes the value
|
|
\begin{equation*}
|
|
c':=\mathcal{H}(m\,||\,y\,||\,g\,||\,g^sy^c)\quad\text{and verifies, that}\quad c' = c\, .
|
|
\end{equation*}
|
|
The verification holds since
|
|
\begin{equation*}
|
|
g^sy^c = g^rg^{-c\alpha}g^{c\alpha} = g^r\, .
|
|
\end{equation*}
|
|
\end{enumerate}
|
|
Camenisch and Stadler\cite{camenisch97} state, that this scheme is extensible to proof knowledge of arbitrary number of secrets.
|
|
Furthermore, complex relations between secret and public values can be represented with that scheme.
|
|
|
|
\subsection{Bilinear Maps}
|
|
The Camenisch-Lysyanskaya (CL) Signature Scheme\cite{camenisch04} is used for the DAA-Protocol.
|
|
Furthermore, the CL-Scheme itself is based on Bilinear Maps.
|
|
|
|
Consider three groups $\mathbb{G}_1$, $\mathbb{G}_2$, with their corresponding base points $g_1$, $g_2$, and $\mathbb{G}_T$.
|
|
Let $e:\mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ that satisfies three properties\cite{camenisch04,camenisch16}:
|
|
\begin{itemize}
|
|
\item \emph{Bilinearity.} For all $P\in\mathbb{G}_1, Q\in\mathbb{G}_2$, for all $a,b \in\mathbb{Z}: e(P^a,Q^b) = e(P,Q)^{ab}$.
|
|
\item \emph{Non-degeneracy.} For all generators $g1\in\mathbb{G}_1, g2\in\mathbb{G}_2: e(g_1,g_2)$ generates $\mathbb{G}_T$.
|
|
\item \emph{Efficiency.} There exists an efficient algorithm that outputs the bilinear group\\
|
|
$(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ and an efficient algorithm for computing $e$.
|
|
\end{itemize}
|
|
|
|
\subsection{Camenisch-Lysyanskaya Signature Scheme}
|
|
The Camenisch-Lysyanskaya (CL) Signature Scheme…\cite{camenisch04} allows efficient proofs for signature posession and is the basis for the DAA scheme discussed in section XY. %TODO reference to DAA section
|
|
It is based on a bilinear group $(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ that is available to all steps in the protocol.
|
|
\begin{itemize}
|
|
\item \emph{Setup.} Choose $x\leftarrow\mathbb{Z}_q$ and $y\leftarrow\mathbb{Z}_q$ at random. Set the secret key $sk \leftarrow (x,y)$ and the public key $pk \leftarrow (g_2^x, g_2^y)=(X,Y)$
|
|
\item \emph{Sign.} Given a message $m$, and the secret key $sk$, choose $a$ at random and output the signature $\sigma\leftarrow(a, a^y, a^{x+xym}) = (a,b,c)$
|
|
\item \emph{Verify.} Given message $m$, signature $\sigma$ and public key $pk$, verify, that $a \neq 1_{\mathbb{G}_1}$, $e(a,Y) = e(b,g_2)$ and $e(a,X)\cdot e(b,X)^m = e(c,g_2)$
|
|
\end{itemize}
|
|
Camenisch et al.\@ stated in section 4.2 of their paper\cite{camenisch16} that one has to verify the equation against $e(g_1,b)$ and $e(g_1,c)$ which is proven wrong here.
|
|
|
|
\subsection{DAA History}
|
|
Direct Anonymous Attestation (DAA) is a cryptographic protocol, which aims to provide evidence that a device is a honest member of a group without providing any identification information.
|
|
Brickell, Camenisch and Chen\cite{BriCamChe04} introduce DAA and implement the protocol for the TPM 1.2 standard.
|
|
However it supports only RSA and has limitations in verifying attestation signatures.
|
|
Hence, DAA is not used with the TPM 1.2 standard.
|
|
|
|
Since the DAA protocol is quite complex, it is difficult to provide a sound security model for DAA and formally proof the security properties of it.
|
|
Chen, Morissey and Smart\cite{chen09} add linkability to the protocol.
|
|
Their approach for a formal proof is not correct, since a trivial key can be used for pass verification\cite{camenisch16}
|
|
|
|
|
|
%TODO Chronic of DAA until Camenisch16, Discussion about broken Proofs in previous papers.
|
|
|
|
Camenisch, Drijvers and Lehmann\cite{camenisch16} developed a DAA scheme for the new TPM 2.0 standard.
|
|
It supports linkability and the proofs for security and correctness still hold.
|
|
Furthermore, RSA and ECC cryptography is supported which makes it practicable for a wider variety of use cases.
|
|
However, Camenisch et.\,al.\cite{camenisch17} proposed a fix in the TPM 2.0 API to guarantee all requirements necessary for DAA.
|
|
Xaptum implemented this DAA-variant including the fixes in the TPM API.
|
|
The implementation will be discussed in Chapter 4.%TODO Reference to Xaptum discussion
|
|
|
|
Analyzing the security and integrity of this scheme would exceed the scope of this thesis.
|
|
Hence this thesis describes the DAA protocol and assumes the correctness and integrity.
|
|
|
|
\subsection{DAA Protocol}
|
|
\label{ssec:daa-protocol}
|
|
DAA is a group signature protocol, which aims to reveal no additional information about the signing host.
|
|
According to Camenisch et al.\cite{camenisch16} the DAA protocol consists of three parties.
|
|
\begin{itemize}
|
|
\item \emph{Issuer} \issuer. The issuer maintains a group and has evidence of hosts that are members in this group.
|
|
\item \emph{Host} \host. The Host creates a platform with the corresponding TPM \tpm\. Membership of groups are maintained by the TPM.
|
|
\item \emph{Verifier} \verifier. A verifier can check whether a Host with its TPM is in a group or not. Besides the group membership, no additional information is provided.
|
|
\end{itemize}
|
|
A certificate authority $\mathcal{F}_{ca}$ is providing a certificate for the issuer itself.
|
|
\texttt{bsn} and \texttt{nym} %TODO
|
|
Session ids $sid$ is already available with communication session on the network or on the link between host and TPM. %TODO check that
|
|
$\mathcal{L}$ is the list of registered group members which is maintained by \issuer. %TODO
|
|
%TODO describe \tau
|
|
\begin{itemize}
|
|
\item \emph{Setup.} During Setup \issuer is generating the issuer secret key $isk$ and the corresponding issuer public key $ipk$. The public key is published and assumed to be known to everyone.
|
|
\begin{enumerate}
|
|
\item On input \textsf{SETUP} \issuer
|
|
\begin{itemize}
|
|
\item generates $x,y \leftarrow \mathbb{Z}_q$ and sets $isk=(x.y)$ and $ipk\leftarrow(g_2^x,g_2^y) = (X,Y)$. Initialize $\mathcal{L} \leftarrow \emptyset$,
|
|
\item generates a prove $\pi \sassign SPK\{(x,y):X=g_2^x\wedge Y=g_2^y\}$ that the key pair is well formed,
|
|
\item registers the public key $(X,y,\pi)$ at $\mathcal{F}_{ca}$ and stores the secret key,
|
|
\item outputs \textsf{SETUPDONE}
|
|
\end{itemize}
|
|
\end{enumerate}
|
|
\item \emph{Join.} When a platform, consisting of host \host[j] and TPM \tpm[i], wants to become a member of the issuer's group, it joins the group by authenticating to the issuer \issuer.
|
|
\begin{enumerate}
|
|
\item On input \textsf{JOIN}, host \host[j] sends the message \textsf{JOIN} to \issuer.
|
|
\item \issuer\ upon receiving \textsf{JOIN} from \host[j], chooses a fresh nonce $n\leftarrow\{0,1\}^\tau$ and sends it back to \host[j].
|
|
\item \host[j] upon receiving $n$ from \issuer, forwards $n$ to \tpm[i]
|
|
\item \tpm[i] generates the secret key:
|
|
\begin{itemize}
|
|
\item Check, that no completed key record exists. Otherwise, it is already a member of that group.
|
|
\item Choose $gsk\sassign\mathbb{Z}_q$ and store the key as $(gsk, \bot)$.
|
|
\item Set $Q \leftarrow g_1^{gsk}$ and compute $\pi_1 \sassign SPK\{(gsk):Q=g_1^{gsk}\}(n)$.
|
|
\item Return $(Q,\pi_1)$ to \host[j].
|
|
\end{itemize}
|
|
\item \host[j] forwards \textsf{JOINPROCEED}$(Q, \pi_1)$ to \issuer.
|
|
\item \issuer\ upon input \textsf{JOINPROCEED}$(Q, \pi_1)$ creates the CL-credential:
|
|
\begin{itemize}
|
|
\item Verify that $\pi_1$ is correct.
|
|
\item Add \tpm[i] to $\mathcal{L}$. %TODO what is the representative of the TPM?
|
|
\item Choose $r\sassign\mathbb{Z}_q$ and compute $a\leftarrow g_1^r$, $b\leftarrow a^y$, $c\leftarrow a^x\cdot Q^{rxy}$, $d\leftarrow Q^{ry}$.
|
|
\item Create the prove $\pi_2\sassign SPK\{(t):b=g_1^t\wedge d=Q^t\}$.
|
|
\item Send \textsf{APPEND}$(a,b,c,d,\pi_2)$ to \host[j]
|
|
\end{itemize}
|
|
\item \host[j] upon receiving \textsf{APPEND}$(a,b,c,d,\pi_2)$
|
|
\begin{itemize}
|
|
\item verifies, that $a\neq 1$, $e(a,Y)=e(b,g_2)$ and $e(c,g_2) = e(a\cdot d, X)$.
|
|
\item forwards $(b,d,\pi_2)$ to \tpm[i].
|
|
\end{itemize}
|
|
\item \tpm[i] receives $(b,d,\pi_2)$ and verifies $\pi_2$. The join is completed after the record is extended to $(gsk, (b,d))$. \tpm[i] returns \textsf{JOINED} to \host[j].
|
|
\item \host[j] stores $(a,b,c,d)$ and outputs \textsf{JOINED}.
|
|
\end{enumerate}
|
|
\item \emph{Sign.}
|
|
After joining the group, a host \host[j] and TPM \tpm[i] can sign a message $m$ with respect to basename \texttt{bsn}.
|
|
\begin{enumerate}
|
|
\item \host[j] upon input \textsf{SIGN}$(m,\bsn)$ re-randomizes the CL-credential:
|
|
\begin{itemize}
|
|
\item Retrieve the join record $(a,b,c,d)$ and choose $r\sassign\mathbb{Z}_q$. Set $(a',b',c',d') \leftarrow (a^r,b^r,c^r,d^r)$.
|
|
\item Send $(m, \bsn, r)$ to \tpm[i] and store $(a',b',c',d')$.
|
|
\end{itemize}
|
|
\item \tpm[i] upon receiving $(m, \bsn, r)$
|
|
\begin{itemize}
|
|
\item checks, that a complete join record $(gsk, (b,d))$ exists, and
|
|
\item stores $(m, \bsn, r)$.
|
|
\end{itemize}
|
|
\item \tpm[i] completes the signature after it gets permission to do so. %TODO Why?
|
|
\begin{itemize}
|
|
\item Retrieve group record $(gsk, (b,d))$ and message record $(m, \bsn, r)$.
|
|
\item Compute $b'\leftarrow b^r, d'\leftarrow d^r$.
|
|
\item If $\bsn = \bot$ set $\nym \leftarrow\bot$ and compute $\pi \sassign SPK\{(gsk):d'=b'^{gsk}\}(m, \bsn)$
|
|
\item If $\bsn \neq \bot$ set $\nym\leftarrow H_1(\bsn)^{gsk}$ and compute $\pi \sassign SPK\{(gsk):\nym=H_1(\bsn)^{gsk}\wedge d'=b'^{gsk}\}(m, \bsn)$.
|
|
\item Send $(\pi,\nym)$ to \host[j].
|
|
\end{itemize}
|
|
\item \host[j] assembles the signature $\sigma \leftarrow (a', b', c', d', \pi, \nym)$ and outputs \textsf{SIGNATURE}$(\sigma)$
|
|
\end{enumerate}
|
|
\item \emph{Verify.}
|
|
Given a signed message, everyone can check whether the signature with respect to \bsn\ is valid and the signer is member of this group.
|
|
Furthermore a revocation list \RL\ holds the private keys of corrupted TPMs, whose signatures are no longer accepted.
|
|
\begin{enumerate}
|
|
\item \verifier\ upon input \textsf{VERIFY}$(m, \bsn, \sigma)$
|
|
\begin{itemize}
|
|
\item parses $\sigma\leftarrow(a,b,c,d,\pi,\nym)$,
|
|
\item verifies $\pi$ with respect to $(m,\bsn)$ and \nym if $\bsn\neq\bot$.
|
|
\item checks, that $a\neq 1$, $b\neq 1$ $e(a,Y)=e(b, g_2)$ and $e(c,g_2)=e(a\cdot d,X)$,
|
|
\item checks, that for every $gsk_i \in \RL: b^{gsk_i} \neq d$,
|
|
\item sets $f\leftarrow 1$ if all test pass, otherwise $f\leftarrow 0$, and
|
|
\item outputs \textsf{VERIFIED}$(f)$.
|
|
\end{itemize}
|
|
\end{enumerate}
|
|
\item \emph{Link.}
|
|
After proving validity of the signature, the verifier can test, whether two different messages with the same basename $\bsn \neq\bot$ are generated from the same TPM.
|
|
\begin{enumerate}
|
|
\item \verifier\ on input \textsf{LINK}$(\sigma, m, \sigma', m', bsn)$ verifies the signatures and compares the pseudonyms contained in $\sigma, \sigma'$:
|
|
\begin{itemize}
|
|
\item Check, that $\bsn\neq\bot$ and that both signatures $\sigma, \sigma'$ are valid.
|
|
\item Parse the signatures $\sigma\leftarrow(a,b,c,d,\pi,\nym)$, $\sigma'\leftarrow(a',b',c',d',\pi',\nym')$
|
|
\item If $\nym = \nym'$, set $f\leftarrow 1$, otherwise $f\leftarrow 0$.
|
|
\item Output \textsf{LINK}$(f)$
|
|
\end{itemize}
|
|
\end{enumerate}
|
|
\end{itemize}
|
|
|
|
%TODO: Discussion: sid removed, RL only works with private keys, etc.
|