摘要
为保证终端接入网络时的可信计算平台配置满足特定的安全要求,可信计算组织提出了可信网络接入框架,在该框架中终端向网络决策判定方请求接入网络时采用二进制证明方案进行平台证明,存在完整性管理复杂、暴露用户平台配置隐私等问题.针对上述问题,本文提出了一种基于属性的可信网络接入方案,采用基于属性的远程证明方法,将可信网络接入中的平台证明交给一个可信的安全属性证书颁发方,此属性证书颁发方根据终端平台的完整性颁发安全属性证书,负责网络接入判定的网络接入决策者根据属性证书进行网络接入判定,有效地解决了传统可信网络接入中网络接入决策者完整性管理复杂以及终端平台配置暴露等问题,并能够根据安全属性将平台接入到不同的隔离域,实现了网络中平台多域的隔离.本文在802.1X框架下实现了上述方案,实验结果显示该方案能够根据平台的安全属性实现终端平台VLAN的隔离.
Trusted Computing Organization (TCG) proposes the Trusted Network Connection (TNC) to ensure that a computing platform connecting to the internet satisfies the security requirements defined by the network administrator. However, TNC uses the traditional TCG-based binary attestation, which has the deficiencies of integrity management and exposing the configuration of a computing platform, to verify the integrity of the connecting plat- form. We propose a TNC schema based on property-based attestation, transferring the attestation to a trusted third party which issues security property certificates to remote platforms. That the network access server uses the property certificates issued by the TTP to enforce the connection decision in our schema resolves the problems of integrity managements and configuration exposure. Besides these benefits, our schema allows the network administrator segment the network into more than two separation VLAN domains, which is now used in TNC now. We implement the sche- ma on the 802.1X framework, and the result shows that our schema can separate the platforms into different VLAN domains by their security property certificates.
出处
《武汉大学学报(理学版)》
CAS
CSCD
北大核心
2012年第6期519-525,共7页
Journal of Wuhan University:Natural Science Edition
基金
国家自然科学基金(91118006)资助项目
