Tree-formed Verification Data for Trusted Platforms
Abstract
The establishment of trust relationships to a computing platform relies on validation processes. Validation allows an external entity to build trust in the expected behaviour of the platform based on provided evidence of the platform's configuration. In a process like remote attestation, the 'trusted' platform submits verification data created during a start up process. These data consist of hardware-protected values of platform configuration registers, containing nested measurement values, e.g., hash values, of loaded or started components. Commonly, the register values are created in linear order by a hardware-secured operation. Fine-grained diagnosis of components, based on the linear order of verification data and associated measurement logs, is not optimal. We propose a method to use tree-formed verification data to validate a platform. Component measurement values represent leaves, and protected registers represent roots of a hash tree. We describe the basic mechanism of validating a platform using tree-formed measurement logs and root registers and show an logarithmic speed-up for the search of faults. Secure creation of a tree is possible using a limited number of hardware-protected registers and a single protected operation. In this way, the security of tree-formed verification data is maintained.
- Publication:
-
arXiv e-prints
- Pub Date:
- July 2010
- DOI:
- 10.48550/arXiv.1007.0642
- arXiv:
- arXiv:1007.0642
- Bibcode:
- 2010arXiv1007.0642S
- Keywords:
-
- Computer Science - Cryptography and Security
- E-Print:
- 15 pages, 11 figures, v3: Reference added, v4: Revised, accepted for publication in Computers and Security