Browse Prior Art Database

Platform Configuration Register Value Translation Gateway

IP.com Disclosure Number: IPCOM000185089D
Publication Date: 2009-Jul-10
Document File: 7 page(s) / 814K

Publishing Venue

The IP.com Prior Art Database

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 18% of the total text.

Page 1 of 7

Platform Configuration Register Value Translation Gateway

Idea: Chen You Lei, Joerg Abendroth

In the field of computer technology standardization, the Trusted Computing Group (TCG) has

published specifications that define the basic measurement infrastructure, including an attestation

mechanism, which measures or decides the level of trust or security status of a remote client. In fact,

the attestation mechanism is based on the hash value of components running on the remote client,

while not only the hash value of components but the sequences of running components affect the

result of attestation as well.

The idea that will be described in the following focuses on the mechanism of how to manage and use

the combination of hash values to effectively attest the remote client device. The field of technology

includes Infrastructure Support for Trusted Computing, Service of Security Scan of End Devices,

Trusted Network Connect and Device/Network Element Management.

Currently, Attestation, which is a basic feature of Trusted Computing, is using PCR values (PCR:

Platform Configuration Register) to verify trust of platforms. However, there are general scalability

and performance problems. For example, a computing system of n components (each extended into

the PCR value with their own Hash) would at worst result in a database of the size nr (n to the power

of r) elements as the change of the sequence of the running components alters the final PCR value in

terms of PCR extend mechanism, but would not constitute an inacceptable device configuration.

Assuming that in most cases the start sequence is not important, yet even changes non-deterministic

(e.g. the user starts a graphic program or a sound player first), will increase the number of valid PCR

values. This may lead to the case that the attestation system has to maintain a huge database

containing all different valid values to satisfy the requirement of different cases of platforms.

To estimate the magnitude of the problem one has to consider the computation power required for

quickly verifying a PCR value of a standard OS (Operating System). For example, an open source

operating system exists that contains about 2.5 Million lines of code. This translates into several

thousand components. Including earlier patch levels of some component will increase the size of the

database of valid values infinitely. Moreover, verifying an PCR value using attestation is comparable

to the task similar to a brute force breaking of an encryption key of 4096 kbit.

In other words, once the components change, the values that have to be stored in a database will

change accordingly, and the PCR value has to be recalculated when attestation occurs. Hence, the

problem is the following: how to design a method or system to balance the computing load of

attestation or improve the performance of at...