Log in / Register
Home arrow Computer Science arrow Building the Infrastructure for Cloud Security
< Prev   CONTENTS   Next >

Host Registration and Attestation Identity Key Certificate Provisioning

Figure 4-6 depicts the sequence diagram showing the steps for host registration and the management of attestation identity key certificates. As mentioned earlier, these steps are applicable only for hosts running on Xen or KVM.

Figure 4-6. Flow of authority identity key certificate provisioning

• The host registration process begins with an API request to the attestation server. This request may come from a system administrator using a management portal, or from an automated system in charge of managing hosts in the data center.

• The attestation server sends an attestation identity key provisioning request to the trust agent on the host using a TLS connection secured by the trust agent TLS certificate.

• The trust agent uses the TPM to create a new AIK private and public key pair. It sends the AIK public key and the endorsement credential to the privacy CA, encrypted using the privacy CA's public key to ensure privacy.

• The privacy CA decrypts the AIK public key and endorsement credential using its private key. It then generates a random challenge and encrypts it using the public key certified by the endorsement credential. It sends this challenge to the host.

• The host decrypts the challenge using the endorsement key, a private key corresponding to the endorsement credential. It re-encrypts the challenge using the privacy CA's public key for privacy and sends the re-encrypted challenge to the privacy CA.

• The privacy CA decrypts the challenge to verify it is correct, then certifies the host's AIK public key. The privacy CA sends the AIK certificate to the host, encrypted using the public key in the host's endorsement credential.

• The host decrypts the AIK certificate using its endorsement key.

• The host sends the AIK certificate to the attestation server over the trust agent TLS connection.

• The attestation server registers the host and stores the AIK certificate in the database.

• The attestation server responds to the system administrator or automated system, indicating the success or failure of the registration process.

Requesting Platform Trust

This is the invocation of the trust APIs by an entity requesting trust information. The API request is authenticated and the input parameters are validated and then handed to the appraiser component of the attestation server. The appraiser follows the remote attestation protocol to challenge the platform for the integrity measurements. Once the verification is done, Mt. Wilson summarizes all these steps by generating a SAML assertion of the platform compliance with its trust policy. Details of the SAML assertion and the security and integrity of the exchange are covered later in this chapter.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science