A Clientless Endpoint Authentication Scheme Based on TNC

Authors: Kun Wu, Zhongying Bai

Journal: International Journal of Information Technology and Computer Science (IJITCS)

Article in issue: 2, Vol. 2, 2010.

Free access

Trusted Network Connect (TNC) proposes a hierarchical and scalable architecture to securely and efficiently control endpoints' admission to the trusted computing platform, so that message passing and resource sharing can be implemented. But not all endpoints support or run a functional TNC client that performs integrity checking, which represents a security risk in many environments. We therefore have to consider how to let these "clientless endpoints" access trusted networks; solving this is significant for improving the TNC mechanism. To solve the problem above, under the framework of TNC, this paper proposes a clientless endpoint authentication scheme named CEAS. CEAS designs five enforcement mechanisms and the related message format to authenticate and authorize clientless endpoints. Furthermore, after the endpoints have connected to the networks, their initial access determinations may be dynamically modified according to updated circumstances. The experiment results prove that CEAS can effectively and flexibly let clientless endpoints access trusted networks in a controlled and secure manner.


Keywords: Trusted network connect, network access control, clientless endpoint authentication

Short address: https://sciup.org/15011584

IDR: 15011584

Text of the scientific article: A Clientless Endpoint Authentication Scheme Based on TNC

Published Online December 2010 in MECS

With the rapid development of trusted computing, we have to consider how to make the whole network a trusted computing environment. Traditional security safeguards focus on server and network protection but ignore the security of the terminal devices themselves, and most attacks arise from unsafe terminal devices. So only by building up the security architecture from the source, the terminal devices, and combining internal and external factors can a trusted and safe network environment be constructed [1]. This architecture rejects the network connection of an insecure endpoint, which prevents attackers from executing destructive activities.

The TNC Work Group defines an open solution architecture that enables network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure [2]. The TNC architecture clearly describes how to assess endpoint integrity and enforce compliance when a TNC Client (TNCC) is present on the endpoint.

However, today's networks contain many "clientless endpoints", legacy devices which do not have a functional TNC client and therefore do not support integrity checking. So clientless endpoints represent a security risk in many environments because of the lack of identity and integrity information that a client would provide.

Aiming at this problem, this paper analyzes the current technology used for network admission control. According to the different identity credentials that can be extracted from clientless endpoints, this paper gives five methods by which the TNC entities perform policy assessment to decide whether or not a clientless endpoint may access a network. What's more, after the endpoint has connected to the protected network, this paper considers how to alter that determination based on updates to the endpoint metadata.

The key point is how to synthesize these enforcement mechanisms into a clientless endpoint authentication scheme (CEAS), which includes designing and implementing the workflow of CEAS.

The experiment results show that CEAS can effectively and flexibly let clientless endpoints access networks in a controlled and secure manner.

The remainder of this paper is structured as follows: Section 2 introduces the relevant research. Section 3 presents the design of the enforcement mechanisms and the message format of CEAS. Section 4 describes the deployment and workflow of CEAS. The experiment results are given in Section 5. Conclusions and References are given in Sections 6 and 7.

II. RELEVANT RESEARCH

With respect to TNC, there is much relevant research that has effectively advanced the technology. This paper is inspired.

References: A Clientless Endpoint Authentication Scheme Based on TNC

  • ZHANG HuanGuo, CHEN Lu, and ZHANG Liqiang, "Research on Trusted Network Connection," Chinese Journal of Computers, vol. 33, pp. 706–717, April 2010 (in Chinese).
  • TCG Trusted Network Connect, "TNC Architecture for Interoperability Specification Version 1.4 Revision 4," http://www.trustedcomputinggroup.org/files/resource_files/51F9691E-1D09-3519-AD1C1E27D285F03B/TNC_Architecture_v1_4_r4.pdf, May 2009.
  • LIU Weiwei, HAN Zhen, and SHEN Changxiang, "Trusted network connect control based on terminal behavior," Journal on Communications, vol. 30, pp. 127–134, November 2009 (in Chinese).
  • YIN Jianchun, SI Zhigang, and CHANG Chaowen, "Research on trustworthiness computing-based network access authentication model," Computer Engineering and Design, vol. 29, pp. 4417–4419, September 2008 (in Chinese).
  • LIU Wei, YANG Lin, DAI Hao, and HOU Bin, "A New Network Access Control Method and Performance Analysis of Authentication Session," Chinese Journal of Computers, vol. 30, pp. 1806–1812, October 2007 (in Chinese).
  • XIAO Zheng, LI Jingxia, LIU Xiaojie, CHEN Jun, and HOU Zifeng, "Design and Research of a Trusted Network Attestation Model and Improved OSAP Protocol," Computer Science, vol. 33, pp. 56–60, 2006 (in Chinese).
  • Richard Froom, Balaji Sivasubramanian, and Erum Frahim, Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide), 4th ed., USA: Cisco Press, 2007.
  • IEEE Computer Society, "Port-Based Network Access Control," IEEE Std 802.1X-2004, December 2004.
  • Telecommunications Industry Association, "Link Layer Discovery Protocol for Media Endpoint Devices," ANSI/TIA-1057-2006, April 2006.
  • TCG Trusted Network Connect, "TNC IF-T: Binding to TLS Specification Version 1.0 Revision 16," http://www.trustedcomputinggroup.org/files/resource_files/51F0757E-1D09-3519-AD63B6FD099658A6/TNC_IFT_TLS_v1_0_r16.pdf, May 2009.
  • TCG Trusted Network Connect, "TNC IF-MAP Metadata for Network Security Specification Version 1.0 Revision 25," http://www.trustedcomputinggroup.org/files/static_page_files/FCED7251-1A4B-B294-D000EDCD8C39D226/TNC_IFMAP_Metadata_For_Network_Security_v1_0r25.pdf, September 2010.
  • TCG Trusted Network Connect, "TNC IF-MAP Binding for SOAP Specification Version 2.0 Revision 36," http://www.trustedcomputinggroup.org/files/static_page_files/1528BAC2-1A4B-B294-D02E5F053A3CF6C9/TNC_IFMAP_v2_0r36.pdf, July 2010.
Scientific article