Resultados en relación con las actitudes hacia el multilingüismo

In contrast to the PBAP, the IAP can be used to individually verify whether the plat- form configuration of a SN is trusted. A CN needs only to perform symmetric operations and two short messages need to be exchanged. The messages are very small, because no long public key primitives, e.g., keys, signatures need to be transmitted. Since trans- mitting messages is the most cost intensive factor in WSNs [190], this is of particular

interest, especially if the sink wants to verify the platform configuration of a SN. In this case, messages are transferred along several hops.

The protocol we propose is again divided in initialization phase and attestation phase. The initialization phase is performed only once after deployment of the sensor nodes while the attestation phase can be performed every time a CN (or the sink) wants to verify the platform configuration of a SN. In the embedded world, this initialization phase could for example performed directly before a vehicle leaves the factory site. Initialization Each CN_j establishes a shared, symmetric key K_CNj,SNi with its SN_i. For this purpose, existing (non TPM-based) techniques, e.g., [191], might be used. However, we recommend using a key establishment protocol that uses the functionality of a TPM, e.g., [66]. This approach has the advantage that key generation within a TPM is inherently more secure than key generation on off-the-shelf embedded platforms. As in [191], we assume that this short period of time to establish pairwise keys is secure and nodes cannot be compromised. The keys KCNj,SNi are sealed on SNi to its valid

platform configuration PSNi. Thus, SNi can only access these keys if it is in its valid

state.

To enable the sink to perform the attestation with SNi, a shared symmetric key

K_Sink,SNi is preconfigured on SN_i before deployment and sealed likewise.

Attestation Protocol 6.4.4 shows how CN_j can verify the platform configuration of SN_i. First, CN_j sends a challenge to SN_i. The challenge consists of an encrypted block containing a nonce and the identifier IDCNj of CNj, and an additionally IDCNj

in plaintext. KCNj,SNiis used for encryption. After receiving the challenge, SNiunseals

K_CNj,SNi related to ID_CNj. This is only possible if the platform configuration P_SNi is valid. Using this key, SNi decrypts the encrypted block and verifies if the decrypted

identifier is equal to the identifier received in plaintext. If they match, SNi knows

that this message originates from CNj, encrypts the nonce0 using KCNj,SNi, and sends

it back.1 _{Otherwise, SN}

i aborts. SNi then deletes KCNj,SNi from the RAM. CNj

decrypts the received response message and checks if the decrypted nonce00 _matches

the nonce it has sent in the first step. If they match, SNi is declared trusted and

CN_j can send data to SN_i. This data is encrypted using K_CNj,SNi. The attestation of SNi by the sink is performed likewise, using the key KSink,SNi. Protocol 6.4.4 uses

a challenge-response authentication involving the TPM to verify freshness of integrity information and thus satisfies Requirement 1. In addition, the ID of the CN is also injected to prevent replay attacks. Requirement 3 is also satisfied by binding further transaction data sent over the channel to a specific cryptographic key shared between the SNi and CNj. In contrast to the PBAP, this approach ensures authenticity of the

attestation channel and, thus, establishes a secure attestation channel.

1_{However, the trust level of CN}

j cannot be assumed, because the node could be potentially com-

6.4. ATTESTATION PROTOCOLS 99

Protocol 6.4.4: Individual Attestation Protocol SUMMARY: A CN verifies the integrity of a SN RESULT: Integrity validation

1. Notation.

SN_i is a super node CN is a cluster node

P_SNi denotes the actual platform configuration

K_CNj,SNi denotes the shared key between CN_j and SN_i

2. Protocol steps.

CN_j → SN_i: ID_CNj,{nonce, ID_CNj}_KCNj,SNi (1) SN_i Unseal(P_SNi, d_SNi,{K_CNj,SNi}e_PSNi

SNi) = KCNj,SNi (2)

SN_i D({nonce, ID_CNj}_KCNj,SNi, K_CNj,SNi) = (nonce0, ID0_CNj) (3) SN_i check ID0_CN

j ?

= IDCNj (4)

SN_i E({nonce0, ID_SNi}, K_CNj,SNi) = {nonce0, ID_SNi}_KCNj,SNi (5) SN_i → CN_j : ID_SNi,{nonce0, ID_SNi}_KCNj,SNi (6) SN_i delete K_CNj,SNi from RAM (7) CN_j D({nonce0, ID_SNi}_KCNj,SNi, K_CNj,SNi) = (nonce00, ID0_SNi) (8) CN_j if nonce00 ?= nonce, state of SN_i is valid (9) 3. Protocol actions.

(a) In the first step, CNj transfers an encrypted nonce together with its ID

using the shared key to SNi.

(b) SNi performs the TPM Unseal command and unseals the shared key.

(c) SNi decrypts the sent message an verifies in (4) whether the ID of the

decrypted message matches the ID sent in plaintext.

(d) SNiencrypts the decrypted nonce and the ID of CNj with the unsealed key.

The obtained message is transferred to CNj in (6).

(e) SNi deletes the unsealed key from its RAM.

(f) CNj decrypts the received message and verifies (9) if the received nonce

matches the nonce sent in (1).

It might also be preferable to directly transmit data in an attestation challenge rather than waiting until an attestation response has been received and a SN is declared

trusted. This might be preferable in scenarios where an immediate receipt of data is important or where CNs send data very infrequently to a SN. Therefore, the protocol is modified in steps (1) and (3). Protocol 6.4.5 shows the resulting protocol and also satisfies Requirement 1 and Requirement 3 of a secure attestation channel (see Chapter 3. In step (1) CNj sends the data to SNi within the encrypted block. SNi can only

decrypt this message in step (3) if its platform configuration is valid and access the data. All other steps remain the same as shown in Protocol 6.4.4. Thus, if CNj receives the

message in step (6) and the checks in steps (7) and (8) succeed, CNj can be assured

that SNi has successfully received the data and is still trusted.

Protocol 6.4.5: Modified Individual Attestation Protocol

SUMMARY: A CN delivers data that is bound to a specific state to a SN RESULT: Data transfer with data confirmation and integrity reporting 1. Notation.

SN_i is a super node CN is a cluster node

P_SNi denotes the actual platform configuration

K_CNj,SNi denotes the shared key between CN_j and SN_i

2. Protocol steps.

CN_j → SN_i : ID_CNj,{nonce, ID_CNj, data}_KCNj,SNi (1) SN_i Unseal(P_SNi, d_SNi,{K_CNj,SNi}e_PSNi

SNi) = KCNj,SNi (2)

SN_i D({nonce, ID_CNj, data}_KCNj,SNi, K_CNj,SNi) = (nonce0_{, ID}0 CNj, data) (3) SN_i check ID0_CN j ? = IDCNj (4)

SN_i E({nonce0, ID_SNi}, K_CNj,SNi) = {nonce0, ID_SNi}_KCNj,SNi (5) SN_i → CN_j : ID_SNi,{nonce0, ID_SNi}_KCNj,SNi (6) SN_i delete K_CNj,SNi from RAM (7) CN_j D({nonce0, ID_SNi}_KCNj,SNi, K_CNj,SNi) = (nonce00, ID0_SNi) (8) CN_j if nonce00 ?= nonce, state of SN_i is valid (9) 3. Protocol actions.

(a) In the first step, CNj transfers an encrypted nonce together with its ID and

the sensed data using the shared key to SNi.

6.5. ANALYSIS 101