10.4.4 Remote Attestation
Commercial client/server applications as well as emerging peer-to-peer applications often depend on the correct operation of the software installed on the device of the other communication party. This holds in particular if the involved communication partners share a trust relationship.
It is easy to verify the integrity of an application on a local device using well-known and well-understood signature mechanisms. It is also relatively easy to ensure that the application verified in this way is actually the one running in memory and has not been manipulated beforehand. Thus, it is possible to enforce the expected control and information flow of an application locally.
If we now transfer the same scenario to a remote device, the task becomes hard: verifying that an unknown application running on a remote device actually behaves according to a given specification is an open and extremely difficult problem.
10.4.5 Secure Boot
Many of the security mechanisms described above depend on the security of the underlying platform and operating system. In fact, smartphone manufacturers and OS designers have already recognized the importance of this initial trust. Thus, many smartphone operating systems already verify the integrity of the firmware they load when booting the device. Some of these verification processes are in fact protected by hardware components that store the verification information. Unfortunately, the motivation for trusted and secure boot processes is often a different one and does not aim at an integrity-protected architecture that ensures the specific security properties the user expects. On the contrary, most of these mechanisms aim at preventing the user from gaining control over his device. Thus, the trusted boot process serves not the user but the provider controlling the phone.
We think that this security goal should change and that the secure boot process should support an integrity-protected security framework which provides the appropriate security level to the device user instead of the device owner. Inevitably, such mechanisms will have to support open platforms such as Android. It will be a challenge to design a secure boot process which guarantees the integrity of specific key security components to different parties, e.g. the user, the network operator, the device owner or the distributor.
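As an added illustration (not from the book), the following Python model shows the chain-of-trust idea behind secure boot: each stage embeds the digest of the only stage it is permitted to load, the digest of the first stage stands in for the verification information stored in hardware (fuses or ROM), and a PCR-style register records what was actually booted, which is the data a later attestation would report. To stay stdlib-only it uses hash digests rather than the signature mechanisms the text mentions; the stage names and images are constructed sample data.

```python
import hashlib


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def measure(stage: dict) -> bytes:
    # The measurement covers the stage's code AND the digest it embeds for its
    # successor, so tampering with either is caught by the previous link (or the ROM).
    return sha256(stage["image"], stage["next"] or b"")


def build_chain(images):
    """images: list of (name, image_bytes) in boot order.
    Returns the stages and the root digest that would be burned into fuses/ROM."""
    stages, nxt = [], None
    for name, image in reversed(images):  # built back to front
        stage = {"name": name, "image": image, "next": nxt}
        stages.insert(0, stage)
        nxt = measure(stage)
    return stages, nxt  # nxt is now the digest of the first stage


def secure_boot(root_digest: bytes, stages):
    """Walk the chain; refuse to run any stage whose measurement differs from
    what the previous link expects. Returns (booted, log, pcr)."""
    expected, pcr, log = root_digest, bytes(32), []
    for stage in stages:
        m = measure(stage)
        if m != expected:
            log.append(f"{stage['name']}: measurement mismatch, halting boot")
            return False, log, pcr
        pcr = sha256(pcr, m)  # measured boot: extend the register with this stage
        log.append(f"{stage['name']}: verified")
        expected = stage["next"]
    return True, log, pcr


if __name__ == "__main__":
    # Constructed sample images standing in for real firmware stages.
    stages, root = build_chain([("bootloader", b"bl v1"), ("kernel", b"kernel v1"),
                                ("security-framework", b"sf v1")])
    print(secure_boot(root, stages)[1])
    stages[1]["image"] = b"kernel v1 (modified)"  # simulate a tampered kernel
    print(secure_boot(root, stages)[1])
```

The second run halts at the kernel stage, and because the register value differs from the untampered one, a verifier holding the expected PCR could detect the modification even if the device kept booting.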