Mutual remote attestation: Enabling system cloning for TPM based platforms

Abstract

We describe a concept of mutual remote attestation for two identically configured trusted (TPM based) systems. We provide a cryptographic protocol to achieve the goal of deriving a common session key for two systems that have verified each other to be a clone of themselves. The mutual attestation can be applied to backup procedures without providing data access to administrators, i.e. one trusted systems exports its database to another identical trusted system via a secure channel after mutual attestation is completed. Another application is dynamically parallelizing trusted systems in order to increase the performance of a trusted server platform. We present details of our proposed architecture and show results from extensive hardware tests. These tests show that there are some unresolved issues with TPM-BIOS settings currently distributed by PC hardware manufacturers since the specification regarding measurement of extended platform BIOS configuration is either not met or the usage of undocumented options is required. © 2012 Springer-Verlag Berlin Heidelberg.