Direct anonymous attestation

From Wikipedia, the free encyclopedia

Direct anonymous attestation (DAA) is a digital signature scheme that allows anonymous signing: a verifier can check that a message was signed by an authorized signer without learning which specific signer it was.

It is intended for use with a trusted platform module (TPM): the module generates a session key, has the key signed anonymously by an external certificate authority (CA), and then presents the key to the verifier. If the verifier trusts the CA to sign only session keys from correct TPMs, then the verifier can trust the session key and trust the computer on which the TPM is installed.

Using a trusted third party gives anonymity against the verifying site. Had the platform simply signed the session key with the secret TPM key, the site could recognize returning visitors, which would lessen their anonymity.

The DAA protocol is based on three entities and two different steps. The entities are the TPM platform, the DAA issuer and the DAA verifier. The issuer is charged with verifying the TPM platform during the Join step and issuing a DAA credential to the platform. The platform uses the DAA credential with the verifier during the Sign step. Through a zero-knowledge proof, the verifier can verify the credential without violating the platform's privacy.

Anonymity can be complete or partial. One of the parameters of the Sign step is a name that is computed from both the platform and the verifier. If the name is computed from a random number, the anonymity is complete. Otherwise, if the name is computed from a number chosen by the verifier, the verifier is able to track the platform across successive attestations, still without affecting privacy: the verifier can only tell that the same platform has performed successive attestations, and cannot learn the identity of the platform or track attestations made to other verifiers.
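The following sketch is an added illustration, not code from this article or from the DAA specification. It models only the name, computed as ζ^f mod p in the manner of the Brickell, Camenisch and Chen paper listed under External links, and omits the zero-knowledge proof. The toy group, the `Platform` class, the function names and the verifier basenames used with it are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import secrets

# Toy group for illustration only: Z_p^* with the Mersenne prime p = 2^127 - 1.
# The original scheme uses a prime-order subgroup of a far larger modulus.
P = 2**127 - 1


def zeta_from_basename(basename: bytes) -> int:
    """Base fixed by the verifier: hash its basename into the group."""
    h = int.from_bytes(hashlib.sha256(basename).digest(), "big") % P
    return h if 1 < h < P - 1 else 2  # avoid the degenerate bases 0, 1 and -1


def random_zeta() -> int:
    """Base chosen freshly by the platform for complete anonymity."""
    return secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]


class Platform:
    """Holds the secret f tied to the credential issued during Join (hypothetical model)."""

    def __init__(self) -> None:
        self._f = secrets.randbelow(P - 3) + 2

    def sign_name(self, basename: bytes | None = None) -> tuple[int, int]:
        """Return (zeta, name) for one Sign run; the zero-knowledge proof is omitted."""
        zeta = random_zeta() if basename is None else zeta_from_basename(basename)
        return zeta, pow(zeta, self._f, P)


def verifier_accepts_base(zeta: int, basename: bytes) -> bool:
    """A verifier that wants to link attestations must check zeta came from its basename."""
    return zeta == zeta_from_basename(basename)


def link(attestations: list[tuple[int, int]]) -> dict[int, int]:
    """Count attestations per name; equal names under one base mean the same platform."""
    counts: dict[int, int] = {}
    for _zeta, name in attestations:
        counts[name] = counts.get(name, 0) + 1
    return counts
```

A verifier that relies on the name for tracking has to reject any attestation whose base fails `verifier_accepts_base`, since a platform that substitutes a random base would otherwise appear as a new platform on every visit.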

The DAA protocol may also involve a Revocation Authority (RA). In this scenario, the platform encodes its identity with the RA's public key and sends it to the verifier. Depending on the policy, the verifier can ask the RA either to reveal the real identity or just to state whether the platform is a trusted party. In this way, DAA can detect a rogue TPM, that is, a TPM whose endorsement key (EK) has been blacklisted.

External links

  • E. Brickell, J. Camenisch, and L. Chen: Direct anonymous attestation. In Proceedings of 11th ACM Conference on Computer and Communications Security, ACM Press, 2004. (PDF)