Adrian Leung and Chris J. Mitchell (2007) On a Possible Privacy Flaw in Direct Anonymous Attestation.
Full text access: Open
A possible privacy flaw in the TCG implementation of the Direct Anonymous Attestation (DAA) protocol has recently been discovered by Rudolph. This flaw allows a DAA Issuer to covertly include identifying information within DAA Certificates, enabling a colluding DAA Issuer and one or more verifiers to link and uniquely identify users, compromising user privacy and thereby invalidating the key feature provided by DAA. In this paper we argue that, in typical usage scenarios, the weakness identified by Rudolph is not likely to lead to a feasible attack; specifically we argue that the attack is only likely to be feasible if honest DAA signers and verifiers never check the behaviour of issuers. We also suggest possible ways of avoiding the threat posed by Rudolph's observation.
This is a Published version This version's date is: 23/12/2007 This item is peer reviewed
https://repository.royalholloway.ac.uk/items/b6d2b2e3-6812-e832-98b5-948cbf23d81b/1/
Deposited by () on 28-Jun-2010 in Royal Holloway Research Online.Last modified on 13-Dec-2010
[1] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation.In Proceedings of the 11th ACM Conference on Computer and Commu-nications Security, Washington DC, USA, October 25{29, 2004, pages132{145. ACM Press, 2004.[2] C. J. Mitchell, editor. Trusted Computing. IEE Press, London, 2005.[3] C. Rudolph. Covert identity information in direct anonymous attes-tation (DAA). In H. Venter, M. Elo®, L. Labuschagne, J. Elo®, andR. von Solms, editors, 22nd IFIP TC-11 International Information Se-curity Conference (SEC2007) on \New Approaches for Security, Privacyand Trust in Complex Environments", Sandton, South Africa, May 14-16, 2007. Proceedings, volume 232 of IFIP International Federation forInformation Processing, pages 443{448. Springer, Boston, 2007.[4] Trusted Computing Group (TCG). TCG Speci¯cation ArchitectureOverview. Version 1.2, The Trusted Computing Group, Portland, Ore-gon, USA, April 2004.