From: <dev...@ar...> - 2009-06-19 11:26:42
Hello,

the question I have about quoting PCRs is probably more about understanding the concept than about how to realize it with jTSS. Nevertheless, I hope someone could help me with that.

I have taken a closer look at the example which is provided in the apki-application. As far as I understand this example, it works as follows:

1. Client sends a quote request containing a nonce and the numbers of the PCRs which have to be signed.
2. The server sends a response with the quote_info (containing: signed PCR and the nonce), a signature and the AIK certificate.
3. Client does the verification as follows:
   a. Checks the signature
   b. Checks the PCR value
      i. Client first calculates the compositeHash of the expected hash value, which is provided by the user of the client
      ii. Afterwards the composite hash value and the received DigestValue are compared
   c. Checks the nonce

My understanding of verifying the received signed PCR is to check if the system which does the quote is in the expected state (no hardware and/or software changes).

Now we have the following scenario:

System A communicates with System B for the first time. System A sends a message to System B containing the same information as the quote response from above, to prove its identity. System B now verifies the received message as follows:
   a. Checks if the AIK is valid; sends a request to a PKI system
   b. Checks the signature

In my understanding, System B cannot check the signed PCR at this time, nor can it check the nonce, because it does not know the expected values.

My questions are:
1. Is my understanding of verifying and signing PCRs correct?
2. Is there any common solution for how to handle the scenario described above?
3. Are the checks which were described in the scenario enough for attestation?

I hope someone could help me. I'm a little confused. Thanks in advance.

Jan

p.s.: I have also read something about DAA to prove the identity, but as it is not supported by jTSS yet, it is no solution, because I have to implement a prototypical solution based on Java.
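The client-side checks 3.a to 3.c from the post, as an added Python example (not code from jTSS or the apki application): it rebuilds the TPM 1.2 TPM_PCR_COMPOSITE from the expected PCR values, compares its SHA-1 with the digestValue inside the 48-byte TPM_QUOTE_INFO, checks the nonce, and delegates the AIK signature check to a caller-supplied verify_signature callback. It assumes a 3-byte PCR selection bitmap (sizeOfSelect = 3, as reported by the TPM for 24 PCRs); build_quote_info is a constructed stand-in for the quoting side.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, Tuple

PCR_LEN = 20  # TPM 1.2 PCR values are SHA-1 sized
SELECT_SIZE = 3  # assumption: sizeOfSelect for PCR 0..23; must match what the TPM used

def pcr_selection(pcr_indices) -> bytes:
    """TPM_PCR_SELECTION: uint16 sizeOfSelect followed by a bitmap (bit i of byte i//8 = PCR i)."""
    bitmap = bytearray(SELECT_SIZE)
    for i in pcr_indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", SELECT_SIZE) + bytes(bitmap)

def composite_hash(expected_pcrs: Dict[int, bytes]) -> bytes:
    """Step 3.b.i: SHA-1 over TPM_PCR_COMPOSITE built from the expected PCR values."""
    indices = sorted(expected_pcrs)  # pcrValue[] is ordered by ascending PCR index
    values = b"".join(expected_pcrs[i] for i in indices)
    composite = pcr_selection(indices) + struct.pack(">I", len(values)) + values
    return hashlib.sha1(composite).digest()

def build_quote_info(digest: bytes, nonce: bytes) -> bytes:
    """Constructed quoter side: TPM_QUOTE_INFO = version 1.1.0.0 | 'QUOT' | digestValue | externalData."""
    return b"\x01\x01\x00\x00" + b"QUOT" + digest + nonce

def parse_quote_info(quote_info: bytes) -> Tuple[bytes, bytes]:
    """Returns (digestValue, externalData) from a TPM 1.2 TPM_QUOTE_INFO, rejecting other layouts."""
    if len(quote_info) != 48:
        raise ValueError("TPM_QUOTE_INFO must be 48 bytes")
    if quote_info[:4] != b"\x01\x01\x00\x00" or quote_info[4:8] != b"QUOT":
        raise ValueError("not a TPM 1.2 TPM_QUOTE_INFO")
    return quote_info[8:28], quote_info[28:48]

def verify_quote(quote_info: bytes, signature: bytes, nonce_sent: bytes,
                 expected_pcrs: Dict[int, bytes],
                 verify_signature: Callable[[bytes, bytes], bool]) -> Tuple[bool, str]:
    """Steps 3.a-3.c; verify_signature(data, sig) must check the AIK RSA signature over quote_info."""
    if not verify_signature(quote_info, signature):           # a. signature by the AIK
        return False, "bad signature"
    digest, nonce = parse_quote_info(quote_info)
    if not hmac.compare_digest(digest, composite_hash(expected_pcrs)):  # b. expected state
        return False, "PCR composite mismatch"
    if not hmac.compare_digest(nonce, nonce_sent):            # c. freshness: our nonce came back
        return False, "nonce mismatch"
    return True, "ok"
```

Only a quote whose digestValue matches the locally computed composite of known-good PCRs is meaningful; without expected values (the first-contact scenario in the post) steps b and c cannot be performed.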