查看文章

Virtual Private Networks (VPNs) enable an organization’s members to telecommute from home or while traveling. Although members may use computers that are shared, borrowed, or rented from others to connect to a VPN, VPN protocols, such as IPsec, typically do not authenticate the configuration of users’ computers. If a computer used for VPN access is compromised, an attacker can exploit it to gain unauthorized access. We propose the use of attestations to overcome this vulnerability. An attestation is a disclosure of a computer’s configuration, signed by a secure coprocessor. We contribute protocol enhancements that enable attestation to be combined with IPsec, such that only an organization’s members that use uncompromised computers can gain and maintain access to the organization’s VPN. Experiments demonstrate the efficacy and efficiency of our solution.