We assume that this mechanism is used over a secure (e.g., SSL-authenticated and protected) connection to guarantee authenticity and confidentiality requirements. Fig. 3 depicts the integrity challenge protocol used by the challenging party to securely validate integrity claims of the attesting system . In steps 1 and 2, creates a non-predictable 160bit random and sends it in a challenge request message to . In step 3, the attesting system loads a protected RSA key into the TPM. This is encrypted with the so-called Storage Root Key (SRK), a key known only to the TPM. The TPM specification  describes, how a 2048-bit AIK is created securely inside the TPM and how the corresponding public key can be securely certified by a trusted party. This trusted party certificate links the signature of the PCR to a specific TPM chip in a specific system. Then, the requests a from the TPM chip that now signs the selected (or multiple PCRs) and the originally provided by with the private key . To complete step 3, the retrieves the ordered list of all measurements (in our case from the kernel). Then, responds with a challenge response message in step 4, including the signed aggregate and nonce in , together with the claimed complete measurement list .
In step 5a, first retrieves a trusted certificate . This AIK certificate binds the verification key of the to a specific system and states that the related secret key is known only to this TPM and never exported unprotected. Thus masquerading can be discovered by the challenging party by comparing the unique identification of with the system identification given in . This certificate must be verified to be valid, e.g., by checking the certificate revocation list at the trusted issuing party. then verifies the signature in step 5b.
In step 5c, validates the freshness of the and thus the freshness of the (the measurement aggregate). Freshness is guaranteed if the nonces match as long the in step 2 is unique and not predictable. As soon as receives a nonce twice or can predict the nonce (or predict even a small enough set into which the nonce will fall), it can decide to replay old measurements or request TPM-signed quotes early using predicted nonces. In both cases, the quoted integrity measurements might not reflect the actual system status, but a past one. If the nonce offers insufficient security, then the validity of the signature keys can be restricted, because the replay window for signed aggregates is also bound to using a valid signature key.
Validating the signature in step 5b, can detect tampering with the TPM aggregate, because it will invalidate the signature (assuming cryptographic properties of a digital 2048-bit signature today, assuming the secret key is known only to the TPM, and assuming no hardware tampering of the TPM). Tampering with the measurement list is made visible in step 5c by walking through the measurement list and re-computing the TPM aggregate (simulating the TPM extend operations as described in Section 4.2) and comparing the result with the TPM aggregate that is included in the signed received in step 4. If the computed aggregate matches the signed aggregate, then the measurement list is valid and untampered, otherwise it is invalid.