Introduction
Verifier Platform
Attestation of Remote Platform
• Identify specific platform
• Verify software stack on remote platform
The verifier sends a verification request; the remote platform answers with verification data.
Use Case
Verify the user's system before it connects to the corporate network.
TPM
Trusted Platform Module
• Secure crypto-processor
Uses
• Remote Attestation
• Binding, Sealing: data encryption
Applications
• Platform Integrity
• Disk Encryption
• Password Protection
• Digital Rights Management
• Software Licenses
Verifier Platform <-> TPM deployed on remote platform (verification request out, verification data back)
TPM Specification
Design, Structure, Commands
TPM Chips
No TPMs: China, Russia, Belarus, Kazakhstan
TPM Example
300 million PCs have shipped with a chip called the Trusted Platform Module (TPM)
TPM Specification v1.1 (184 pages)
• FIPS 140-2 certification
• Commands for all operations, e.g. key generation, PCR extension
• Processes for key generation & management
• Cryptographic processes, e.g. random number generation
• TPM architecture
• TPM operation including initialization, self-test modes, startup, enabling, disabling etc.
FIPS: Federal Information Processing Standard
• FIPS 140-2 Level 1: the lowest, imposes very limited requirements; loosely, all components must be "production-grade".
• FIPS 140-2 Level 2: adds requirements for physical tamper-evidence and role-based authentication.
• FIPS 140-2 Level 3: adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.
• FIPS 140-2 Level 4: makes the physical security requirements more stringent, and requires robustness against environmental attacks.
TPM Architecture
PCR (Platform Configuration Register)
PCR
• 160 bits
• PCR_i(new) = HASH(PCR_i(old) || value to add)
• Minimum of 16 PCRs
• Store integrity metrics
• Avoid overwriting
• Unlimited number of measurements
• Measurements are ordered
• If extending is disabled, the PCR still works but returns 0s
Platform
TCG Boot Process
BIOS Boot Block -> BIOS -> MBR/OS Loader -> Operating System -> Application
PCR0 = 0
PCR_Extend(n, <BIOS CODE>): PCR1 = H(PCR0 || <BIOS Code>)
PCR_Extend(n, <MBR CODE>): PCR2 = H(PCR1 || <MBR Code>)
PCR_Extend(n, <OS CODE>): PCR3 = H(PCR2 || <OS Code>)
PCR_Extend(n, <APP CODE>): PCR4 = H(PCR3 || <APP Code>)
H : SHA-1
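The extend chain above, worked through in runnable form (an added example, not code from the slides): PCR_Extend as SHA-1 over old value || measurement, a measured-boot sequence over constructed stand-in code images, and the verifier-side comparison against a golden value. It also exercises two properties the PCR slide states, that measurements are ordered (the same stages in a different order give a different PCR) and that any change to a measured image changes the final value. The function and constant names are assumptions of this example.

```python
import hashlib

PCR_BITS = 160                      # each PCR is a 160-bit SHA-1 digest
ZERO_PCR = bytes(PCR_BITS // 8)     # reset value: all zeros (PCR0 = 0)


def pcr_extend(pcr_old: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || measurement): the one-way extend operation."""
    return hashlib.sha1(pcr_old + measurement).digest()


def measured_boot(stages, start: bytes = ZERO_PCR):
    """Extend one register with each boot stage in order (BIOS, MBR, OS, app).
    Returns the register value after every stage so the chain can be inspected."""
    chain = [start]
    for code in stages:
        chain.append(pcr_extend(chain[-1], code))
    return chain


# Constructed stand-ins for the code images measured at each boot stage.
BOOT_STAGES = [b"BIOS CODE v1", b"MBR CODE", b"OS CODE", b"APP CODE"]


def expected_final_pcr() -> bytes:
    """A verifier's golden value: the PCR the known-good stages produce."""
    return measured_boot(BOOT_STAGES)[-1]


def pcr_matches_golden(chain) -> bool:
    """Verifier check: does the reported final PCR equal the golden value?"""
    return chain[-1] == expected_final_pcr()


if __name__ == "__main__":
    good = measured_boot(BOOT_STAGES)
    for i, value in enumerate(good):
        print(f"PCR after stage {i}: {value.hex()}")
    # A patched OS image changes every value from that stage onward.
    tampered = measured_boot([b"BIOS CODE v1", b"MBR CODE", b"OS CODE (patched)", b"APP CODE"])
    # The same images in a different order give a different final value.
    reordered = measured_boot([b"MBR CODE", b"BIOS CODE v1", b"OS CODE", b"APP CODE"])
    print("good matches golden:     ", pcr_matches_golden(good))
    print("tampered matches golden: ", pcr_matches_golden(tampered))
    print("reordered matches golden:", pcr_matches_golden(reordered))
```

Because extend is a hash over the previous value, a platform cannot "rewind" a register to hide a measurement; the only way to reach the golden value is to have measured exactly the expected images in the expected order since reset.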
Root of Trust
BIOS Boot Block -> BIOS -> MBR/OS Loader -> Operating System -> Application
Root of Trust in Integrity Measurement: measuring, extending PCRs
Root of Trust in Integrity Reporting
Simple Attestation Method
Platform: Application A generates PKA & SKA
TPM: PKTPM & SKTPM (Endorsement Key); PKAIK & SKAIK (Attestation Identity Key)
Verifier (holds PKTPM), with a DB: lookup PCR -> "ok"
1) Read_PCR
2) {PCR}SKAIK
3) Cert{PKAIK}SKTPM, {PCR}SKAIK
4) Cert{PKAIK}SKTPM, {PCR}SKAIK
5) verifies the signature
6) looks up #A in DB
7) ...
Problem! Does not protect user privacy
EK is one-time unique per TPM; AIK can be used anew for each attestation
Solution: Single key pair for all TPMs
Manufacturer: PKTPM & SKTPM
TPM: SKTPM; TPM: SKTPM; TPM: SKTPM; ...
Verifier
Problem! Identify legitimate TPMs from fake
Solution: Certificate Authority (TPM v1.1)
Problem! Scale, collusion
TPM: PKTPM & SKTPM (Endorsement Key); PKAIK & SKAIK (Attestation Key)
Privacy Certification Authority (CA): PKTPM1 & SKTPM1, PKTPM2 & SKTPM2, ..., PKTPMn & SKTPMn
Verifier
1. Cert{PKAIK}SKTPM
2. Searches PKTPM
3. Cert{PKAIK}SKCA
4. Verification Request
5. Cert{PKAIK}SKCA
Remove rogue TPM key from list
Direct Anonymous Attestation (DAA) – TPM Spec 1.2
• Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP)
• Based on the Camenisch-Lysyanskaya anonymous credential system
Direct: without a TTP
Anonymous: does not reveal the signer's identity
Attestation: a claim from a TPM
TPM -> Verifier1: DAA{SKAIK1}
TPM -> Verifier2: DAA{SKAIK2}
Verifier1 can tell SKAIK1 is from a TPM, but not which one
Verifier2 can tell SKAIK2 is from a TPM, but not which one
Cannot tell if SKAIK1 & SKAIK2 are from the same TPM
Direct Anonymous Attestation (Join)
TPM Issuer Commit to
Derive from issuer’s name by TPM
Proves that
Signature on
Secret
Public
DAA certificate
Direct Anonymous Attestation (Verification)
TPM Verifier1
Zero knowledge proof protocol
TPM proves it knows
TPM Proves the exponent is related
• Used for blacklisting
• Used for linking transactions from the same TPM
Secure Storage
TPM_Seal(Blob, PCR'): with storage key SKENC, Blob' = {Blob || PCR'}SKENC; stores Blob'
TPM_UnSeal(Blob'): checks if current PCR = PCR' in Blob'; if true, Blob = Decrypt{Blob'}SKENC; if false, return failure
• OS & Apps sealed with MBR's PCR
• Seal Web Server's SSL Key
• Microsoft BitLocker
• Blob size is 256 bytes
DRM – e.g. using TPM counters
TPM_Seal(Blob, PCR'): SKENC, COUNTER = 0; Blob' = {Blob || PCR'}SKENC; stores Blob'
TPM_UnSeal(Blob'): checks if current PCR = PCR' in Blob' && COUNTER < N; if true, Blob = Decrypt{Blob'}SKENC, COUNTER++; if false, return failure
• Music can be played for 30 days only
Application: Media Player
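The seal/unseal logic of the Secure Storage and DRM-counter slides above, as an added example that is not code from the deck. The cipher is a constructed stand-in (SHA-256 keystream plus HMAC-SHA256 tag) for the TPM's own encryption under SKENC, and the names tpm_seal, TPM.unseal and max_uses are this example's assumptions; what it exercises is the PCR' comparison at unseal time and the COUNTER < N check, with the authentication tag showing why a blob' modified outside the TPM must be rejected before the PCR is even looked at.

```python
import hashlib
import hmac
import os

# SKENC: the TPM-internal storage key. Constructed here; a real TPM never
# releases it. The cipher below is a stand-in for the TPM's encryption.
SKENC = hashlib.sha256(b"constructed storage key, not a real TPM key").digest()
PCR_LEN = 20   # 160-bit PCR


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (toy cipher, constructed)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def tpm_seal(blob: bytes, pcr: bytes) -> bytes:
    """TPM_Seal(Blob, PCR'): Blob' = {Blob || PCR'}_SKENC, plus an integrity tag.
    The caller stores Blob'; only the TPM holding SKENC can open it."""
    assert len(pcr) == PCR_LEN
    nonce = os.urandom(16)
    body = _crypt(SKENC, nonce, blob + pcr)
    tag = hmac.new(SKENC, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


class TPM:
    """Minimal model of the unseal path, with the optional usage counter of the DRM slide."""

    def __init__(self, current_pcr: bytes, max_uses=None):
        self.pcr = current_pcr          # platform state at unseal time
        self.counter = 0                # COUNTER = 0
        self.max_uses = max_uses        # N, or None for plain sealing

    def unseal(self, sealed: bytes):
        """TPM_UnSeal(Blob'): returns Blob on success, None on failure."""
        nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
        expected = hmac.new(SKENC, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                 # Blob' was modified outside the TPM
        plain = _crypt(SKENC, nonce, body)
        blob, sealed_pcr = plain[:-PCR_LEN], plain[-PCR_LEN:]
        if sealed_pcr != self.pcr:
            return None                 # current PCR != PCR' in Blob'
        if self.max_uses is not None:
            if self.counter >= self.max_uses:
                return None             # COUNTER < N failed
            self.counter += 1           # COUNTER++
        return blob


if __name__ == "__main__":
    good_pcr = bytes.fromhex("11" * PCR_LEN)          # constructed "known good" PCR
    sealed = tpm_seal(b"web server SSL key", good_pcr)
    print("same platform state:  ", TPM(good_pcr).unseal(sealed))
    print("different state:      ", TPM(bytes(PCR_LEN)).unseal(sealed))
    player = TPM(good_pcr, max_uses=2)
    print("DRM plays:            ", [player.unseal(sealed) is not None for _ in range(3)])
```

The sealed blob never carries the key it was encrypted under, so moving Blob' to another machine, or booting the same machine into a different software stack, leaves the platform with a blob that the TPM will not open.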
Trusted Software Stack (TSS)
• Standard API for accessing functions of the TPM
• OS agnostic
http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification
Trusted Hardware : Introduction
Database / Server / Trusted HW (e.g. IBM 4764/65, SafeXcel 6000 PCI)
• Trusted by the clients
• Performs or aids query processing
• Can provide tamper proofing / detection
• Supports cryptographic functions (software or hardware based)
• Commonly used as accelerators
Trusted Hardware : Benefits & Limitations
IBM 4764 performance (OpenSSL 0.9.7f)
Function            Context     IBM 4764 (per second)    P4 @ 3.4 GHz (per second)
RSA signature       1024 bits   848                      261
                    2048 bits   316 – 470                43
RSA verification    1024 bits   1157 – 1242              5324
                    2048 bits   976 – 1087               1613
SHA-1               1 KB        1.42 MB                  80 MB
                    64 KB       18.6 MB                  120+ MB
                    1 MB        21 – 24 MB
3DES                1 KB        1.08 MB                  18 MB
                    64 KB       7.73 MB                  17 MB
                    1 MB        8.56 MB                  15 MB
AES-128             1 KB        14+ MB                   100+ MB
DMA transfer, end-to-end        75 – 90 MB               1+ GB
Processor: 233 MHz PowerPC; Memory: 32 MB; Crypto H/W engines: AES256, DES, TDES, DSS, SHA-1, MD5, RSA
• Tamper resistant and responsive design, FIPS level 4 certified
• Limited resources
• Synchronous communication channel with host
• Hardware crypto engine
Outbound Authentication [Smith et al.]
SCPU - 4764, layered software with one key pair per layer:
Layer 3 – TrustedDB: PKTDB & SKTDB, KDATA
Layer 2 – OS: PKOS & SKOS
Layer 1 – Miniboot 1: PKDEV & SKDEV
Layer 0 – Miniboot 0: PKMAN & SKMAN
Client: PKCMAN, KDATA
1. Request
2. OA Certificate
3. OA Certificate
Outbound Authentication Certificate (each layer's key and code hash signed by the layer below):
{PKTDB, H(L3CODE)} signed with SKOS
{PKOS, H(L2CODE)} signed with SKDEV
{PKDEV, H(L1CODE)} signed with SKMAN
{PKMAN, H(L0CODE)} signed with SKCMAN
PKA : Public Key of A; SKA : Private Key of A; H(M) : Hash of message M
SIGMOD 2011 : TrustedDB
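A single runnable model, added here and not code from the slides, the TCG or TrustedDB, serving two earlier slides: the Simple Attestation Method with its Privacy CA variant, and TrustedDB's Outbound Authentication chain. Both reduce to checking certificates of the form Cert{PK, payload}SK issued by a key the relying party already trusts, so one certify/check_cert pair covers them. A Lamport one-time signature over SHA-256 stands in for the RSA keys a TPM or 4764 card actually holds (each key signs exactly once below, which is all a one-time scheme allows); every function name, the GOOD_PCRS database, the layer code images and the key names are constructed for this example.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Toy one-time signature (Lamport) standing in for RSA; constructed ---
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return pk, sk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def pk_bytes(pk) -> bytes:
    """Canonical encoding of a public key so it can sit inside a certificate."""
    return b"".join(a + b for a, b in pk)


def certify(subject_pk, payload: bytes, issuer_sk):
    """Cert{subject_pk || payload}_issuer, the form used on the slides."""
    return {"pk": subject_pk, "payload": payload,
            "sig": sign(issuer_sk, pk_bytes(subject_pk) + payload)}


def check_cert(cert, issuer_pk) -> bool:
    return verify(issuer_pk, pk_bytes(cert["pk"]) + cert["payload"], cert["sig"])


# --- Simple attestation (verifier knows PKTPM) and the Privacy CA variant ---
GOOD_PCRS = {b"\x11" * 20: "ok"}        # constructed verifier DB: PCR -> verdict


def tpm_quote(pcr: bytes, sk_tpm):
    """TPM side: 1) Read_PCR, fresh AIK, 2) {PCR}_SKAIK, 3) Cert{PKAIK}_SKTPM."""
    pk_aik, sk_aik = keygen()
    return certify(pk_aik, b"AIK", sk_tpm), pcr, sign(sk_aik, pcr)


def verify_quote(aik_cert, pcr: bytes, quote, issuer_pk) -> str:
    """Verifier: 5) check Cert{PKAIK} under issuer_pk and {PCR}_SKAIK, 6) DB lookup."""
    if not check_cert(aik_cert, issuer_pk):
        return "bad AIK certificate"
    if not verify(aik_cert["pk"], pcr, quote):
        return "bad PCR signature"
    return GOOD_PCRS.get(pcr, "unknown PCR")


def privacy_ca_recertify(aik_cert, pk_tpm, legit_tpms, sk_ca):
    """Privacy CA: 2. search PKTPM in its list, 3. issue Cert{PKAIK}_SKCA."""
    if pk_bytes(pk_tpm) not in legit_tpms or not check_cert(aik_cert, pk_tpm):
        return None
    return certify(aik_cert["pk"], b"AIK", sk_ca)


# --- TrustedDB outbound authentication: four layers, one cert per layer ---
def build_oa_chain(code_images, key_pairs):
    """key_pairs = [CMAN, MAN, DEV, OS, TDB]: layer i's key and H(code_i) are
    signed by the key one level down; the root is the manufacturer key CMAN."""
    return [certify(key_pairs[i + 1][0], H(code), key_pairs[i][1])
            for i, code in enumerate(code_images)]


def client_verify_oa(chain, pk_cman, expected_code) -> bool:
    """Client holds only PKCMAN: walk the chain, checking signer and code hash."""
    issuer = pk_cman
    for cert, code in zip(chain, expected_code):
        if not check_cert(cert, issuer) or cert["payload"] != H(code):
            return False
        issuer = cert["pk"]
    return len(chain) == len(expected_code)


def demo() -> dict:
    pk_tpm, sk_tpm = keygen()
    pk_ca, sk_ca = keygen()
    aik_cert, pcr, quote = tpm_quote(b"\x11" * 20, sk_tpm)
    simple = verify_quote(aik_cert, pcr, quote, pk_tpm)      # verifier sees PKTPM
    ca_cert = privacy_ca_recertify(aik_cert, pk_tpm, {pk_bytes(pk_tpm)}, sk_ca)
    anon = verify_quote(ca_cert, pcr, quote, pk_ca)          # verifier sees only PKCA
    layers = [b"L0 miniboot0", b"L1 miniboot1", b"L2 OS", b"L3 TrustedDB"]
    keys = [keygen() for _ in range(5)]                      # CMAN, MAN, DEV, OS, TDB
    chain = build_oa_chain(layers, keys)
    oa_ok = client_verify_oa(chain, keys[0][0], layers)
    oa_bad = client_verify_oa(chain, keys[0][0], layers[:3] + [b"L3 modified"])
    return {"simple": simple, "privacy_ca": anon, "oa": oa_ok, "oa_tampered": oa_bad}


if __name__ == "__main__":
    print(demo())
```

The two flows differ only in which public key the relying party starts from: the simple method starts from PKTPM itself, which is why every attestation from that TPM is linkable, while the Privacy CA version starts from PKCA and the OA chain from PKCMAN, so the verifier learns the software state (the PCR or the code hashes) without learning which individual device it is talking to.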