Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Slide 1: Lecture Secure, Trusted and Trustworthy Computing
Prof. Dr.-Ing. Ahmad-Reza Sadeghi
System Security Lab, Technische Universität Darmstadt (CASED), Germany
Winter Term 2015/2016

Slide 2: Roadmap: TPM
- Introduction to TPM
  - TPM architecture
  - Integration of TPM in PC's software and hardware, start-up
  - Core Root of Trust for Measurement (CRTM)
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
- Key management
Slide Nr. 2, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016

Slide 3: Trusted Platform Module (TPM)
- Current implementation is a cryptographic co-processor
  - Hardware-based random number generation
  - Small set of cryptographic functions: key generation, signing, encryption, hashing, MAC
- Offers additional functionalities
  - Secure storage (ideally tamper-resistant)
  - Platform integrity measurement and reporting
- Embedded into the platform's motherboard
- Acts as a Root of Trust: the TPM must be trusted by all parties
- Two versions of the specification are available
- Many vendors already ship their platforms with a TPM

Slide 4: TPM Architecture
Components shown in the block diagram of the TPM:
- Input/Output: protocol en-/decoding; enforces access policies; attached to the system interface (e.g., LPC bus)
- Cryptographic Co-Processor: asymmetric en-/decryption (RSA), digital signature (RSA)
- SHA-1 engine
- HMAC engine
- Random Number Generation
- Key Generation: asymmetric keys (RSA), symmetric keys, nonces
- Platform Configuration Registers (PCR): storage of integrity measurements, PCR[0], PCR[1], ..., PCR[23]
- Opt-In: stores TPM state information (e.g., whether the TPM is disabled); enforces state-dependent limitations (e.g., some commands must not be executed if the TPM is disabled)
- Execution Engine: processes TPM commands; ensures segregation of operations; ensures protection of secrets
- Non-Volatile Memory: stores persistent TPM data (e.g., the TPM identity or special keys); provides read-, write- or unprotected storage accessible from outside the TPM

Slide 5: Planned Features of Next Generation TPM
- Variability of cryptographic algorithms
  - Current TPM specifications are fixed on RSA and SHA-1
  - Support of different crypto algorithms is needed in many applications (e.g., ECC-based crypto)
- Support for virtualized systems
  - Current TPMs are difficult to virtualize
  - Virtualization support is required in many security architectures (e.g., Virtual Machines need virtual TPMs)
- Security enhancements
  - e.g., to prevent users from choosing weak TPM passwords
- Performance and usability improvements

Slide 6: TPM-Internal Functions and Features I
- SHA-1 engine
  - Computes the SHA-1 digest of arbitrary data: digest ← SHA-1(data)
- HMAC engine
  - Computes the HMAC digest authdigest resulting from a secret and arbitrary data: authdigest ← HMAC(secret; data)
  - Mainly used in the TPM's authentication protocols (see OSAP/OIAP protocols)
- Platform Configuration Registers (PCRs)
  - Copies the current values stored in the TPM's PCRs to state: state ← getcurrentpcrs()
  - e.g., used in the context of sealing to derive the platform's current configuration

Slide 7: TPM-Internal Functions and Features II
- Random Number Generator
  - Returns n random bytes: rand ← RNG(n)
  - Mainly used to derive 20 random bytes, e.g., to be used as a nonce (anti-replay value)
- Key Generation Engine
  - Generates a key pair (pk, sk) according to the parameters given in par (e.g., key size, key type, etc.): (pk, sk) ← GenKey(par)

Slide 8: TPM Integration into PC Hardware
Block diagram of a PC platform:
- Central Processing Unit (CPU)
- Graphics and Memory Controller Hub (GMCH), chipset (Northbridge): attaches the Graphics Controller and the System Memory
- Interface Controller Hub (ICH), chipset (Southbridge): attaches Hard Disks, Expansion Cards, USB Devices and the Network Interface
- Low Pin Count (LPC) Bus, attached to the ICH: System BIOS, TPM, and the Super I/O chip for legacy devices (Floppy Drive, PS/2, Parallel I/O, Serial I/O)

Slide 9: TPM Software Integration (Trusted Software Stack, TSS)
- Applications (local): TCG-Application and Conventional Application; a Remote Trusted Platform runs a Remote TCG-Application
- TSP Interface (TSPI): the TCG Service Provider (TSP) provides an object-oriented interface for TCG-enabled applications; conventional applications use a conventional cryptographic interface (e.g., MS-CAPI, PKCS#11) layered on the TSP
- TCS Interface (TCSI): the TCG Core Services (TCS) run as system services and provide key and credential management, platform integrity measurement and reporting (TPM Event Log), and parsing and handling of TPM commands; a remote TSP reaches the TCS through an RPC (Remote Procedure Call) client/server pair
- TDDL Interface (TDDLI): the TPM Device Driver Library (TDDL) provides a standard interface for TPMs of different manufacturers and handles the transition between user mode and kernel mode
- TPM Device Driver (kernel mode)
- Hardware: CRTM and TPM

Slide 10: Core Root of Trust for Measurement (CRTM)
- Immutable portion of the host platform's initialization code that is executed upon a host platform reset
- Trust in all measurements is based on the integrity of the CRTM
- Ideally the CRTM is contained in the TPM
  - Implementation decisions may require the CRTM to be located in other firmware (e.g., BIOS boot block)

Slide 11: Possible CRTM Implementations
1. CRTM = BIOS Boot Block
  - BIOS is composed of the BIOS Boot Block and the POST BIOS
  - Each of these is an independent component
  - Each can be updated independently of the other
  - POST BIOS is not part of the CRTM but is measured by the Chain of Trust
2. CRTM = Entire BIOS
  - BIOS is composed of a single atomic entity
  - The entire BIOS is updated, modified, or maintained as a single component

Slide 12: Roadmap: TPM
- Introduction to TPM
  - TPM architecture
  - Integration of TPM in PC's software and hardware, start-up
  - Core Root of Trust for Measurement (CRTM)
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
- Key management and maintenance

Slide 13: TCG Terminology I
- Shielded Location
  - Place where sensitive data can be stored or operated on safely
  - e.g., memory locations inside the TPM, or data objects encrypted by the TPM and stored on external storage (e.g., hard disk)
- Protected Capabilities (Protected Functions)
  - Set of commands with exclusive permission to access shielded locations
  - e.g., commands for cryptographic key management, sealing of data to a system state, etc.
- Protected Entity
  - Refers to a protected capability or a sensitive data object stored in a shielded location

Slide 14: TCG Terminology II
- Integrity Measurement
  - Process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform and storing digests of these metrics in the TPM's PCRs
  - Platform characteristic = hash digest of the software to be executed
- Platform Configuration Registers (PCR)
  - Shielded location to store integrity measurement values
  - PCRs can only be extended: PCR_{i+1} ← SHA-1(PCR_i, value)
  - PCRs are reset only when the platform is rebooted
- Integrity Logging
  - Storing integrity metrics in a log for later use
  - Storing additional information about what has been measured, like software manufacturer name, software name, version, etc.
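The extend rule and the integrity log above are what a verifier later uses to check a platform: it replays the log and compares the result with the reported PCRs. The following Python is an added example (not from the lecture slides) that does exactly that; the boot-chain entries, PCR indices and byte strings standing in for firmware images are constructed for illustration.

```python
import hashlib

PCR_COUNT = 24          # TPM 1.2 platforms expose PCR[0] .. PCR[23]
PCR_RESET = bytes(20)   # every PCR holds 20 zero bytes after a platform reboot

def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR_{i+1} <- SHA-1(PCR_i, measurement): the only operation that changes a PCR."""
    if len(pcr_value) != 20 or len(measurement) != 20:
        raise ValueError("PCR values and measurements are 20-byte SHA-1 digests")
    return hashlib.sha1(pcr_value + measurement).digest()

def measure(component: bytes) -> bytes:
    """Platform characteristic = SHA-1 digest of the software about to be executed."""
    return hashlib.sha1(component).digest()

def boot_and_log(boot_chain):
    """Chain-of-trust side: each stage measures the next one into a PCR and appends
    an integrity-log entry.  Returns (pcrs, event_log)."""
    pcrs = [PCR_RESET] * PCR_COUNT
    event_log = []
    for pcr_index, name, code in boot_chain:
        digest = measure(code)
        pcrs[pcr_index] = pcr_extend(pcrs[pcr_index], digest)
        event_log.append({"pcr": pcr_index, "name": name, "digest": digest})
    return pcrs, event_log

def replay_log(event_log):
    """Verifier side: recompute the PCR values that the event log claims to explain."""
    expected = [PCR_RESET] * PCR_COUNT
    for event in event_log:
        expected[event["pcr"]] = pcr_extend(expected[event["pcr"]], event["digest"])
    return expected

def log_explains_pcrs(event_log, reported_pcrs) -> bool:
    """True iff replaying the log reproduces every reported PCR value; any modified,
    omitted or reordered entry changes the replayed values."""
    return replay_log(event_log) == list(reported_pcrs)

# Constructed sample boot chain; the byte strings stand in for real firmware images.
SAMPLE_BOOT_CHAIN = [
    (0, "CRTM / BIOS boot block", b"constructed: bios boot block v1"),
    (0, "POST BIOS", b"constructed: post bios v1"),
    (4, "boot loader", b"constructed: boot loader v1"),
    (8, "OS kernel", b"constructed: kernel v1"),
]

if __name__ == "__main__":
    pcrs, log = boot_and_log(SAMPLE_BOOT_CHAIN)
    for i in (0, 4, 8):
        print(f"PCR[{i}] = {pcrs[i].hex()}")
    print("log replays to the reported PCRs:", log_explains_pcrs(log, pcrs))
```

Because the log carries the measured digests and the PCR carries their chained hash, the log can be kept on ordinary storage: tampering with it is detected at replay time, while the PCR itself can only ever be extended, not rewritten.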

Slide 15: TCG Assumptions and Trust Model I
- Unforgeability of measurements
  - Platform configuration cannot be forged after measurements have been taken
  - However, today's OS can be (maliciously) modified
- Hash digests of binaries express trustworthiness
  - Verifier can determine the initial configuration from the digests
  - However, the TCB of today's platforms is too complex
- Secure channels can be established
  - Between HW components (TPM and CPU), since they may have certified authentication keys provided by a PKI
  - Between machines running on the same platform (e.g., attestor and host) by using operating system mechanisms (secure OS)

Slide 16: TCG Assumptions and Trust Model II
- Protection against software attacks only
  - Unprotected communication link between TPM and CPU
- Security issues of certain TPM aspects
  - Automated verification available
- Integration of the TPM in the chipset may potentially be problematic
  - Engineering trade-off between security and technical evaluation
- TPM Construction Kit
  - Towards more security against hardware attacks
- Currently TPMs have rudimentary hardware protection mechanisms
  - Over/under voltage detection, low frequency sensor, high frequency filter, reset filter, memory encryption/decryption, etc.
  - Some manufacturers started 3rd party certification (Common Criteria)
- CRTM is not tamper-resistant (implemented in unprotected BIOS)

Slide 17: Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
  - TPM and platform identity
  - TPM keys and their properties
  - TPM key types
- Authentication and Ownership
- Key management and maintenance

Slide 18: TPM Identity (Endorsement Key)
- TPM identity is represented as the Endorsement Key (EK)
  - Unique en-/decryption key pair
  - Private key does not leave the TPM
  - Public key is privacy-sensitive (since it identifies a TPM/platform)
- Generated during the manufacturing process of the TPM
  - Either in the TPM, or externally and then embedded into the TPM
  - Must be certified by the EK-generating entity, e.g., by the TPM manufacturer
- Can be deleted (revoked) and re-generated by a TPM user
  - Revocation must be enabled during creation of the EK
  - Deletion must be authorized by a secret defined during EK creation
  - EK re-creation invalidates the Endorsement Credential (EC)
- Readable from the TPM via
  - TPM_ReadPubek (command disabled after taking ownership of the TPM)
  - TPM_OwnerReadInternalPub (requires the owner authentication secret set during taking ownership)

Slide 19: Endorsement Credential
- Digital certificate stating that the EK has been properly created and embedded into a TPM
- Issued by the entity who generated the EK, e.g., the TPM manufacturer
- Includes
  - TPM manufacturer name
  - TPM model number
  - TPM version
  - Public EK (privacy sensitive)
(Diagram: Endorsement Credential containing pk_EK, issued for the TPM's EK.)

Slide 20: Platform Identity
- Platform identity is equivalent to TPM identity (EK)
  - EK is a unique identifier for a TPM
  - A TPM must be bound to only one platform: either physical binding (e.g., soldered to the platform's motherboard) or logical binding (e.g., by using cryptography)
  - Common implementation: TPM soldered to the platform's motherboard
  - Therefore an EK uniquely identifies a platform
- Platform Credential asserts that a TPM has been correctly integrated into a platform

Slide 21: Platform Credential
- Digital certificate stating that an individual platform contains the TPM described in the Endorsement Credential (EC)
- Issued by the platform manufacturer, e.g., system or motherboard manufacturer
- Includes
  - Platform manufacturer name
  - Platform model and version number
  - References to (digests of) the corresponding Endorsement and Conformance Credential
- Conformance Credential asserts that a platform type fulfills the evaluation guidelines defined by the TCG
(Diagram: the Platform Credential references Hash(EK) of the Endorsement Credential (pk_EK) and the Conformance Credential (ConfCred).)

Slide 22: TPM Credentials on PC Platform
- TPM credentials may be distributed in the following ways
  - On the platform's distribution CD (impractical: every platform requires an individual CD)
  - On a partition of the platform's hard disk
  - Over the TPM or platform manufacturer's web site
  - In the non-volatile storage area of the TPM (most commonly used)
- Current situation
  - Only one TPM manufacturer is known to provide an Endorsement Credential
  - There is no known TPM that comes with a Platform or Conformance Credential
- Distribution via non-volatile storage
  - Reserved address space in the non-volatile storage of the TPM for TPM credentials
  - Access to these credentials is only allowed after TPM owner authentication
- Distribution via manufacturer's website
  - Requires identification of the TPM, e.g., via the EK:
    1. TSS establishes a secure channel (authenticated, confidential) with the TPM manufacturer
    2. TSS reads the public EK pk_EK from the TPM and sends hash(pk_EK) to the TPM manufacturer
    3. TPM manufacturer looks up the corresponding credentials and sends them to the TSS
    4. TSS stores the received credentials (e.g., on hard disk or in the TPM's non-volatile storage)

Slide 23: Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
  - TPM identity and platform identity
  - TPM keys and their properties
  - TPM key types
- Authentication and Ownership
- Key management and maintenance

Slide 24: Migratable and Non-Migratable Keys
- Migratable keys
  - Can be migrated to other TPMs/platforms
  - Third parties have no assurance that such keys have been generated by a TPM
  - Third parties may not trust migratable keys
- Non-migratable keys
  - Cannot be migrated to other TPMs/platforms
  - Guaranteed to only reside in TPM-protected locations
  - TPM can generate a certificate stating that a key is non-migratable

Slide 25: Storage Root Key (SRK)
- TPM contains the Root of Trust for Storage (RTS)
  - Secure data storage is implemented as a hierarchy of keys
  - Storage Root Key (SRK) is the root of this key hierarchy
- Storage Root Key (SRK) represents the RTS
  - RSA en-/decryption key pair
  - Must have a key length of at least 2048 bits
  - Private SRK must not leave the TPM
  - Generated by the TPM during the process of installing the TPM Owner
  - Deleted when the TPM Owner is deleted: this makes the key hierarchy inaccessible and thus destroys all data encrypted with keys in that hierarchy

Slide 26: TPM Key Hierarchy
- Notation: A → B means A encrypts B; A is called the parent key of B
- Inside the TPM: EK and SRK
- In external storage (e.g., hard disk): a tree rooted at the SRK, in which storage keys (StorK) wrap attestation identity keys (AIK), signing keys (SigK), binding keys (BindK), migration keys (MigrK), symmetric keys (SymK) and further storage keys; symmetric keys in turn encrypt files
- Depth of the hierarchy and number of TPM-protected keys are only limited by the size of the external storage
- Storage keys (StorK) protect all other key types
  - Attestation ID keys (AIK)
  - Signing keys (SigK)
  - Binding keys (BindK)
  - Migration keys (MigrK)
  - Symmetric keys (SymK)
- Transitive protection: the SRK indirectly protects arbitrary data (e.g., files)

Slide 27: TPM Key Object: Important Fields
General Information
- Key Type: e.g., signing key, binding key, storage key, ...
- Algorithm: e.g., RSA, DSA, HMAC, AES, ...
- Authentication Secret: authentication secret required to use the key
Specific Information
- Key Properties
- Key Length
- Key Data: public and private key of an asymmetric key. Secret key data is encrypted with the corresponding parent key.
- Migration: information about the migratability of the key: migratable, certified migratable, non-migratable
- PCR Values: a key can be sealed to specific PCR values. This means that such a key can only be used when the platform is in a specific (trusted) state.

Slide 28: Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
  - TPM identity and platform identity
  - TPM keys and their properties
  - TPM key types
- Authentication and Ownership
- Key management and maintenance

Slide 29: TPM Key Types
- TPM provides 9 different types of keys
  - 3 special TPM key types: Endorsement Key, Storage Root Key, Attestation Identity Keys
  - 6 general key types: storage, signing, binding, migration, legacy and authchange keys
  - The most important key types are explained in the following slides
- Each key may have additional properties; the most important ones are
  - Migratable, non-migratable, certified migratable: e.g., whether the key is allowed to be migrated to another TPM
  - Whether the key is allowed to be used only when the platform is in a specific (potentially secure) configuration

Slide 30: Attestation Identity Keys (AIK)
- Purpose
  - Used to attest to the current platform configuration, e.g., to authentically report the current hard- and software environment to a remote party (see attestation)
  - Alias for the TPM/platform identity (Endorsement Key)
  - Use of AIKs should prevent tracking of TPMs/platforms; e.g., the transactions of a platform can be traced if the EK is used in various protocol runs with different colluding service providers
- Properties
  - AIKs are non-migratable signing keys (e.g., 2048-bit RSA)
  - Generated by the TPM Owner
  - TPM/platform may have multiple AIKs, e.g., one for online-banking, one for ..., etc.

Slide 31: Certification of AIKs
- AIK requires certification that it comes from a TPM
- TCG specifies two possibilities (details later)
  - Certification by a Trusted Third Party (Privacy CA in TCG terminology)
    - Privacy problem: the Privacy CA can link transactions of a TPM
  - Certification via DAA (Direct Anonymous Attestation)
    - Achieves unlinkability of TPM transactions
    - No Privacy CA needed
    - Zero-knowledge proof of possession of a valid certificate

Slide 32: Storage Keys
- Purpose
  - Protection of keys outside the TPM; e.g., a storage key can be used to encrypt other keys, which can then be stored on a hard disk
  - Storage Root Key (SRK) is a special storage key
  - Protection based on system configuration/properties (sealing); e.g., encryption of secrets which can only be recovered if the platform has a defined hard-/software environment
- Properties
  - Typically 2048-bit RSA en-/decryption key pair
  - Generally allowed to be migrated to other TPMs
  - Are not allowed to be non-migratable if one of their parent keys is migratable
  - Must be non-migratable if used for sealing

Slide 33: Binding Keys
- Purpose
  - Protection of arbitrary data outside the TPM
  - Binding is equivalent to traditional asymmetric encryption
- Properties
  - Typically 2048-bit RSA en-/decryption key pair
  - Other asymmetric encryption schemes may be supported by the TPM
  - Can only be used with binding commands
  - Migratable to other TPMs/platforms
  - Are not allowed to be non-migratable if one of their parent keys is migratable

Slide 34: Signing Keys
- Purpose
  - Message authentication of arbitrary data external to the TPM; e.g., to ensure the integrity and origin of arbitrary files stored on the platform or of protocol messages sent by the platform
  - Authentic report of TPM-internal information; e.g., for auditing TPM commands or reporting TPM capabilities
- Properties
  - Typically 2048-bit RSA signing/verification key pair
  - Other signing algorithms may be supported by the TPM
  - Signing keys may be migrated to other TPMs/platforms
  - Are not allowed to be non-migratable if one of their parent keys is migratable

Slide 35: Migration Keys
- Purpose
  - Enable the TPM to act as a migration authority
  - Used to encrypt migratable keys for secure transport from one TPM to another
- Properties
  - 2048-bit RSA en-/decryption key pair
  - Are allowed to be migrated to another TPM
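The key-property rules spread over the slides on migratable keys, the key hierarchy, the key object and the individual key types interact: only storage keys act as parents, a child of a migratable parent may not be non-migratable, AIKs are non-migratable, storage keys used for sealing must be non-migratable, and a key sealed to PCR values is usable only in that state. The Python below is an added example (not from the lecture) that encodes these rules as an admission check for a model hierarchy; the key names, the dataclass fields and the PCR values are constructed, and no actual wrapping or RSA is performed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

STORAGE, SIGNING, BINDING, MIGRATION, AIK = "storage", "signing", "binding", "migration", "aik"

@dataclass
class TPMKey:
    """Subset of the TPM key object fields relevant to the hierarchy rules (constructed model)."""
    name: str
    key_type: str
    migratable: bool
    parent: Optional["TPMKey"]                      # None only for the SRK
    sealed_to: Optional[Dict[int, bytes]] = None    # PCR index -> value the key is sealed to
    used_for_sealing: bool = False

SRK = TPMKey("SRK", STORAGE, migratable=False, parent=None)   # root of the hierarchy

def create_key(name, key_type, migratable, parent, used_for_sealing=False, sealed_to=None):
    """Admit a key into the hierarchy only if the slides' property rules hold."""
    if parent.key_type != STORAGE:
        raise ValueError(f"{parent.name} is not a storage key; only storage keys protect other keys")
    if parent.migratable and not migratable:
        raise ValueError("a key under a migratable parent must not be non-migratable")
    if key_type == AIK and migratable:
        raise ValueError("AIKs are non-migratable signing keys")
    if used_for_sealing and (key_type != STORAGE or migratable):
        raise ValueError("keys used for sealing must be non-migratable storage keys")
    return TPMKey(name, key_type, migratable, parent,
                  None if sealed_to is None else dict(sealed_to), used_for_sealing)

def protection_chain(key):
    """Names of the parents from `key` up to the SRK: the transitive protection path."""
    chain, k = [], key.parent
    while k is not None:
        chain.append(k.name)
        k = k.parent
    return chain

def third_party_can_rely_on(key) -> bool:
    """Only non-migratable keys are guaranteed to reside in TPM-protected locations."""
    return not key.migratable

def usable_in_state(key, current_pcrs) -> bool:
    """A key sealed to PCR values is usable only when each named PCR holds that value."""
    if key.sealed_to is None:
        return True
    return all(current_pcrs.get(i) == v for i, v in key.sealed_to.items())

def creation_rejected(*args, **kwargs) -> bool:
    """True if create_key refuses the requested key."""
    try:
        create_key(*args, **kwargs)
    except ValueError:
        return True
    return False

# Constructed hierarchy echoing the slide's figure (key names are ours, not TCG's).
STOR_K = create_key("StorK", STORAGE, False, SRK)
MIGR_STOR_K = create_key("StorK_migratable", STORAGE, True, SRK)
AIK_BANKING = create_key("AIK_banking", AIK, False, STOR_K)
SIG_K = create_key("SigK", SIGNING, True, MIGR_STOR_K)
TRUSTED_PCRS = {0: b"\x11" * 20, 8: b"\x22" * 20}   # constructed "trusted state" PCR values
SEAL_K = create_key("StorK_seal", STORAGE, False, STOR_K,
                    used_for_sealing=True, sealed_to=TRUSTED_PCRS)
```

The parent rule is what makes the "non-migratable" property meaningful: if a non-migratable key could hang below a migratable storage key, migrating that parent would carry the child along, so the guarantee that the child never leaves TPM-protected storage would be void.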

Slide 36: Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
  - Authentication to the TPM
  - Creating TPM identity
  - TPM owner, taking ownership, deleting ownership
- Key management and maintenance

Slide 37: Authentication to the TPM
- Access to protected entities requires authentication
- Two ways to authenticate to the TPM
- Asserting Physical Presence
  - Proof to the TPM that one has physical access to the platform, via a hardware switch or a BIOS setting (usually the latter is implemented)
  - Can only be used with a limited set of TPM commands
    - Enabling/disabling and activating/deactivating the TPM
    - Resetting the TPM to default settings, deleting the TPM Owner and keys
    - Security-critical commands (TPM firmware update, deletion of the EK)
- Authentication Protocols (AP)
  - Proof to the TPM that one knows an authentication secret, e.g., authentication secret = hash digest of a passphrase
  - Authentication secrets are set by TPM users; e.g., when creating a key, the user sets a passphrase that is required to later authorize the use of the key. The TPM stores the passphrase together with the key in a shielded location.
  - Common way to authenticate to the TPM

Slide 38: Asserting Physical Presence via BIOS
- (BIOS setup screen shown on the slide.) Changing this option executes the TPM_ForceClear() command, which resets the TPM to its default settings and deletes the current TPM Owner and all keys (except the EK)
- A remote adversary cannot access the BIOS
- A local adversary with access to the BIOS is able to disable the TPM and even to delete the TPM Owner without the need to know any secret!

Slide 39: TPM Authentication Protocols (AP)
- Authentication of commands and their parameters
  - Provide assurance that the command, its parameters and the corresponding response of the TPM have not been modified during their transmission to or from the TPM
- TPM basically supports 2 authentication protocols
  - OSAP (Object Specific Authentication Protocol)
  - OIAP (Object Independent Authentication Protocol)
- TPM must support at least two parallel authentication protocol sessions
  - Some TPM commands require two authentications, e.g., the command for unsealing data (see sealing)

Slide 40: Basic Functionality of the TPM's Authentication Protocols
Participants: User U, who knows AuthSecret for the protected entity E (referenced by Handle_E), and the TPM, which also knows AuthSecret for E. The authentication secret AuthSecret is set by the TPM user/owner during creation/initialization of the protected entity (e.g., as a hash of a passphrase).
1. U → TPM: TPM_OSAP() or TPM_OIAP()
2. TPM: generates Nonce_TPM; initializes authentication session S, referenced by the session handle Handle_S (session identifier)
3. TPM → U: Handle_S, Nonce_TPM
4. U: generates Nonce_U; computes the authenticator AuthData_U for the requested TPM command TPM_Command and its input parameters Input:
   AuthData_U ← HMAC(AuthSecret; SHA-1(TPM_Command, Input), Nonce_TPM, Nonce_U)
5. U → TPM: TPM_Command(Input, Handle_E), Handle_S, Nonce_U, AuthData_U
6. TPM: verifies AuthData_U (i.e., recomputes AuthData_U, compares it to the received value, and aborts if they differ). If o.k., the TPM can be assured that the call is fresh (no replay), authentic (has not been modified) and requested by an authorized user. Executes the command: Output ← TPM_Command(Input, Handle_E). Computes the authenticator AuthData_TPM for the executed TPM command TPM_Command() and its output parameters:
   AuthData_TPM ← HMAC(AuthSecret; SHA-1(TPM_Command, Output), Nonce_U)
7. TPM → U: Output, AuthData_TPM
8. U: verifies AuthData_TPM (i.e., recomputes AuthData_TPM, compares it to the received value, and aborts if they differ). If o.k., the user can be assured that the response is fresh (no replay), is authentic (has not been modified) and has been sent by the TPM.

Slide 41: OIAP vs. OSAP
OIAP (Object Independent Authentication Protocol)
- Properties
  - Can authorize use of multiple different protected entities with multiple commands
  - Only one setup necessary for many different entities to be authorized
  - No session key establishment
- Mainly used for
  - Authorization of using protected entities without the need for a shared session secret/key
OSAP (Object Specific Authentication Protocol)
- Properties
  - Can authorize use of a single protected entity with multiple commands
  - One setup required for each entity to be authorized
  - Establishes an ephemeral shared session key, which can be used as a cryptographic secret
- Mainly used for
  - Setting or changing authentication data for protected entities

Slide 42: OIAP Protocol
Participants: TPM and TPM User U, who wants authorized use of the protected entity referenced by Handle_E (e.g., a key).
1. U → TPM: TPM_OIAP() (OIAP session initialization)
2. TPM → U: Handle_OIAP, Nonce_TPM
3. U: chooses Nonce_U; computes InAuthData_OIAP
4. U → TPM: TPM_Command(Input, Handle_E), InAuthData_OIAP
5. TPM: verifies InAuthData_OIAP; executes TPM_Command; computes Nonce_TPM2; computes OutAuthData_OIAP
6. TPM → U: Output, OutAuthData_OIAP
7. U: verifies OutAuthData_OIAP
User authentication data: InAuthData_OIAP = (Handle_OIAP, Nonce_U, InAuthDigest_OIAP)
Authenticator of user U: InAuthDigest_OIAP ← HMAC(AuthSecret_Entity; SHA-1(TPM_Command, Input), Nonce_TPM, Nonce_U)
TPM authentication data: OutAuthData_OIAP = (Nonce_TPM2, OutAuthDigest_OIAP)
Authenticator of TPM: OutAuthDigest_OIAP ← HMAC(AuthSecret_Entity; SHA-1(TPM_Command, Output), Nonce_TPM2, Nonce_U)

Slide 43: OSAP Protocol
Participants: TPM and TPM User U, who wants authorized use of the protected entity Handle_Entity (e.g., a key) and a shared session secret K.
1. U: chooses Nonce_U1, Nonce_U2
2. U → TPM: TPM_OSAP(Handle_Entity, Nonce_U1) (OSAP session initialization)
3. TPM: chooses Nonce_TPM1, Nonce_TPM2; computes session key K
4. TPM → U: Handle_OSAP, Nonce_TPM1, Nonce_TPM2
5. U: computes session key K; computes InAuthData_OSAP
6. U → TPM: TPM_Command(Input, Handle_Entity), InAuthData_OSAP
7. TPM: verifies InAuthData_OSAP; executes TPM_Command; chooses Nonce_TPM3; computes OutAuthData_OSAP
8. TPM → U: Output, OutAuthData_OSAP
9. U: verifies OutAuthData_OSAP
Session key: K ← HMAC(AuthSecret_Entity; Nonce_TPM2, Nonce_U1)
User authentication data: InAuthData_OSAP = (Handle_OSAP, Nonce_U2, InAuthDigest_OSAP)
Authenticator of user U: InAuthDigest_OSAP ← HMAC(K; SHA-1(TPM_Command, Input), Nonce_TPM1, Nonce_U2)
TPM authentication data: OutAuthData_OSAP = (Nonce_TPM3, OutAuthDigest_OSAP)
Authenticator of TPM: OutAuthDigest_OSAP ← HMAC(K; SHA-1(TPM_Command, Output), Nonce_TPM3, Nonce_U2)
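The generic authentication protocol and its two instances, OIAP and OSAP, differ only in which key feeds the HMAC (the entity's AuthSecret directly, or the derived session key K) and in how the nonces roll. The Python below is an added example (not from the lecture or the TCG stack) that plays both sides of both protocols against a toy in-memory TPM, using the authenticator formulas from the slides; it omits the ordinal and continue-session fields of the real TPM 1.2 wire format, and the entity handle, passphrase and command output are constructed.

```python
import hashlib
import hmac
import os

def sha1(*parts: bytes) -> bytes:
    """SHA-1 over the concatenation of its arguments, e.g. SHA-1(TPM_Command, Input)."""
    return hashlib.sha1(b"".join(parts)).digest()

def authenticator(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA1(key; fields...), the shape of every authenticator on the slides."""
    return hmac.new(key, b"".join(fields), hashlib.sha1).digest()

class SimTPM:
    """Toy TPM: a table of protected entities (handle -> AuthSecret) plus auth sessions."""

    def __init__(self, entities):
        self.entities = dict(entities)
        self.sessions = {}
        self._next_handle = 1

    def _open(self, state):
        handle = self._next_handle
        self._next_handle += 1
        self.sessions[handle] = state
        return handle

    def oiap(self):
        """TPM_OIAP(): entity-independent session, no shared session key."""
        nonce_tpm = os.urandom(20)
        return self._open({"key": None, "entity": None, "nonce_tpm": nonce_tpm}), nonce_tpm

    def osap(self, entity_handle, nonce_u1):
        """TPM_OSAP(Handle_Entity, Nonce_U1): session bound to one entity with the
        ephemeral key K <- HMAC(AuthSecret_Entity; Nonce_TPM2, Nonce_U1)."""
        nonce_tpm1, nonce_tpm2 = os.urandom(20), os.urandom(20)
        k = authenticator(self.entities[entity_handle], nonce_tpm2, nonce_u1)
        handle = self._open({"key": k, "entity": entity_handle, "nonce_tpm": nonce_tpm1})
        return handle, nonce_tpm1, nonce_tpm2

    def command(self, cmd, inp, entity_handle, session_handle, nonce_u, in_auth_digest):
        """Authorized command: verify the caller's authenticator, execute, authenticate the reply."""
        s = self.sessions[session_handle]
        if s["entity"] is not None and s["entity"] != entity_handle:
            raise PermissionError("OSAP session is bound to a different entity")
        key = s["key"] if s["key"] is not None else self.entities[entity_handle]
        expected = authenticator(key, sha1(cmd, inp), s["nonce_tpm"], nonce_u)
        if not hmac.compare_digest(expected, in_auth_digest):
            raise PermissionError("InAuthData verification failed")
        output = sha1(b"constructed output of", cmd, inp)  # stand-in for the real command result
        nonce_tpm_next = os.urandom(20)                    # rolling TPM nonce: defeats replay
        out_auth_digest = authenticator(key, sha1(cmd, output), nonce_tpm_next, nonce_u)
        s["nonce_tpm"] = nonce_tpm_next
        return output, nonce_tpm_next, out_auth_digest

def oiap_use(tpm, entity_handle, auth_secret, cmd, inp):
    """User side of the OIAP protocol; raises if the TPM's reply does not authenticate."""
    handle, nonce_tpm = tpm.oiap()
    nonce_u = os.urandom(20)
    in_digest = authenticator(auth_secret, sha1(cmd, inp), nonce_tpm, nonce_u)
    output, nonce_tpm2, out_digest = tpm.command(cmd, inp, entity_handle, handle, nonce_u, in_digest)
    expected = authenticator(auth_secret, sha1(cmd, output), nonce_tpm2, nonce_u)
    if not hmac.compare_digest(expected, out_digest):
        raise ValueError("OutAuthData verification failed: reply not from the TPM or modified")
    return output

def osap_use(tpm, entity_handle, auth_secret, cmd, inp):
    """User side of the OSAP protocol; returns the output and the shared session key K."""
    nonce_u1 = os.urandom(20)
    handle, nonce_tpm1, nonce_tpm2 = tpm.osap(entity_handle, nonce_u1)
    k = authenticator(auth_secret, nonce_tpm2, nonce_u1)   # same derivation as the TPM
    nonce_u2 = os.urandom(20)
    in_digest = authenticator(k, sha1(cmd, inp), nonce_tpm1, nonce_u2)
    output, nonce_tpm3, out_digest = tpm.command(cmd, inp, entity_handle, handle, nonce_u2, in_digest)
    expected = authenticator(k, sha1(cmd, output), nonce_tpm3, nonce_u2)
    if not hmac.compare_digest(expected, out_digest):
        raise ValueError("OutAuthData verification failed: reply not from the TPM or modified")
    return output, k

def authorization_fails(fn, *args) -> bool:
    """True if the TPM rejects the call."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def replay_rejected(tpm, entity_handle, auth_secret, cmd, inp) -> bool:
    """Resend a recorded, once-accepted message; the rolled Nonce_TPM makes it stale."""
    handle, nonce_tpm = tpm.oiap()
    nonce_u = os.urandom(20)
    in_digest = authenticator(auth_secret, sha1(cmd, inp), nonce_tpm, nonce_u)
    tpm.command(cmd, inp, entity_handle, handle, nonce_u, in_digest)
    return authorization_fails(tpm.command, cmd, inp, entity_handle, handle, nonce_u, in_digest)
```

Usage: create `SimTPM({handle: sha1(passphrase)})`, then call `oiap_use` or `osap_use` with the same secret. Note that with OIAP the user's AuthSecret is the HMAC key of every message, whereas OSAP only ever uses it once, to derive K, which is why OSAP is the protocol used for setting or changing authentication data.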

Slide 44: Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
  - Authentication to the TPM
  - Creating TPM identity
  - TPM owner, taking ownership, deleting ownership
- Key management and maintenance

Slide 45: Creating a Non-Revocable EK
(pk_EK, digest_EK) ← TPM_CreateEndorsementKeyPair(Nonce, par_EK)
    if EK already exists then
        return error;
    else
        if par_EK describes a storage key providing security at least equivalent to RSA-2048 then
            (sk_EK, pk_EK) ← GenKey(par_EK);
            digest_EK ← SHA-1(pk_EK, Nonce);
            return (pk_EK, digest_EK);
        else
            return error;
        end if;
    end if;
Input
- Nonce is an anti-replay value chosen by the caller of the command (e.g., a software for creating the EK)
- par_EK are the parameters for the key generation algorithm (e.g., key size, key type, etc.) chosen by the caller of the command
Note
- The EK typically is an RSA key

Slide 46: Creating a Revocable EK
(pk_EK, digest_EK, A_RevEK) ← TPM_CreateRevocableEK(Nonce, par_EK, par_Rev, A_Rev)
    if EK already exists then
        return error;
    else
        if par_EK describes a storage key providing security at least equivalent to RSA-2048 then
            (sk_EK, pk_EK) ← GenKey(par_EK);
            if par_Rev = TRUE then
                A_RevEK ← RNG(20);
            else
                A_RevEK ← A_Rev;
            end if;
            digest_EK ← SHA-1(pk_EK, Nonce);
            return (pk_EK, digest_EK, A_RevEK);
        else
            return error;
        end if;
    end if;
Prerequisites
- Command is executed in a secure environment (e.g., during manufacturing)
Input
- A_Rev is an authentication secret chosen by the caller of the command
- par_Rev indicates whether the TPM should choose a random authentication secret A_RevEK or use A_Rev
Note
- A_RevEK must be provided to the TPM later to authorize revocation of the EK
- This is an optional command

Slide 47: Revoking a Revocable EK
() ← TPM_RevokeTrust(A_Rev)
    if EK is non-revocable then
        return error;
    else
        if A_Rev = A_RevEK and physical presence is asserted then
            TPM_OwnerClear();
            delete all TPM-internal EK-related data;
            delete (sk_EK, pk_EK);
        else
            return error;
        end if;
    end if;
Prerequisites
- Existing EK is revocable
- Authentication data required to revoke the EK is A_RevEK, which has been defined during creation of the EK
Note
- TPM_OwnerClear() resets the TPM to its default setting and resets all owner-specific data to their default values (see TPM Owner)
- This is an optional command

Slide 48: Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
  - Authentication to the TPM
  - Creating TPM identity
  - TPM owner, taking ownership, deleting ownership
- Key management and maintenance

Slide 49: TPM Owner
- Entity owning a TPM-enabled platform, e.g., the person owning the platform or an IT department
- TPM Owner must initialize the TPM to use its full functionality ("take ownership" of the TPM)
  - Owner sets the owner authentication secret
  - Owner creates the Storage Root Key (SRK) (see TPM keys)
- Owner authentication
  - Proof of knowledge of the owner credentials to the TPM, e.g., via TPM authentication protocols or physical presence
  - Permits the TPM to use several protected capabilities, e.g., migration of cryptographic keys or deletion of the TPM Owner

Slide 50: Protocol for Creating a TPM Owner
Participants: TPM and TPM Owner O.
1. O → TPM: TPM_OIAP() (initialization of the authentication protocol)
2. TPM → O: Handle_OIAP, Nonce_TPM
3. O: computes InAuthData_OIAP
4. O → TPM: TPM_TakeOwnership(enc_EK(A_Owner), enc_EK(A_SRK), par_SRK), InAuthData_OIAP
5. TPM: verifies InAuthData_OIAP
6. TPM → O: OutAuthData_OIAP
7. O: verifies OutAuthData_OIAP
- Here, OIAP is only used to authenticate the TPM's response to the TPM Owner; e.g., on successful verification of OutAuthData_OIAP the TPM Owner can be assured that the TPM has created a TPM Owner and set the correct owner authentication secret A_Owner and the authentication secret A_SRK for using the SRK
- See OIAP protocol

Slide 51: Protocol for Deleting a TPM Owner
Participants: TPM and TPM Owner O.
1. O → TPM: TPM_OIAP() (initialization of the authentication protocol)
2. TPM → O: Handle_OIAP, Nonce_TPM
3. O: computes InAuthData_OIAP
4. O → TPM: TPM_OwnerClear(Handle_Owner), InAuthData_OIAP
5. TPM: verifies InAuthData_OIAP
6. TPM → O: OutAuthData_OIAP
7. O: verifies OutAuthData_OIAP
- The OIAP session is used to authenticate
  - the TPM Owner to the TPM; e.g., on successful verification of InAuthData_OIAP the TPM can be assured that the command has been called by the TPM Owner
  - the TPM's response to the TPM Owner; e.g., on successful verification of OutAuthData_OIAP the TPM user can be assured that the TPM has actually deleted the TPM Owner and all associated data

Slide 52: TPM Interface for Deleting Owner
OutAuthData_OIAP ← TPM_OwnerClear(Handle_Owner), InAuthData_OIAP
    if OIAPVerify(Handle_Owner, InAuthData_OIAP) ≠ ok or deletion of owner has been disabled then
        return error;
    else
        compute OutAuthData_OIAP;
        unload all currently loaded keys;
        delete A_Owner;
        delete SRK;
        set all owner-related internal variables to their defaults;
        terminate all currently open sessions;
        return OutAuthData_OIAP;
    end if;
Notes
- Handle_Owner informs the TPM that the TPM Owner should be authorized
- InAuthData_OIAP refers to parameters of a previously opened OIAP authentication session used to prove knowledge of the owner authentication secret to the TPM
- OutAuthData_OIAP refers to the parameters of a previously opened OIAP session providing authenticity of the TPM's output (e.g., proof that the TPM actually deleted the TPM Owner)
- OIAPVerify() verifies whether the user knows the owner authentication secret
- See OIAP authentication protocol
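The EK creation and revocation commands, TPM_ForceClear via physical presence, TPM_TakeOwnership and the TPM_OwnerClear interface above together form a small state machine whose error paths are the security-relevant part: only one EK, at least RSA-2048 strength, revocation only with the secret fixed at creation plus physical presence, and owner deletion only with the owner secret unless disabled. The Python below is an added example (not from the lecture) that models this state machine; key material is random bytes standing in for RSA keys, owner authentication compares the secret directly instead of running OIAP, and all secrets and nonces are constructed.

```python
import hashlib
import hmac
import os

class TPMError(Exception):
    """Raised where the slides' pseudocode says 'return error'."""

class SimTPMState:
    """Constructed state machine for the EK and TPM Owner lifecycle; not a real TPM."""

    def __init__(self):
        self.ek = None                   # {"pk": ..., "revocable": bool, "a_revek": bytes|None}
        self.owner_auth = None           # A_Owner; None means the TPM has no owner
        self.srk = None                  # stand-in for the SRK created at TakeOwnership
        self.loaded_keys = set()
        self.open_sessions = set()
        self.owner_clear_disabled = False
        self.physical_presence = False   # asserted via BIOS option or hardware switch

    def create_ek(self, nonce, key_bits, revocable=False, par_rev=False, a_rev=None):
        """TPM_CreateEndorsementKeyPair (revocable=False) / TPM_CreateRevocableEK (revocable=True)."""
        if self.ek is not None:
            raise TPMError("EK already exists")
        if key_bits < 2048:
            raise TPMError("par_EK must give security at least equivalent to RSA-2048")
        pk_ek = os.urandom(key_bits // 8)          # stand-in for GenKey(par_EK), not a real RSA key
        a_revek = None
        if revocable:
            a_revek = os.urandom(20) if par_rev else a_rev   # TPM-chosen (RNG(20)) or caller-chosen
        self.ek = {"pk": pk_ek, "revocable": revocable, "a_revek": a_revek}
        digest_ek = hashlib.sha1(pk_ek + nonce).digest()     # digest_EK <- SHA-1(pk_EK, Nonce)
        return pk_ek, digest_ek, a_revek

    def take_ownership(self, a_owner, a_srk):
        """TPM_TakeOwnership: sets A_Owner and creates the SRK; refused if an owner exists."""
        if self.ek is None:
            raise TPMError("no EK: ownership cannot be taken")
        if self.owner_auth is not None:
            raise TPMError("TPM already has an owner")
        self.owner_auth = a_owner
        self.srk = {"auth": a_srk, "key": os.urandom(256)}  # stand-in for the 2048-bit SRK

    def _clear_owner_data(self):
        """Shared tail of TPM_OwnerClear / TPM_ForceClear / TPM_RevokeTrust."""
        self.loaded_keys.clear()        # unload all currently loaded keys
        self.owner_auth = None          # delete A_Owner
        self.srk = None                 # delete SRK: the whole key hierarchy becomes unusable
        self.open_sessions.clear()      # terminate all currently open sessions

    def owner_clear(self, a_owner):
        """TPM_OwnerClear: needs the owner secret (compared directly here instead of via OIAP)."""
        if self.owner_auth is None or self.owner_clear_disabled:
            raise TPMError("no owner, or deletion of the owner has been disabled")
        if not hmac.compare_digest(self.owner_auth, a_owner):
            raise TPMError("owner authentication failed")
        self._clear_owner_data()

    def force_clear(self):
        """TPM_ForceClear: physical presence instead of a secret; the EK survives."""
        if not self.physical_presence:
            raise TPMError("physical presence not asserted")
        self._clear_owner_data()

    def revoke_trust(self, a_rev):
        """TPM_RevokeTrust: revocable EK, correct A_RevEK and physical presence required."""
        if self.ek is None or not self.ek["revocable"]:
            raise TPMError("EK is non-revocable")
        if not (hmac.compare_digest(self.ek["a_revek"], a_rev) and self.physical_presence):
            raise TPMError("revocation refused")
        self._clear_owner_data()        # TPM_OwnerClear()
        self.ek = None                  # delete (sk_EK, pk_EK) and all EK-related data

def refused(fn, *args, **kwargs) -> bool:
    """True if the command returns error, i.e. raises TPMError."""
    try:
        fn(*args, **kwargs)
    except TPMError:
        return True
    return False
```

Walking through a lifecycle (create EK, take ownership, clear, revoke) with this model makes the asymmetry of the slides concrete: TPM_ForceClear needs no secret but leaves the EK in place, while TPM_RevokeTrust needs both the revocation secret and physical presence and destroys the identity itself.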

53 Roadmap: TPM
   Introduction to TPM
   TCG Terminology and assumptions
   Identities and keys
   Authentication and Ownership
   Key management and maintenance

Slide Nr. 66, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016

54 Overview of Maintenance
   Transfers all TPM-protected data to another TPM
      Necessary when exchanging a (defective) subsystem that contains a TPM without losing non-migratable data
   Different from backup/migration
      Maintenance can also migrate data that cannot be migrated using the TPM's migration functionality
      Requires intervention of the subsystem's manufacturer
   Vendor-specific feature
      Maintenance commands are not exactly specified by TCG
   Optional feature, but if implemented
      All specified maintenance capabilities are mandatory
      No maintenance capabilities other than the specified ones may be implemented

Slide Nr. 67, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016

55 Specified Security Requirements
   Confidentiality and cloning: Data to be migrated must not be accessible by more than one TPM at a time, nor exposed to third parties including the manufacturer
   Policy conformance: Maintenance must require
      Source and target platforms are from the same manufacturer and model
      Active participation of the TPM Owner
   Migration of non-migratable data requires cooperation of
      the owner of the non-migratable data, e.g., to authorize moving his sensitive data to another platform
      the manufacturer of the subsystem, e.g., who must revoke the old Endorsement Credential and guarantee destruction of the old TPM (which still contains the migrated data)

Slide Nr. 68, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016

56 Typical Maintenance Sequence

Participants: Subsystem Owner (TPM Owner), Old Subsystem (contains TPM_1), New Subsystem (contains TPM_2), Subsystem Manufacturer, Certification Authorities

    1. Subsystem Manufacturer generates maintenance key pair (sk_M, pk_M)
    2. Subsystem Manufacturer -> Subsystem Owner: pk_M
    3. Subsystem Owner -> TPM_1: TPM_LoadManuMaintPub(pk_M)
    4. Subsystem Owner -> TPM_1: TPM_CreateMaintenanceArchive()
    5. TPM_1 creates maintenance archive Arc_M, encrypted with a symmetric key chosen by the TPM Owner and with pk_M
    6. TPM_1 -> Subsystem Owner: Arc_M
    7. Subsystem Owner -> Subsystem Manufacturer: Arc_M
    8. Subsystem Manufacturer -> Certification Authorities: revoke EK of TPM_1
    9. Subsystem Manufacturer decrypts Arc_M using sk_M and re-encrypts it to Arc_M' using the public SRK of TPM_2
   10. Subsystem Manufacturer -> Subsystem Owner: Arc_M'
   11. Subsystem Owner -> TPM_2: TPM_LoadMaintenanceArchive(Arc_M')
   12. TPM_2 decrypts Arc_M' using the (subsystem manufacturer's) secret SRK and the symmetric key chosen by the TPM Owner, and overwrites all shielded locations with the data from Arc_M'

Note: TPM_2 is temporarily owned by the subsystem manufacturer
Note: The symmetric key can be derived from the owner authentication secret or the TPM's RNG
Note: After finishing the maintenance sequence, all owner-specific data has been migrated from TPM_1 to TPM_2


More information

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE Cryptographic Appliances with Integrated Level 3+ Hardware Security Module The BlackVault hardware security platform keeps cryptographic material

More information

Security Requirements for Crypto Devices

Security Requirements for Crypto Devices Security Requirements for Crypto Devices Version 1.0 02 May 2018 Controller of Certifying Authorities Ministry of Electronics and Information Technology 1 Document Control Document Name Security Requirements

More information

Refresher: Applied Cryptography

Refresher: Applied Cryptography Refresher: Applied Cryptography (emphasis on common tools for secure processors) Chris Fletcher Fall 2017, 598 CLF, UIUC Complementary reading Intel SGX Explained (ISE) Victor Costan, Srini Devadas https://eprint.iacr.org/2016/086.pdf

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report TM Trusted Computing Group (TCG) Personal Computer (PC) Specific Trusted Building Block (TBB)

More information

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14 Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture

More information

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by

More information

Security Target NUVOTON TECHNOLOGY CORPORATION. Version: 1.1. Date: April Rachel Menda-Shabat

Security Target NUVOTON TECHNOLOGY CORPORATION. Version: 1.1. Date: April Rachel Menda-Shabat NUVOTON TECHNOLOGY CORPORATION Security Target Version: 1.1 Date: April 2015 Author: Rachel Menda-Shabat Product: TPM1.2 (Hardware FB5C85D, Firmware 5.81.0.0) Manufacturer: Nuvoton Technology Corporation

More information

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!? 50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2018 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth

More information

A Robust Integrity Reporting Protocol for Remote Attestation

A Robust Integrity Reporting Protocol for Remote Attestation A Robust Integrity Reporting Protocol for Remote Attestation Frederic Stumpf, Omid Tafreschi, Patrick Röder, Claudia Eckert Darmstadt University of Technology, Department of Computer Science, D-64289 Darmstadt,

More information

TLS-ENFORCED ATTESTATION. A Project. California State University, Sacramento. Submitted in partial satisfaction of the requirements for the degree of

TLS-ENFORCED ATTESTATION. A Project. California State University, Sacramento. Submitted in partial satisfaction of the requirements for the degree of TLS-ENFORCED ATTESTATION A Project Presented to the faculty of the Department of Computer Science California State University, Sacramento Submitted in partial satisfaction of the requirements for the degree

More information

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module FIPS 140-2 Security Policy for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module Hardware Version: 88i8925, 88i8922, 88i8945, and 88i8946 Firmware Version: Solaris2-FIPS-FW-V1.0 Document Version:

More information

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications Infineon Network Use Case Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications Providing Infineon customers with an easy path to integrating TPM support into their products and systems

More information

Binding keys to programs using Intel SGX remote attestation

Binding keys to programs using Intel SGX remote attestation Binding keys to programs using Intel SGX remote attestation Mark D. Ryan London Crypto Day 22 September 2017 1 Intel SGX Intel SGX is a set of processor instructions which allow one: To set up an enclave

More information