Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
Slide 1: Lecture Secure, Trusted and Trustworthy Computing: Trusted Platform Module
Prof. Dr.-Ing. Ahmad-Reza Sadeghi, System Security Lab, Technische Universität Darmstadt (CASED), Germany, Winter Term 2015/2016

Slide 2: Roadmap: TPM
- Introduction to TPM
  - TPM architecture
  - Integration of TPM in PC's software and hardware, start-up
  - Core Root of Trust for Measurement (CRTM)
- TCG terminology and assumptions
- Identities and keys
- Authentication and ownership
- Key management
Slide Nr. 2, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016
Slide 3: Trusted Platform Module (TPM)
- Current implementation is a cryptographic co-processor
  - Hardware-based random number generation
  - Small set of cryptographic functions: key generation, signing, encryption, hashing, MAC
- Offers additional functionality
  - Secure storage (ideally tamper-resistant)
  - Platform integrity measurement and reporting
- Embedded into the platform's motherboard
- Acts as a Root of Trust: the TPM must be trusted by all parties
- Two versions of the specification available
- Many vendors already ship their platforms with a TPM

Slide 4: TPM Architecture (block diagram of the TPM components)
- Input/Output: protocol en-/decoding; enforces access policies; system interface (e.g., LPC bus)
- Cryptographic co-processor: asymmetric en-/decryption (RSA), digital signature (RSA)
- SHA-1 engine and HMAC engine
- Random number generation
- Key generation: asymmetric keys (RSA), symmetric keys, nonces
- Platform Configuration Registers PCR[0] ... PCR[23]: storage of integrity measurements
- Opt-In: stores TPM state information (e.g., whether the TPM is disabled); enforces state-dependent limitations (e.g., some commands must not be executed if the TPM is disabled)
- Execution engine: processes TPM commands; ensures segregation of operations; ensures protection of secrets
- Non-volatile memory: stores persistent TPM data (e.g., the TPM identity or special keys); provides read-, write- or unprotected storage accessible from outside the TPM

Slide 5: Planned Features of Next Generation TPM
- Variability of cryptographic algorithms
  - Current TPM specifications are fixed on RSA and SHA-1
  - Support for different crypto algorithms is needed in many applications (e.g., ECC-based crypto)
- Support for virtualized systems
  - Current TPMs are difficult to virtualize
  - Virtualization support is required in many security architectures (e.g., virtual machines need virtual TPMs)
- Security enhancements, e.g., to prevent users from choosing weak TPM passwords
- Performance and usability improvements
Slide 6: TPM-Internal Functions and Features I
- SHA-1 engine: computes the SHA-1 digest of arbitrary data
  digest ← SHA-1(data)
- HMAC engine: computes the HMAC digest resulting from a secret and arbitrary data
  authdigest ← HMAC(secret; data)
  Mainly used in the TPM's authentication protocols (see OSAP/OIAP protocols)
- Platform Configuration Registers (PCRs): copies the current values stored in the TPM's PCRs to state
  state ← getcurrentpcrs()
  e.g., used in the context of sealing to derive the platform's current configuration

Slide 7: TPM-Internal Functions and Features II
- Random number generator: returns n random bytes
  rand ← RNG(n)
  Mainly used to derive 20 random bytes, e.g., to be used as a nonce (anti-replay value)
- Key generation engine: generates a key pair (pk, sk) according to the parameters given in par (e.g., key size, key type, etc.)
  (pk, sk) ← GenKey(par)
Slide 8: TPM Integration into PC Hardware (block diagram)
- Central Processing Unit (CPU)
- Graphics and Memory Controller Hub (GMCH), chipset northbridge: connects the CPU, the graphics controller and system memory
- Interface Controller Hub (ICH), chipset southbridge: hard disks, expansion cards, USB devices, network interface
- Low Pin Count (LPC) bus attached to the ICH: system BIOS, TPM, Super I/O (legacy devices: floppy drive, PS/2, parallel I/O, serial I/O)

Slide 9: TPM Software Integration (layered diagram of the Trusted Software Stack, TSS)
- Applications (local): TCG application; conventional application using a conventional cryptographic interface (e.g., MS-CAPI, PKCS#11); a remote TCG application on a remote trusted platform reaches the stack over RPC (Remote Procedure Call: RPC client / RPC server)
- TSP Interface (TSPI): the TCG Service Provider (TSP) provides an object-oriented interface for TCG-enabled applications
- TCS Interface (TCSI): the TCG Core Services (TCS), running as system services, provide key and credential management, platform integrity measurement and reporting (TPM event log), and parsing and handling of TPM commands
- TDDL Interface (TDDLI): the TPM Device Driver Library (TDDL) provides a standard interface for TPMs of different manufacturers and handles the transition between user mode and kernel mode
- TPM device driver (operating system, kernel mode)
- Hardware: CRTM and TPM
Slide 10: Core Root of Trust for Measurement (CRTM)
- Immutable portion of the host platform's initialization code that is executed upon a host platform reset
- Trust in all measurements is based on the integrity of the CRTM
- Ideally the CRTM is contained in the TPM
- Implementation decisions may require the CRTM to be located in other firmware (e.g., BIOS boot block)

Slide 11: Possible CRTM Implementations
1. CRTM = BIOS boot block
   - BIOS is composed of the BIOS boot block and the POST BIOS
   - Each of these is an independent component; each can be updated independently of the other
   - POST BIOS is not part of the CRTM but is measured by the chain of trust
2. CRTM = entire BIOS
   - BIOS is composed of a single atomic entity
   - Entire BIOS is updated, modified, or maintained as a single component
Slide 12: Roadmap: TPM
- Introduction to TPM: TPM architecture; integration of TPM in PC's software and hardware, start-up; Core Root of Trust for Measurement (CRTM)
- TCG terminology and assumptions
- Identities and keys
- Authentication and ownership
- Key management and maintenance

Slide 13: TCG Terminology I
- Shielded location: place where sensitive data can be stored or operated on safely, e.g., memory locations inside the TPM, or data objects encrypted by the TPM and stored on external storage (e.g., hard disk)
- Protected capabilities (protected functions): set of commands with exclusive permission to access shielded locations, e.g., commands for cryptographic key management, sealing of data to a system state, etc.
- Protected entity: refers to a protected capability or a sensitive data object stored in a shielded location

Slide 14: TCG Terminology II
- Integrity measurement: process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform and storing digests of these metrics in the TPM's PCRs
  - Platform characteristic = hash digest of the software to be executed
- Platform Configuration Registers (PCR): shielded location to store integrity measurement values
  - PCRs can only be extended: PCR_{i+1} ← SHA-1(PCR_i || value)
  - PCRs are reset only when the platform is rebooted
- Integrity logging: storing integrity metrics in a log for later use, together with additional information about what has been measured (software manufacturer name, software name, version, etc.)
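The extend operation and the integrity log on slide 14 are easiest to understand when run together: the PCR sits in a shielded location, the log does not, and a verifier recomputes the PCR from the log to check that the log has not been altered. The following Python block is an added example written for this page, not code from the lecture; the boot chain it measures is constructed sample data, not real firmware images.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold one SHA-1 digest and start at all-zero after reboot


def sha1(*parts: bytes) -> bytes:
    h = hashlib.sha1()
    for p in parts:
        h.update(p)
    return h.digest()


def extend(pcr: bytes, value: bytes) -> bytes:
    """PCR_{i+1} = SHA-1(PCR_i || value): the only way a PCR changes between reboots."""
    return sha1(pcr, value)


def measure_and_log(components):
    """Simulated measured boot: hash each component (the platform characteristic),
    extend the digest into the PCR, and append an integrity-log entry describing
    what was measured. `components` is a list of (description, binary) tuples."""
    pcr = bytes(PCR_SIZE)
    log = []
    for description, binary in components:
        digest = sha1(binary)
        pcr = extend(pcr, digest)
        log.append({"description": description, "digest": digest})
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR value that this log should produce."""
    pcr = bytes(PCR_SIZE)
    for entry in log:
        pcr = extend(pcr, entry["digest"])
    return pcr


def verify_log(log, reported_pcr: bytes) -> bool:
    """True iff the (unprotected) log is consistent with the PCR the TPM reports."""
    return replay_log(log) == reported_pcr


# Constructed boot chain for the example (not real firmware or kernel images).
BOOT_CHAIN = [
    ("CRTM / BIOS boot block", b"bios-boot-block-v1"),
    ("POST BIOS", b"post-bios-v1"),
    ("boot loader", b"bootloader-v2"),
    ("OS kernel", b"kernel-4.4"),
]


def demo():
    """Returns (honest_log_verifies, tampered_log_verifies)."""
    pcr, log = measure_and_log(BOOT_CHAIN)
    honest = verify_log(log, pcr)
    # Editing the log on disk (e.g. hiding a modified kernel) cannot be made to
    # agree with the PCR, because the PCR itself is inside the TPM.
    tampered = [dict(e) for e in log]
    tampered[3]["digest"] = sha1(b"kernel-4.4-modified")
    return honest, verify_log(tampered, pcr)


if __name__ == "__main__":
    print(demo())
```

Because extend is a chained hash, the order of measurements matters as well: the same four digests extended in a different order yield a different PCR value, which is why a verifier must replay the log exactly as recorded.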
Slide 15: TCG Assumptions and Trust Model I
- Unforgeability of measurements: the platform configuration cannot be forged after measurements have been taken
  - However, today's OS can be (maliciously) modified
- Hash digests of binaries express trustworthiness: a verifier can determine the initial configuration from the digests
  - However, the TCB of today's platforms is too complex
- Secure channels can be established
  - Between HW components (TPM and CPU), since they may have certified authentication keys provided by a PKI
  - Between machines running on the same platform (e.g., attestor and host) by using operating system mechanisms (secure OS)

Slide 16: TCG Assumptions and Trust Model II
- Protection against software attacks only: unprotected communication link between TPM and CPU
- Security issues of certain TPM aspects
  - Automated verification available
  - Integration of the TPM in the chipset may potentially be problematic: engineering trade-off between security and technical evaluation (TPM construction kit)
- Towards more security against hardware attacks
  - Currently TPMs have rudimentary hardware protection mechanisms: over/under voltage detection, low frequency sensor, high frequency filter, reset filter, memory encryption/decryption, etc.
  - Some manufacturers started 3rd party certification (Common Criteria)
  - CRTM is not tamper-resistant (implemented in unprotected BIOS)
Slide 17: Roadmap: TPM
- Introduction to TPM
- TCG terminology and assumptions
- Identities and keys: TPM and platform identity; TPM keys and their properties; TPM key types
- Authentication and ownership
- Key management and maintenance

Slide 18: TPM Identity (Endorsement Key)
- TPM identity is represented by the Endorsement Key (EK)
  - Unique en-/decryption key pair
  - Private key does not leave the TPM
  - Public key is privacy-sensitive (since it identifies a TPM/platform)
- Generated during the manufacturing process of the TPM, either in the TPM or externally and then embedded into the TPM
- Must be certified by the EK-generating entity, e.g., by the TPM manufacturer
- Can be deleted (revoked) and re-generated by a TPM user
  - Revocation must be enabled during creation of the EK
  - Deletion must be authorized by a secret defined during EK creation
  - EK re-creation invalidates the Endorsement Credential (EC)
- Readable from the TPM via
  - TPM_ReadPubek (command disabled after taking ownership of the TPM)
  - TPM_OwnerReadInternalPub (requires the owner authentication secret set during taking ownership)

Slide 19: Endorsement Credential
- Digital certificate stating that the EK has been properly created and embedded into a TPM
- Issued by the entity who generated the EK, e.g., the TPM manufacturer
- Includes: TPM manufacturer name; TPM model number; TPM version; public EK pk_EK (privacy sensitive)
(Figure: Endorsement Credential containing pk_EK, referring to the TPM that holds the EK)
Slide 20: Platform Identity
- Platform identity is equivalent to TPM identity (EK)
  - EK is a unique identifier for a TPM
  - A TPM must be bound to only one platform: either physical binding (e.g., soldered to the platform's motherboard) or logical binding (e.g., by using cryptography)
  - Common implementation: TPM soldered to the platform's motherboard
  - Therefore an EK uniquely identifies a platform
- Platform Credential asserts that a TPM has been correctly integrated into a platform

Slide 21: Platform Credential
- Digital certificate stating that an individual platform contains the TPM described in the Endorsement Credential (EC)
- Issued by the platform manufacturer, e.g., system or motherboard manufacturer
- Includes: platform manufacturer name; platform model and version number; references to (digests of) the corresponding Endorsement and Conformance Credential
- Conformance Credential asserts that a platform type fulfills the evaluation guidelines defined by the TCG
(Figure: Endorsement Credential with pk_EK; Platform Credential with Hash(EK) and a reference to the Conformance Credential)

Slide 22: TPM Credentials on PC Platform
- TPM credentials may be distributed in the following ways
  - On the platform's distribution CD (impractical: every platform requires an individual CD)
  - On a partition of the platform's hard disk
  - Over the TPM or platform manufacturer's web site
  - In the non-volatile storage area of the TPM (most commonly used)
- Current situation
  - Only one TPM manufacturer is known to provide an Endorsement Credential
  - There is no known TPM that comes with a Platform or Conformance Credential
- Distribution via non-volatile storage
  - Reserved address space in the non-volatile storage of the TPM for TPM credentials
  - Access to these credentials is only allowed after TPM owner authentication
- Distribution via the manufacturer's website: requires identification of the TPM, e.g., via the EK
  1. TSS establishes a secure channel (authenticated, confidential) with the TPM manufacturer
  2. TSS reads the public EK pk_EK from the TPM and sends hash(pk_EK) to the TPM manufacturer
  3. TPM manufacturer looks up the corresponding credentials and sends them to the TSS
  4. TSS stores the received credentials (e.g., on hard disk or in the TPM's non-volatile storage)
Slide 23: Roadmap: TPM
- Introduction to TPM
- TCG terminology and assumptions
- Identities and keys: TPM identity and platform identity; TPM keys and their properties; TPM key types
- Authentication and ownership
- Key management and maintenance

Slide 24: Migratable and Non-Migratable Keys
- Migratable keys
  - Can be migrated to other TPMs/platforms
  - Third parties have no assurance that such keys have been generated by a TPM
  - Third parties may not trust migratable keys
- Non-migratable keys
  - Cannot be migrated to other TPMs/platforms
  - Guaranteed to only reside in TPM-protected locations
  - TPM can generate a certificate stating that a key is non-migratable

Slide 25: Storage Root Key (SRK)
- TPM contains the Root of Trust for Storage (RTS)
  - Secure data storage is implemented as a hierarchy of keys
  - Storage Root Key (SRK) is the root of this key hierarchy
- Storage Root Key (SRK) represents the RTS
  - RSA en-/decryption key pair; must have at least 2048-bit key length
  - Private SRK must not leave the TPM
  - Generated by the TPM during the process of installing the TPM Owner
  - Deleted when the TPM Owner is deleted; this makes the key hierarchy inaccessible and thus destroys all data encrypted with keys in that hierarchy

Slide 26: TPM Key Hierarchy (figure)
- Notation: A → B means A encrypts B; A is called the parent key of B
- Inside the TPM: EK and SRK. On external storage (e.g., hard disk): storage keys (StorK) encrypted by the SRK, which in turn encrypt AIKs, signing keys (SigK), binding keys (BindK), migration keys (MigrK), symmetric keys (SymK) and, further down, files
- Depth of the hierarchy and number of TPM-protected keys are only limited by the size of external storage
- Storage keys (StorK) protect all other key types: attestation identity keys (AIK), signing keys (SigK), binding keys (BindK), migration keys (MigrK), symmetric keys (SymK)
- Transitive protection: the SRK indirectly protects arbitrary data (e.g., files)

Slide 27: TPM Key Object: Important Fields
- General information
  - Key type: e.g., signing key, binding key, storage key, ...
  - Algorithm: e.g., RSA, DSA, HMAC, AES, ...
  - Authentication secret: required to use the key
- Specific information
  - Key properties, key length
  - Key data: public and private key (asymmetric key) or secret key; secret key data is encrypted with the corresponding parent key
  - Migration: information about the migratability of the key: migratable, certified migratable, non-migratable
  - PCR values: a key can be sealed to specific PCR values, meaning that such a key can only be used when the platform is in a specific (trusted) state
Slide 28: Roadmap: TPM
- Introduction to TPM
- TCG terminology and assumptions
- Identities and keys: TPM identity and platform identity; TPM keys and their properties; TPM key types
- Authentication and ownership
- Key management and maintenance

Slide 29: TPM Key Types
- TPM provides 9 different types of keys
  - 3 special TPM key types: Endorsement Key, Storage Root Key, Attestation Identity Keys
  - 6 general key types: storage, signing, binding, migration, legacy and authchange keys
  - The most important key types are explained on the following slides
- Each key may have additional properties; the most important ones are
  - Migratable, non-migratable, certified migratable, i.e., whether the key is allowed to be migrated to another TPM
  - Whether the key is allowed to be used only when the platform is in a specific (potentially secure) configuration

Slide 30: Attestation Identity Keys (AIK)
- Purpose
  - Used to attest to the current platform configuration, e.g., to authentically report the current hard- and software environment to a remote party (see attestation)
  - Alias for the TPM/platform identity (Endorsement Key): use of AIKs should prevent tracking of TPMs/platforms, e.g., the transactions of a platform can be traced if the EK is used in various protocol runs with different colluding service providers
- Properties
  - AIKs are non-migratable signing keys (e.g., 2048-bit RSA)
  - Generated by the TPM Owner
  - A TPM/platform may have multiple AIKs, e.g., one for online banking, one for ..., etc.

Slide 31: Certification of AIKs
- An AIK requires certification that it comes from a TPM
- TCG specifies two possibilities (details later)
  - Certification by a Trusted Third Party (Privacy CA in TCG terminology); privacy problem: the Privacy CA can link transactions of a TPM
  - Certification via DAA (Direct Anonymous Attestation): achieves unlinkability of TPM transactions; no Privacy CA needed; zero-knowledge proof of knowledge of possession of a valid certificate

Slide 32: Storage Keys
- Purpose
  - Protection of keys outside the TPM, e.g., a storage key can be used to encrypt other keys, which can then be stored on a hard disk; the Storage Root Key (SRK) is a special storage key
  - Protection based on system configuration/properties (sealing), e.g., encryption of secrets that can only be recovered if the platform has a defined hard-/software environment
- Properties
  - Typically 2048-bit RSA en-/decryption key pair
  - Generally allowed to be migrated to other TPMs
  - Are not allowed to be non-migratable if one of their parent keys is migratable
  - Must be non-migratable if used for sealing

Slide 33: Binding Keys
- Purpose: protection of arbitrary data outside the TPM; binding is equivalent to traditional asymmetric encryption
- Properties
  - Typically 2048-bit RSA en-/decryption key pair; other asymmetric encryption schemes may be supported by the TPM
  - Can only be used with binding commands
  - Migratable to other TPMs/platforms
  - Are not allowed to be non-migratable if one of their parent keys is migratable

Slide 34: Signing Keys
- Purpose
  - Message authentication of arbitrary data external to the TPM, e.g., to ensure the integrity and origin of arbitrary files stored on the platform or of protocol messages sent by the platform
  - Authentic report of TPM-internal information, e.g., for auditing TPM commands or reporting TPM capabilities
- Properties
  - Typically 2048-bit RSA signing/verification key pair; other signing algorithms may be supported by the TPM
  - Signing keys may be migrated to other TPMs/platforms
  - Are not allowed to be non-migratable if one of their parent keys is migratable

Slide 35: Migration Keys
- Purpose: enable the TPM to act as a migration authority; used to encrypt migratable keys for secure transport from one TPM to another
- Properties: 2048-bit RSA en-/decryption key pair; allowed to be migrated to another TPM
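Slides 25 through 35 describe the key hierarchy and three rules that a TPM enforces when keys are created and loaded: a child is wrapped by its parent, a non-migratable key may not sit under a migratable parent, and a key sealed to PCR values may only be loaded when the platform is in that state. The Python model below is an added example for this page, not lecture or TPM code. Its wrapping primitive is a deliberately simple SHA-1 keystream XOR standing in for the parent's RSA storage key (a constructed stand-in, chosen so the example runs with the standard library only); the key names, the `pcr_policy` field and the `TPM` class are assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


def _keystream(secret: bytes, length: int) -> bytes:
    """Constructed stand-in for parent-key encryption: SHA-1 counter keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(parent_secret: bytes, child_secret: bytes) -> bytes:
    """Encrypt a child's private part so that only the parent can recover it."""
    ks = _keystream(parent_secret, len(child_secret))
    return bytes(a ^ b for a, b in zip(child_secret, ks))


unwrap = wrap  # XOR with the same keystream is its own inverse


@dataclass
class KeyBlob:
    """TPM key object as it lives on external storage (compare slide 27)."""
    handle: str
    key_type: str                       # storage, signing, binding, ...
    parent: Optional[str]               # parent handle; "SRK" for top-level keys
    migratable: bool
    wrapped_secret: bytes               # private part, encrypted with the parent
    pcr_policy: Dict[int, bytes] = field(default_factory=dict)  # sealing


class TPM:
    def __init__(self, pcrs: Dict[int, bytes]):
        self.pcrs = pcrs                     # current PCR values (shielded location)
        self.loaded: Dict[str, bytes] = {}   # handle -> plaintext secret inside the TPM
        self.external: Dict[str, KeyBlob] = {}

    def take_ownership(self):
        self.loaded["SRK"] = os.urandom(20)  # SRK is generated when the owner is installed

    def owner_clear(self):
        """TPM_OwnerClear: deleting the SRK orphans the whole hierarchy."""
        self.loaded.clear()

    def create_key(self, handle, key_type, parent, migratable, pcr_policy=None) -> KeyBlob:
        if parent not in self.loaded:
            raise PermissionError("parent key must be loaded in the TPM")
        parent_blob = self.external.get(parent)          # None for the SRK
        parent_migratable = parent_blob.migratable if parent_blob else False
        if parent_migratable and not migratable:
            raise ValueError("non-migratable key not allowed under a migratable parent")
        if pcr_policy and migratable:
            raise ValueError("a key used for sealing must be non-migratable")
        secret = os.urandom(20)
        blob = KeyBlob(handle, key_type, parent, migratable,
                       wrap(self.loaded[parent], secret), pcr_policy or {})
        self.external[handle] = blob
        return blob

    def load_key(self, handle) -> bool:
        """Load a key from external storage; needs the parent and the sealed state."""
        blob = self.external[handle]
        if blob.parent not in self.loaded:
            return False
        if any(self.pcrs.get(i) != v for i, v in blob.pcr_policy.items()):
            return False
        self.loaded[handle] = unwrap(self.loaded[blob.parent], blob.wrapped_secret)
        return True


def demo():
    trusted = hashlib.sha1(b"trusted-boot").digest()      # constructed PCR[0] value
    tpm = TPM(pcrs={0: trusted})
    tpm.take_ownership()
    tpm.create_key("StorK", "storage", "SRK", migratable=True)
    tpm.load_key("StorK")
    results = {}
    try:
        tpm.create_key("SigK-bad", "signing", "StorK", migratable=False)
        results["nonmig_under_mig"] = "allowed"
    except ValueError:
        results["nonmig_under_mig"] = "rejected"
    tpm.create_key("SigK", "signing", "StorK", migratable=True)
    results["sigk_loaded"] = tpm.load_key("SigK")
    tpm.create_key("SealK", "storage", "SRK", migratable=False, pcr_policy={0: trusted})
    results["seal_ok"] = tpm.load_key("SealK")
    tpm.pcrs[0] = hashlib.sha1(b"untrusted-boot").digest()  # platform state changed
    del tpm.loaded["SealK"]
    results["seal_wrong_state"] = tpm.load_key("SealK")
    tpm.owner_clear()
    results["after_owner_clear"] = tpm.load_key("StorK")
    return results


if __name__ == "__main__":
    print(demo())
```

The last step mirrors slide 25 and slide 52: once the SRK is gone, every blob on disk is still there but no longer decryptable by anyone.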
Slide 36: Roadmap: TPM
- Introduction to TPM
- TCG terminology and assumptions
- Identities and keys
- Authentication and ownership: authentication to the TPM; creating the TPM identity; TPM owner, taking ownership, deleting ownership
- Key management and maintenance

Slide 37: Authentication to the TPM
- Access to protected entities requires authentication; there are two ways to authenticate to the TPM
- Asserting physical presence
  - Proof to the TPM that one has physical access to the platform, via a hardware switch or a BIOS setting (usually the latter is implemented)
  - Can only be used with a limited set of TPM commands: enabling/disabling and activating/deactivating the TPM; resetting the TPM to default settings, deleting the TPM Owner and keys; security-critical commands (TPM firmware update, deletion of the EK)
- Authentication protocols (AP)
  - Proof to the TPM that one knows an authentication secret, e.g., authentication secret = hash digest of a passphrase
  - Authentication secrets are set by TPM users, e.g., when creating a key, the user sets a passphrase that is later required to authorize use of the key; the TPM stores the passphrase together with the key in a shielded location
  - Common way to authenticate to the TPM

Slide 38: Asserting Physical Presence via BIOS
- Changing this BIOS option executes the TPM_ForceClear() command, which resets the TPM to its default settings and deletes the current TPM Owner and all keys (except the EK)
- A remote adversary cannot access the BIOS
- A local adversary with access to the BIOS is able to disable the TPM and even to delete the TPM Owner without the need to know any secret!

Slide 39: TPM Authentication Protocols (AP)
- Authentication of commands and their parameters: provides assurance that the command, its parameters and the corresponding response of the TPM have not been modified during their transmission to or from the TPM
- TPM basically supports 2 authentication protocols: OSAP (Object Specific Authentication Protocol) and OIAP (Object Independent Authentication Protocol)
- TPM must support at least two parallel authentication protocol sessions; some TPM commands require two authentications, e.g., the command for unsealing data (see sealing)
Slide 40: Basic Functionality of the TPM's Authentication Protocols (message sequence)
Participants: user U, who knows AuthSecret for the protected entity E (referenced by Handle_E), and the TPM, which also holds AuthSecret for E. AuthSecret is set by the TPM user/owner during creation/initialization of the protected entity (e.g., as a hash of a passphrase).
1. U → TPM: TPM_OSAP() or TPM_OIAP()
2. TPM: generates Nonce_TPM; initializes authentication session S, referenced by the session handle Handle_S (session identifier)
3. TPM → U: Handle_S, Nonce_TPM
4. U: generates Nonce_U; computes the authenticator AuthData_U for the requested TPM command TPM_Command and its input parameters Input:
   AuthData_U ← HMAC(AuthSecret; SHA-1(TPM_Command, Input), Nonce_TPM, Nonce_U)
5. U → TPM: TPM_Command(Input, Handle_E), Handle_S, Nonce_U, AuthData_U
6. TPM: verifies AuthData_U (i.e., recomputes AuthData_U, compares it to the received value, and aborts if they differ). If OK, the TPM can be assured that the call is fresh (no replay), authentic (has not been modified) and requested by an authorized user. The TPM executes the command, Output ← TPM_Command(Input, Handle_E), and computes the authenticator AuthData_TPM for the executed command and its output parameters:
   AuthData_TPM ← HMAC(AuthSecret; SHA-1(TPM_Command, Output), Nonce_U)
7. TPM → U: Output, AuthData_TPM
8. U: verifies AuthData_TPM (i.e., recomputes AuthData_TPM, compares it to the received value, and aborts if they differ). If OK, the user can be assured that the response is fresh (no replay), authentic (has not been modified) and has been sent by the TPM.

Slide 41: OIAP vs. OSAP
- OIAP (Object Independent Authentication Protocol)
  - Properties: can authorize use of multiple different protected entities with multiple commands; only one setup necessary for many different entities to be authorized; no session key establishment
  - Mainly used for: authorization of using protected entities without the need for a shared session secret/key
- OSAP (Object Specific Authentication Protocol)
  - Properties: can authorize use of a single protected entity with multiple commands; one setup required for each entity to be authorized; establishes an ephemeral shared session key, which can be used as a cryptographic secret
  - Mainly used for: setting or changing authentication data for protected entities
Slide 42: OIAP Protocol (message sequence between user U and the TPM)
1. U → TPM: TPM_OIAP()   (OIAP session initialization)
2. TPM → U: Handle_OIAP, Nonce_TPM
3. U: chooses Nonce_U; computes InAuthData_OIAP
4. U → TPM: TPM_Command(Input, Handle_E), InAuthData_OIAP   (authorized use of the protected entity referenced by Handle_E, e.g., a key)
5. TPM: verifies InAuthData_OIAP; executes TPM_Command; computes Nonce_TPM2; computes OutAuthData_OIAP
6. TPM → U: Output, OutAuthData_OIAP
7. U: verifies OutAuthData_OIAP
User authentication data: InAuthData_OIAP ← (Handle_OIAP, Nonce_U, InAuthDigest_OIAP)
Authenticator of user U: InAuthDigest_OIAP ← HMAC(AuthSecret_Entity; SHA-1(TPM_Command, Input), Nonce_TPM, Nonce_U)
TPM authentication data: OutAuthData_OIAP ← (Nonce_TPM2, OutAuthDigest_OIAP)
Authenticator of the TPM: OutAuthDigest_OIAP ← HMAC(AuthSecret_Entity; SHA-1(TPM_Command, Output), Nonce_TPM2, Nonce_U)

Slide 43: OSAP Protocol (message sequence between user U and the TPM)
1. U: chooses Nonce_U1, Nonce_U2
2. U → TPM: TPM_OSAP(Handle_Entity, Nonce_U1)   (OSAP session initialization)
3. TPM: chooses Nonce_TPM1, Nonce_TPM2; computes session key K
4. TPM → U: Handle_OSAP, Nonce_TPM1, Nonce_TPM2
5. U: computes session key K; computes InAuthData_OSAP
6. U → TPM: TPM_Command(Input, Handle_Entity), InAuthData_OSAP   (authorized use of the protected entity Handle_Entity, e.g., a key, and shared session secret K)
7. TPM: verifies InAuthData_OSAP; executes TPM_Command; chooses Nonce_TPM3; computes OutAuthData_OSAP
8. TPM → U: Output, OutAuthData_OSAP
9. U: verifies OutAuthData_OSAP
Session key: K ← HMAC(AuthSecret_Entity; Nonce_TPM2, Nonce_U1)
User authentication data: InAuthData_OSAP ← (Handle_OSAP, Nonce_U2, InAuthDigest_OSAP)
Authenticator of user U: InAuthDigest_OSAP ← HMAC(K; SHA-1(TPM_Command, Input), Nonce_TPM1, Nonce_U2)
TPM authentication data: OutAuthData_OSAP ← (Nonce_TPM3, OutAuthDigest_OSAP)
Authenticator of the TPM: OutAuthDigest_OSAP ← HMAC(K; SHA-1(TPM_Command, Output), Nonce_TPM3, Nonce_U2)
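Slides 40 to 43 give the OIAP and OSAP authenticators as formulas; the following Python block runs both protocols end to end with a simulated TPM side and user side, using the HMAC and SHA-1 constructions from the slides. It is an added example for this page, not lecture code or a TPM implementation: the `TPMSim`/`UserSide` classes, the session bookkeeping, the command name `TPM_Sign` and the stand-in command output are assumptions of the example, and the AuthSecret is a constructed passphrase hash. The example goes slightly beyond the slides by rolling the TPM nonce after every command so that a recorded request is rejected on replay, and by checking that an OSAP session is only used for the entity it was opened for.

```python
import hashlib
import hmac
import os


def sha1(*parts: bytes) -> bytes:
    h = hashlib.sha1()
    for p in parts:
        h.update(p)
    return h.digest()


def hmac_sha1(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha1)
    for p in parts:
        h.update(p)
    return h.digest()


class TPMSim:
    """TPM side of OIAP/OSAP. AuthSecrets live in a shielded location (here a dict)."""

    def __init__(self, entities):
        self.entities = dict(entities)   # entity handle -> AuthSecret_Entity
        self.sessions = {}               # session handle -> state

    def _open(self, kind, entity, key, nonce_tpm):
        handle = os.urandom(4).hex()
        self.sessions[handle] = {"kind": kind, "entity": entity, "key": key, "nonce_tpm": nonce_tpm}
        return handle

    def oiap(self):
        nonce_tpm = os.urandom(20)
        return self._open("OIAP", None, None, nonce_tpm), nonce_tpm

    def osap(self, entity, nonce_u1):
        nonce_tpm1, nonce_tpm2 = os.urandom(20), os.urandom(20)
        k = hmac_sha1(self.entities[entity], nonce_tpm2, nonce_u1)   # K as on slide 43
        return self._open("OSAP", entity, k, nonce_tpm1), nonce_tpm1, nonce_tpm2

    def command(self, cmd, inp, entity, session, nonce_u, in_digest):
        s = self.sessions[session]
        if s["entity"] is not None and s["entity"] != entity:
            return None                                    # OSAP session bound to one entity
        key = self.entities[entity] if s["kind"] == "OIAP" else s["key"]
        expected = hmac_sha1(key, sha1(cmd, inp), s["nonce_tpm"], nonce_u)
        if not hmac.compare_digest(expected, in_digest):
            return None                                    # not fresh / authentic / authorized
        output = sha1(b"result-of:", cmd, inp)             # stand-in for the real command output
        nonce_tpm_next = os.urandom(20)                    # Nonce_TPM2 (OIAP) / Nonce_TPM3 (OSAP)
        out_digest = hmac_sha1(key, sha1(cmd, output), nonce_tpm_next, nonce_u)
        s["nonce_tpm"] = nonce_tpm_next                    # rolling nonce: old requests cannot replay
        return output, nonce_tpm_next, out_digest


class UserSide:
    def __init__(self, tpm, entity, auth_secret):
        self.tpm, self.entity, self.secret = tpm, entity, auth_secret
        self.last_request = None

    def run_oiap(self, cmd, inp):
        session, nonce_tpm = self.tpm.oiap()
        return self._call(cmd, inp, session, nonce_tpm, self.secret)

    def run_osap(self, cmd, inp):
        nonce_u1 = os.urandom(20)
        session, nonce_tpm1, nonce_tpm2 = self.tpm.osap(self.entity, nonce_u1)
        k = hmac_sha1(self.secret, nonce_tpm2, nonce_u1)   # same derivation as the TPM
        return self._call(cmd, inp, session, nonce_tpm1, k)

    def _call(self, cmd, inp, session, nonce_tpm, key):
        nonce_u = os.urandom(20)
        in_digest = hmac_sha1(key, sha1(cmd, inp), nonce_tpm, nonce_u)
        self.last_request = (cmd, inp, self.entity, session, nonce_u, in_digest)
        reply = self.tpm.command(*self.last_request)
        if reply is None:
            return None
        output, nonce_tpm_next, out_digest = reply
        if not hmac.compare_digest(hmac_sha1(key, sha1(cmd, output), nonce_tpm_next, nonce_u), out_digest):
            return None                                    # response tampered or not from the TPM
        return output


def demo():
    """Returns (oiap_ok, osap_ok, wrong_secret_accepted, replay_accepted)."""
    secret = sha1(b"my-key-passphrase")                    # constructed AuthSecret for entity SigK
    tpm = TPMSim({b"SigK": secret})
    good = UserSide(tpm, b"SigK", secret)
    bad = UserSide(tpm, b"SigK", sha1(b"wrong-passphrase"))
    oiap_ok = good.run_oiap(b"TPM_Sign", b"hello") is not None
    osap_ok = good.run_osap(b"TPM_Sign", b"hello") is not None
    wrong = bad.run_oiap(b"TPM_Sign", b"hello") is not None
    replay = tpm.command(*good.last_request) is not None   # resend the last accepted request
    return oiap_ok, osap_ok, wrong, replay


if __name__ == "__main__":
    print(demo())
```

Note that in OIAP the HMAC key is the entity's AuthSecret itself, whereas in OSAP it is the ephemeral K; that is why OSAP is the protocol used when new authentication data has to be transported to the TPM.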
Slide 44: Roadmap: TPM
- Introduction to TPM
- TCG terminology and assumptions
- Identities and keys
- Authentication and ownership: authentication to the TPM; creating the TPM identity; TPM owner, taking ownership, deleting ownership
- Key management and maintenance

Slide 45: Creating a Non-Revocable EK
(pk_EK, digest_EK) ← TPM_CreateEndorsementKeyPair(Nonce, par_EK)
  if EK already exists then
    return error;
  else if par_EK describes a storage key providing security at least equivalent to RSA-2048 then
    (sk_EK, pk_EK) ← GenKey(par_EK);
    digest_EK ← SHA-1(pk_EK, Nonce);
    return (pk_EK, digest_EK);
  else
    return error;
  end if;
Input
- Nonce is an anti-replay value chosen by the caller of the command (e.g., software for creating the EK)
- par_EK are the parameters for the key generation algorithm (e.g., key size, key type, etc.) chosen by the caller of the command
Note: the EK typically is an RSA key

Slide 46: Creating a Revocable EK
(pk_EK, digest_EK, A_RevEK) ← TPM_CreateRevocableEK(Nonce, par_EK, par_Rev, A_Rev)
  if EK already exists then
    return error;
  else if par_EK describes a storage key providing security at least equivalent to RSA-2048 then
    (sk_EK, pk_EK) ← GenKey(par_EK);
    if par_Rev = TRUE then
      A_RevEK ← RNG(20);
    else
      A_RevEK ← A_Rev;
    end if;
    digest_EK ← SHA-1(pk_EK, Nonce);
    return (pk_EK, digest_EK, A_RevEK);
  else
    return error;
  end if;
Prerequisites: the command is executed in a secure environment (e.g., during manufacturing)
Input
- A_Rev is an authentication secret chosen by the caller of the command
- par_Rev indicates whether the TPM should choose a random authentication secret A_RevEK or use A_Rev
Notes
- A_RevEK must be provided to the TPM later to authorize revocation of the EK
- This is an optional command

Slide 47: Revoking a Revocable EK
() ← TPM_RevokeTrust(A_Rev)
  if EK is non-revocable then
    return error;
  else if A_Rev = A_RevEK and physical presence is asserted then
    TPM_OwnerClear();
    delete all TPM-internal EK-related data;
    delete (sk_EK, pk_EK);
  else
    return error;
  end if;
Prerequisites
- The existing EK is revocable
- The authentication data required to revoke the EK is A_RevEK, which has been defined during creation of the EK
Notes
- TPM_OwnerClear() resets the TPM to its default settings and resets all owner-specific data to default values (see TPM Owner)
- This is an optional command
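The three EK commands on slides 45 to 47 form a small state machine: at most one EK, revocability fixed at creation, and revocation gated on both the creation-time secret and physical presence. The Python class below is an added example for this page, not lecture or TPM code, that implements exactly those checks. Its `gen_key` is a stand-in that returns random byte strings in place of an RSA key pair (constructed, since the point is the authorization logic, not the cryptography), and the parameter dictionary format `{"type": ..., "bits": ...}` for par_EK is an assumption of the example.

```python
import hashlib
import hmac
import os


class EKState:
    """EK-related TPM state plus TPM_CreateEndorsementKeyPair, TPM_CreateRevocableEK
    and TPM_RevokeTrust as on slides 45-47."""

    def __init__(self):
        self.ek = None                 # (sk_EK, pk_EK) or None
        self.revocable = False
        self.a_rev_ek = None           # A_RevEK, the revocation authorization secret
        self.physical_presence = False # set by the platform, not by a remote caller
        self.owner_installed = False

    @staticmethod
    def gen_key(par):
        """Stand-in for GenKey(par_EK): checks the slide's RSA-2048 storage-key
        requirement, then returns constructed random bytes instead of an RSA pair."""
        if par.get("type") != "storage" or par.get("bits", 0) < 2048:
            raise ValueError("par_EK must describe a storage key with RSA-2048 security or better")
        return os.urandom(32), os.urandom(32)

    def create_endorsement_key_pair(self, nonce, par):
        if self.ek is not None:
            raise RuntimeError("EK already exists")
        self.ek = self.gen_key(par)
        self.revocable = False
        return self.ek[1], hashlib.sha1(self.ek[1] + nonce).digest()   # (pk_EK, digest_EK)

    def create_revocable_ek(self, nonce, par, par_rev, a_rev):
        if self.ek is not None:
            raise RuntimeError("EK already exists")
        self.ek = self.gen_key(par)
        self.revocable = True
        self.a_rev_ek = os.urandom(20) if par_rev else a_rev            # RNG(20) or caller's A_Rev
        return self.ek[1], hashlib.sha1(self.ek[1] + nonce).digest(), self.a_rev_ek

    def owner_clear(self):
        """TPM_OwnerClear(): owner-specific data back to defaults."""
        self.owner_installed = False

    def revoke_trust(self, a_rev):
        if not self.revocable:
            raise RuntimeError("EK is non-revocable")
        if not (self.physical_presence and hmac.compare_digest(a_rev, self.a_rev_ek)):
            raise PermissionError("revocation requires A_RevEK and asserted physical presence")
        self.owner_clear()
        self.ek, self.a_rev_ek, self.revocable = None, None, False


def demo():
    tpm = EKState()
    par = {"type": "storage", "bits": 2048}
    a_rev = hashlib.sha1(b"manufacturer-chosen-secret").digest()       # constructed A_Rev
    pk, digest, a_rev_ek = tpm.create_revocable_ek(b"nonce-1", par, False, a_rev)
    results = {
        "digest_ok": digest == hashlib.sha1(pk + b"nonce-1").digest(),
        "a_rev_echoed": a_rev_ek == a_rev,
    }
    try:
        tpm.create_endorsement_key_pair(b"nonce-2", par)
        results["second_ek"] = "created"
    except RuntimeError:
        results["second_ek"] = "rejected"
    try:
        tpm.revoke_trust(a_rev)            # correct secret, but no physical presence
        results["revoke_without_pp"] = "revoked"
    except PermissionError:
        results["revoke_without_pp"] = "rejected"
    tpm.physical_presence = True
    tpm.revoke_trust(a_rev)
    results["ek_after_revoke"] = tpm.ek
    return results


if __name__ == "__main__":
    print(demo())
```

Running the demo shows why revocation is coupled to physical presence on slide 37: knowing A_RevEK alone, e.g. from a leaked manufacturing record, is not enough to wipe a platform's identity remotely.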
Slide 48: Roadmap: TPM
- Introduction to TPM
- TCG terminology and assumptions
- Identities and keys
- Authentication and ownership: authentication to the TPM; creating the TPM identity; TPM owner, taking ownership, deleting ownership
- Key management and maintenance

Slide 49: TPM Owner
- Entity owning a TPM-enabled platform, e.g., the person owning the platform or an IT department
- TPM Owner must initialize the TPM to use its full functionality ("take ownership" of the TPM)
  - Owner sets the owner authentication secret
  - Owner creates the Storage Root Key (SRK) (see TPM keys)
- Owner authentication
  - Proof of knowledge of the owner credentials to the TPM, e.g., via TPM authentication protocols or physical presence
  - Permits the TPM to use several protected capabilities, e.g., migration of cryptographic keys or deletion of the TPM Owner

Slide 50: Protocol for Creating a TPM Owner (message sequence between TPM Owner O and the TPM)
1. O → TPM: TPM_OIAP()   (initialization of the authentication protocol)
2. TPM → O: Handle_OIAP, Nonce_TPM
3. O: computes InAuthData_OIAP
4. O → TPM: TPM_TakeOwnership(enc_EK(A_Owner), enc_EK(A_SRK), par_SRK), InAuthData_OIAP
5. TPM: verifies InAuthData_OIAP
6. TPM → O: OutAuthData_OIAP
7. O: verifies OutAuthData_OIAP
Here, OIAP is only used to authenticate the TPM's response to the TPM Owner: on successful verification of OutAuthData_OIAP the TPM Owner can be assured that the TPM has created a TPM Owner and set the correct owner authentication secret A_Owner and the authentication secret A_SRK for using the SRK (see OIAP protocol).

Slide 51: Protocol for Deleting a TPM Owner (message sequence between TPM Owner O and the TPM)
1. O → TPM: TPM_OIAP()   (initialization of the authentication protocol)
2. TPM → O: Handle_OIAP, Nonce_TPM
3. O: computes InAuthData_OIAP
4. O → TPM: TPM_OwnerClear(Handle_Owner), InAuthData_OIAP
5. TPM: verifies InAuthData_OIAP
6. TPM → O: OutAuthData_OIAP
7. O: verifies OutAuthData_OIAP
The OIAP session is used to authenticate
- the TPM Owner to the TPM: on successful verification of InAuthData_OIAP the TPM can be assured that the command has been called by the TPM Owner
- the TPM's response to the TPM Owner: on successful verification of OutAuthData_OIAP the TPM user can be assured that the TPM has actually deleted the TPM Owner and all associated data

Slide 52: TPM Interface for Deleting the Owner
OutAuthData_OIAP ← TPM_OwnerClear(Handle_Owner), InAuthData_OIAP
  if OIAPVerify(Handle_Owner, InAuthData_OIAP) ≠ ok or deletion of the owner has been disabled then
    return error;
  else
    compute OutAuthData_OIAP;
    unload all currently loaded keys;
    delete A_Owner;
    delete SRK;
    set all owner-related internal variables to their defaults;
    terminate all currently open sessions;
    return OutAuthData_OIAP;
  end if;
Notes
- Handle_Owner informs the TPM that the TPM Owner should be authorized
- InAuthData_OIAP refers to the parameters of a previously opened OIAP authentication session, used to prove knowledge of the owner authentication secret to the TPM
- OutAuthData_OIAP refers to the parameters of a previously opened OIAP session, providing authenticity of the TPM's output (e.g., proof that the TPM actually deleted the TPM Owner)
- OIAPVerify() verifies whether the user knows the owner authentication secret (see OIAP authentication protocol)
53 Roadmap: TPM
  Introduction to TPM
  TCG Terminology and assumptions
  Identities and keys
  Authentication and Ownership
  Key management and maintenance

Slide Nr. 66, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016
54 Overview of Maintenance
  Transfers all TPM-protected data to another TPM
    Necessary when exchanging a (defective) subsystem that contains a TPM without losing non-migratable data
  Different from backup/migration
    Maintenance can also migrate data that cannot be migrated using the TPM's migration functionality
    Requires intervention of the subsystem's manufacturer
  Vendor-specific feature
    Maintenance commands are not exactly specified by TCG
  Optional feature, but if implemented
    All specified maintenance capabilities are mandatory
    No other maintenance capabilities may be implemented

Slide Nr. 67, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016
55 Specified Security Requirements
  Confidentiality and cloning:
    Data to be migrated must not be accessible by more than one TPM at a time, nor exposed to third parties including the manufacturer
  Policy conformance: Maintenance must require
    Source and target platforms are from the same manufacturer and model
    Active participation of the TPM Owner
  Migration of non-migratable data requires the cooperation of
    the owner of the non-migratable data, e.g., to authorize moving his sensitive data to another platform
    the manufacturer of the subsystem, who e.g. must revoke the old Endorsement Credential and guarantee destruction of the old TPM (which still contains the migrated data)

Slide Nr. 68, Lecture Secure, Trusted and Trustworthy Computing, WS 2015/2016
56 Typical Maintenance Sequence

Parties: Subsystem Owner (TPM Owner), Old Subsystem (contains TPM 1), New Subsystem (contains TPM 2), Subsystem Manufacturer, Certification Authorities

 1. Subsystem Manufacturer generates the maintenance key pair ( sk_M, pk_M )
 2. Subsystem Manufacturer -> TPM Owner: pk_M
 3. TPM Owner -> TPM 1: TPM_LoadManuMaintPub( pk_M )
 4. TPM Owner -> TPM 1: TPM_CreateMaintenanceArchive()
 5. TPM 1 creates the maintenance archive Arc_M, encrypted with a symmetric key chosen by the TPM Owner and with pk_M
    Note: The symmetric key can be derived from the owner authentication secret or the TPM's RNG
 6. TPM 1 -> TPM Owner: Arc_M
 7. TPM Owner -> Subsystem Manufacturer: Arc_M
 8. Subsystem Manufacturer -> Certification Authorities: revoke EK of TPM 1
 9. Subsystem Manufacturer decrypts Arc_M using sk_M and re-encrypts it using the public SRK of TPM 2
    Note: TPM 2 is temporarily owned by the subsystem manufacturer
10. Subsystem Manufacturer -> TPM Owner: re-encrypted Arc_M
11. TPM Owner -> TPM 2: TPM_LoadMaintenanceArchive( Arc_M )
12. TPM 2 decrypts Arc_M using the (subsystem manufacturer's) secret SRK and the symmetric key chosen by the TPM Owner, and overwrites all shielded locations with the data from Arc_M

Note: After finishing the maintenance sequence, all owner-specific data has been migrated from TPM 1 to TPM 2
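The two encryption layers of the maintenance archive, carried through the sequence above end to end, as an added example that is not the lecture's or the TCG's code. It models TPM 1 building Arc_M under the owner-chosen symmetric key and pk_M, the manufacturer stripping the pk_M layer and re-wrapping for TPM 2's SRK, and TPM 2 unwrapping with its SRK and the owner key. The asymmetric operations are textbook RSA over fixed Mersenne primes and the symmetric layer is a SHA-256 keystream XOR; both are constructed toys standing in for the TPM's RSA/SRK and the owner's cipher, the archive layout (wrapped transport key, body, HMAC tag) is an assumption, and no real TPM data format is implemented. What the example shows beyond the slide is the confidentiality requirement of slide 55 in action: the manufacturer can re-wrap the archive without being able to read the owner's data, and the old TPM still holds that data until it is destroyed.

```python
"""Maintenance archive layering modelled end to end (TPM 1 -> manufacturer -> TPM 2).

Added example, not the lecture's or TCG's code. Toy RSA over fixed Mersenne
primes and a SHA-256 keystream XOR stand in for the TPM's RSA/SRK operations
and the owner-chosen symmetric cipher; the archive layout is an assumption.
"""
import hashlib
import hmac
import os
from math import gcd

SYM_KEY_LEN = 12   # bytes; short enough for the toy RSA to wrap without padding


def rsa_keypair(p, q, e=65537):
    """Textbook RSA over two given primes; toy only, no padding, no blinding."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def rsa_wrap(pub, key):
    n, e = pub
    m = int.from_bytes(key, "big")
    assert m < n
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_unwrap(priv, blob):
    n, d = priv
    return pow(int.from_bytes(blob, "big"), d, n).to_bytes(SYM_KEY_LEN, "big")


def stream_xor(key, data):
    """SHA-256 counter-mode keystream XOR; toy symmetric cipher, self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def hybrid_encrypt(pub, data):
    """Outer layer: fresh transport key wrapped under pub, data under that key."""
    t = os.urandom(SYM_KEY_LEN)
    return rsa_wrap(pub, t), stream_xor(t, data)


def hybrid_decrypt(priv, wrapped, body):
    return stream_xor(rsa_unwrap(priv, wrapped), body)


class Tpm:
    """Minimal model of the maintenance-relevant TPM state."""

    def __init__(self, srk_primes, shielded=b""):
        self.srk_pub, self.srk_priv = rsa_keypair(*srk_primes)
        self.shielded = shielded          # owner data in shielded locations
        self.manu_maint_pub = None

    def load_manu_maint_pub(self, pk_m):                    # step 3
        self.manu_maint_pub = pk_m

    def create_maintenance_archive(self, owner_sym_key):    # steps 4-6
        assert self.manu_maint_pub is not None, "pk_M must be loaded first"
        inner = stream_xor(owner_sym_key, self.shielded)     # owner-key layer
        tag = hmac.new(owner_sym_key, inner, hashlib.sha256).digest()
        wrapped, body = hybrid_encrypt(self.manu_maint_pub, inner)  # pk_M layer
        return {"wrapped": wrapped, "body": body, "tag": tag}

    def load_maintenance_archive(self, archive, owner_sym_key):  # steps 11-12
        inner = hybrid_decrypt(self.srk_priv, archive["wrapped"], archive["body"])
        tag = hmac.new(owner_sym_key, inner, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, archive["tag"]):
            return False                   # wrong owner key or corrupted archive
        self.shielded = stream_xor(owner_sym_key, inner)   # overwrite shielded locations
        return True


def manufacturer_reencrypt(sk_m, archive, target_srk_pub):  # step 9
    """Strip the pk_M layer and re-wrap for TPM 2; also return what the manufacturer saw."""
    inner = hybrid_decrypt(sk_m, archive["wrapped"], archive["body"])
    wrapped, body = hybrid_encrypt(target_srk_pub, inner)
    return {"wrapped": wrapped, "body": body, "tag": archive["tag"]}, inner


def run_maintenance():
    owner_data = b"constructed owner key material to migrate"
    tpm1 = Tpm((2**61 - 1, 2**89 - 1), owner_data)       # old subsystem
    tpm2 = Tpm((2**107 - 1, 2**127 - 1))                 # new subsystem, still empty
    pk_m, sk_m = rsa_keypair(2**31 - 1, 2**521 - 1)      # step 1
    owner_sym_key = os.urandom(SYM_KEY_LEN)              # chosen by the TPM Owner
    tpm1.load_manu_maint_pub(pk_m)
    arc_m = tpm1.create_maintenance_archive(owner_sym_key)
    arc_m2, manufacturer_view = manufacturer_reencrypt(sk_m, arc_m, tpm2.srk_pub)
    loaded = tpm2.load_maintenance_archive(arc_m2, owner_sym_key)
    # Same SRK (manufacturer-owned TPM 2 model) but without the owner's key: rejected.
    rejected = not Tpm((2**107 - 1, 2**127 - 1)).load_maintenance_archive(
        arc_m2, os.urandom(SYM_KEY_LEN))
    return {
        "original": owner_data,
        "loaded": loaded,
        "tpm2_data": tpm2.shielded,
        "manufacturer_view": manufacturer_view,
        "rejected_wrong_owner_key": rejected,
        "tpm1_still_holds_data": tpm1.shielded == owner_data,
    }
```

The manufacturer only ever reaches the owner-key layer, which is why slide 55 can require that migrated data is not exposed to the manufacturer while still letting the manufacturer re-target the archive; and because TPM 1's shielded locations are untouched by the sequence, the manufacturer's guarantee to destroy the old TPM is what prevents two TPMs from holding the data at once.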