Lecture Embedded System Security Trusted Platform Module


Lecture Embedded System Security
Prof. Dr.-Ing. Ahmad-Reza Sadeghi, System Security Lab, Technische Universität Darmstadt (CASED), Germany
Summer Term 2015

Roadmap: TPM
- Introduction to TPM
  - TPM architecture
  - Integration of the TPM in the PC's software and hardware, start-up
  - Core Root of Trust for Measurement (CRTM)
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
Slide Nr. 2, Lecture Embedded System Security, SS 2015

Trusted Platform Module (TPM)
- Current implementation is a cryptographic coprocessor
  - Hardware-based random number generation
  - Small set of cryptographic functions: key generation, signing, encryption, hashing, MAC
- Offers additional functionalities
  - Secure storage (ideally tamper-resistant)
  - Platform integrity measurement and reporting
- Embedded into the platform's motherboard
- Acts as a Root of Trust: the TPM must be trusted by all parties
- Three versions of the specification are available; version 1.2 is the focus of this lecture
- Many vendors already ship their platforms with a TPM

TPM Architecture
- Input/Output: protocol en-/decoding; enforces access policies
- System Interface (e.g., LPC bus)
- Cryptographic Co-Processor: asymmetric en-/decryption (RSA); digital signature (RSA)
- SHA-1
- HMAC
- Random Number Generation
- Key Generation: asymmetric keys (RSA); symmetric keys; nonces
- Platform Configuration Registers (PCR[0] ... PCR[23]): storage of integrity measurements
- Opt-In: stores TPM state information (e.g., whether the TPM is disabled); enforces state-dependent limitations (e.g., some commands must not be executed if the TPM is disabled)
- Execution Engine: processes TPM commands; ensures segregation of operations; ensures protection of secrets
- Non-Volatile Memory: stores persistent TPM data (e.g., the TPM identity or special keys); provides read-, write- or unprotected storage accessible from outside the TPM

Features of Next Generation TPM
- Variability of cryptographic algorithms
  - Current TPM specifications are fixed on RSA and SHA-1
  - Support for different crypto algorithms is needed in many applications (e.g., ECC-based crypto)
- Support for virtualized systems
  - Current TPMs are difficult to virtualize
  - Virtualization support is required in many security architectures (e.g., virtual machines need virtual TPMs)
- Security enhancements, e.g., to prevent users from choosing weak TPM passwords
- Performance and usability improvements

TPM Integration into PC Hardware
[Figure: block diagram of a PC platform]
- Central Processing Unit (CPU)
- Graphics and Memory Controller Hub (GMCH), the Northbridge chipset: connects the graphics controller and the system memory
- Interface Controller Hub (ICH), the Southbridge chipset: connects hard disks, expansion cards, USB devices and the network interface
- Low Pin Count (LPC) bus, attached to the ICH: carries the system BIOS, the TPM, and the Super I/O controller for legacy devices (floppy drive, PS/2, parallel I/O, serial I/O)

TPM Software Integration
Layers, from top to bottom:
- Applications (local): TCG-Application; Conventional Application
  - A Remote TCG-Application on a Remote Trusted Platform reaches the local stack through RPC (Remote Procedure Call): its own TSP talks to an RPC client, and the local platform runs an RPC server that exposes the TCSI
- TSP Interface (TSPI)
- TCG Service Provider (TSP): provides an object-oriented interface for TCG-enabled applications
  - Conventional applications use a Conventional Cryptographic Interface (e.g., MS-CAPI, PKCS#11) that is backed by a TSP
- TCS Interface (TCSI)
- TCG Core Services (TCS): key and credential management; platform integrity measurement and reporting (TPM Event Log); parsing and handling of TPM commands
- TDDL Interface (TDDLI)
- TPM Device Driver Library (TDDL): provides a standard interface for TPMs of different manufacturers; transition between user mode and kernel mode
- TPM Device Driver (Operating System / System Services)
- Hardware: CRTM, TPM
TSP, TCS and TDDL together form the Trusted Software Stack (TSS).

Core Root of Trust for Measurement (CRTM)
- Immutable portion of the host platform's initialization code that is executed upon a host platform reset
- Trust in all measurements is based on the integrity of the CRTM
- Ideally the CRTM is contained in the TPM
- Implementation decisions may require the CRTM to be located in other firmware (e.g., the BIOS boot block)

Possible CRTM Implementations
1. CRTM = BIOS Boot Block
   - BIOS is composed of the BIOS Boot Block and the POST BIOS
   - Each of these is an independent component; each can be updated independently of the other
   - The POST BIOS is not part of the CRTM but is measured by the Chain of Trust
2. CRTM = Entire BIOS
   - BIOS is composed of a single atomic entity
   - The entire BIOS is updated, modified, or maintained as a single component

Roadmap: TPM
- Introduction to TPM
  - TPM architecture
  - Integration of the TPM in the PC's software and hardware, start-up
  - Core Root of Trust for Measurement (CRTM)
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership

TCG Terminology I
- Shielded Location
  - Place where sensitive data can be stored or operated on safely
  - e.g., memory locations inside the TPM, or data objects encrypted by the TPM and stored on external storage (e.g., hard disk)
- Protected Capabilities (Protected Functions)
  - Set of commands with exclusive permission to access shielded locations
  - e.g., commands for cryptographic key management, sealing of data to a system state, etc.
- Protected Entity
  - Refers to a protected capability or a sensitive data object stored in a shielded location

TCG Terminology II
- Integrity Measurement
  - Process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform and storing digests of these metrics in the TPM's PCRs
  - Platform characteristic = hash digest of the software to be executed
- Platform Configuration Registers (PCR)
  - Shielded location to store integrity measurement values
  - PCRs can only be extended: PCR_{i+1} = SHA-1(PCR_i || value)
  - PCRs are reset only when the platform is rebooted
- Integrity Logging
  - Storing integrity metrics in a log for later use
  - Storing additional information about what has been measured, like software manufacturer name, software name, version, etc.
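The measurement, extend and logging steps of this slide, as an added worked example that is not part of the lecture: a Python model of the PCR extend operation, of a boot chain that logs what it measures, and of a verifier that replays the event log against the reported PCR value. The boot-stage names and image contents are constructed placeholders, not real firmware.

```python
import hashlib

PCR_SIZE = 20                       # SHA-1 digest length: TPM 1.2 PCRs are 160 bits wide
INITIAL_PCR = b"\x00" * PCR_SIZE    # value of a PCR after platform reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend operation: PCR_{i+1} = SHA-1(PCR_i || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """Integrity measurement: hash digest of the software about to be executed."""
    return hashlib.sha1(component).digest()


def measured_boot(stages):
    """Chain of trust: each stage measures the next one into the PCR before
    handing over control. Returns the final PCR value and the event log."""
    pcr = INITIAL_PCR
    log = []
    for name, image in stages:
        digest = measure(image)
        log.append((name, digest))      # integrity logging: what was measured
        pcr = pcr_extend(pcr, digest)   # extend-only update of the register
    return pcr, log


def replay_log(log) -> bytes:
    """A verifier recomputes the PCR value from the log entries alone."""
    pcr = INITIAL_PCR
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify(reported_pcr: bytes, log, known_good: dict):
    """Check 1: the log reproduces the PCR (it was not edited after the fact).
    Check 2: every measured digest matches the verifier's reference digests."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not reproduce the reported PCR"
    for name, digest in log:
        if known_good.get(name) != digest:
            return False, "unknown or modified component: " + name
    return True, "platform configuration matches the reference"


# Constructed sample boot images (placeholders, not real firmware).
REFERENCE_IMAGES = [
    ("POST BIOS", b"post-bios build 1.0"),
    ("bootloader", b"bootloader build 2.0"),
    ("kernel", b"kernel build 4.0"),
]
KNOWN_GOOD = {name: measure(image) for name, image in REFERENCE_IMAGES}


def demo():
    """Run three scenarios and return the verifier's verdict for each."""
    good_pcr, good_log = measured_boot(REFERENCE_IMAGES)

    # A modified kernel measured honestly: the log is consistent, the digest is not.
    modified = REFERENCE_IMAGES[:2] + [("kernel", b"kernel build 4.0 with patch")]
    mod_pcr, mod_log = measured_boot(modified)

    # The log is later edited to show the reference kernel digest; the PCR still
    # carries the real measurement, so the replay no longer matches.
    forged_log = mod_log[:2] + [("kernel", KNOWN_GOOD["kernel"])]

    return {
        "good": verify(good_pcr, good_log, KNOWN_GOOD),
        "modified_kernel": verify(mod_pcr, mod_log, KNOWN_GOOD),
        "forged_log": verify(mod_pcr, forged_log, KNOWN_GOOD),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:16s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Two properties of the extend-only register carry the whole scheme: an entry cannot be dropped or rewritten in the log without the replay diverging from the PCR, and the order of measurements matters, since SHA-1(SHA-1(0 || a) || b) differs from SHA-1(SHA-1(0 || b) || a). The verifier still needs a reference digest for every component, which is the practical difficulty the later assumption slides point to.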

TCG Assumptions and Trust Model I
- Unforgeability of measurements
  - Platform configuration cannot be forged after measurements have been taken
  - However, today's OS can be (maliciously) modified
- Hash digests of binaries express trustworthiness
  - Verifier can determine the initial configuration from the digests
  - However, the TCBs of today's platforms are too complex
- Secure channels can be established
  - Between HW components (TPM and CPU), since they may have certified authentication keys provided by a PKI
  - Between machines running on the same platform (e.g., attestor and host) by using operating system mechanisms (secure OS)

TCG Assumptions and Trust Model II
- Protection against software attacks only
  - Unprotected communication link between TPM and CPU
- Security issues of certain TPM aspects
  - Automated verification available
- Integration of the TPM in the chipset may potentially be problematic
  - Engineering trade-off between security and technical evaluation
- TPM Construction Kit: towards more security against hardware attacks
- Currently TPMs have rudimentary hardware protection mechanisms
  - Over/under voltage detection, low frequency sensor, high frequency filter, reset filter, memory encryption/decryption, etc.
  - Some manufacturers have started 3rd-party certification (Common Criteria)
  - CRTM is not tamper-resistant (implemented in unprotected BIOS)

Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
  - TPM and platform identity
  - TPM keys and their properties
  - TPM key types
- Authentication and Ownership

TPM Identity (Endorsement Key)
- TPM identity is represented by the Endorsement Key (EK)
- Unique en-/decryption key pair
  - Private key does not leave the TPM
  - Public key is privacy-sensitive (since it identifies a TPM/platform)
- Generated during the manufacturing process of the TPM
  - Either in the TPM, or externally and then embedded into the TPM
- Must be certified by the EK-generating entity, e.g., by the TPM manufacturer
- Can be deleted (revoked) and re-generated by a TPM user
  - Revocation must be enabled during creation of the EK
  - Deletion must be authorized by a secret defined during EK creation
  - EK re-creation invalidates the Endorsement Credential (EC)
- Readable from the TPM via
  - TPM_ReadPubek (command disabled after taking ownership of the TPM)
  - TPM_OwnerReadInternalPub (requires the owner authentication secret set during taking ownership)

Endorsement Credential
- Digital certificate stating that the EK has been properly created and embedded into a TPM
- Issued by the entity who generated the EK, e.g., the TPM manufacturer
- Includes
  - TPM manufacturer name
  - TPM model number
  - TPM version
  - Public EK (privacy sensitive)
[Figure: Endorsement Credential carrying pk_EK, issued for the TPM's EK]

Platform Identity
- Platform identity is equivalent to TPM identity (EK)
  - EK is a unique identifier for a TPM
  - A TPM must be bound to only one platform
    - Either physical binding (e.g., soldered to the platform's motherboard) or logical binding (e.g., by using cryptography)
    - Common implementation: TPM soldered to the platform's motherboard
  - Therefore an EK uniquely identifies a platform
- Platform Credential asserts that a TPM has been correctly integrated into a platform

Platform Credential
- Digital certificate stating that an individual platform contains the TPM described in the Endorsement Credential (EC)
- Issued by the platform manufacturer, e.g., the system or motherboard manufacturer
- Includes
  - Platform manufacturer name
  - Platform model and version number
  - References to (digests of) the corresponding Endorsement and Conformance Credential
- Conformance Credential asserts that a platform type fulfills the evaluation guidelines defined by the TCG
[Figure: Platform Credential referencing Hash(EK) of the Endorsement Credential (pk_EK) and the Conformance Credential (ConfCred)]

TPM Credentials on PC Platform
- TPM credentials may be distributed in the following ways
  - On the platform's distribution CD (impractical: every platform requires an individual CD)
  - On a partition on the platform's hard disk
  - Over the TPM or platform manufacturer's web site
  - In the non-volatile storage area of the TPM (most commonly used)
- Current situation:
  - Only one TPM manufacturer is known to provide an Endorsement Credential
  - There is no known TPM that comes with a Platform or Conformance Credential
- Distribution via non-volatile storage
  - Reserved address space in the non-volatile storage of the TPM for TPM credentials
  - Access to these credentials is only allowed after TPM owner authentication
- Distribution via the manufacturer's website
  - Requires identification of the TPM, e.g., via the EK:
    1. TSS establishes a secure channel (authenticated, confidential) with the TPM manufacturer
    2. TSS reads the public EK (pk_EK) from the TPM and sends hash(pk_EK) to the TPM manufacturer
    3. TPM manufacturer looks up the corresponding credentials and sends them to the TSS
    4. TSS stores the received credentials (e.g., on the hard disk or in the TPM's non-volatile storage)

Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
  - TPM identity and platform identity
  - TPM keys and their properties
  - TPM key types
- Authentication and Ownership

Migratable and Non-Migratable Keys
- Migratable keys
  - Can be migrated to other TPMs/platforms
  - Third parties have no assurance that such keys have been generated by a TPM
  - Third parties may not trust migratable keys
- Non-migratable keys
  - Cannot be migrated to other TPMs/platforms
  - Guaranteed to only reside in TPM-protected locations
  - TPM can generate a certificate stating that a key is non-migratable

Storage Root Key (SRK)
- TPM contains the Root of Trust for Storage (RTS)
  - Secure data storage is implemented as a hierarchy of keys
  - Storage Root Key (SRK) is the root of this key hierarchy
- Storage Root Key (SRK) represents the RTS
  - RSA en-/decryption key pair
  - Must have at least 2048-bit key length
  - Private SRK must not leave the TPM
  - Generated by the TPM during the process of installing the TPM Owner
  - Deleted when the TPM Owner is deleted
    - This makes the key hierarchy inaccessible and thus destroys all data encrypted with keys in that hierarchy

TPM Key Hierarchy
- Notation: A -> B means A encrypts B; A is called the parent key of B
- Inside the TPM: EK, SRK
- External storage (e.g., hard disk): all other keys, each encrypted by its parent key
  - Storage keys (StorK) protect all other key types: Attestation ID keys (AIK), Signing keys (SigK), Binding keys (BindK), Migration keys (MigrK), Symmetric keys (SymK)
  - Depth of the hierarchy and number of TPM-protected keys are only limited by the size of the external storage
  - Transitive protection: the SRK indirectly protects arbitrary data (e.g., files)
[Figure, built up over several slides: SRK -> StorK, BindK, MigrK, AIK; StorK -> StorK, AIK, SigK, BindK, SymK; SymK -> File]

Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
  - TPM identity and platform identity
  - TPM keys and their properties
  - TPM key types
- Authentication and Ownership

TPM Key Types
- TPM provides 9 different types of keys
  - 3 special TPM key types: Endorsement Key, Storage Root Key, Attestation Identity Keys
  - 6 general key types: storage, signing, binding, migration, legacy and authchange keys
  - The most important key types are explained in the following slides
- Each key may have additional properties; the most important ones are
  - Migratable, non-migratable, certified migratable, e.g., whether the key is allowed to be migrated to another TPM
  - Whether the key is allowed to be used only when the platform is in a specific (potentially secure) configuration

Attestation Identity Keys (AIK)
- Purpose
  - Used to attest to the current platform configuration, e.g., to authentically report the current hard- and software environment to a remote party (see attestation)
  - Alias for the TPM/platform identity (Endorsement Key)
    - Use of AIKs should prevent tracking of TPMs/platforms, e.g., the transactions of a platform can be traced if the EK is used in various protocol runs with different colluding service providers
- Properties
  - AIKs are non-migratable signing keys (e.g., 2048-bit RSA)
  - Generated by the TPM Owner
  - TPM/platform may have multiple AIKs, e.g., one for online-banking, one for , etc.

Certification of AIKs
- AIK requires certification that it comes from a TPM
- TCG specifies two possibilities (details later)
  - Certification by a Trusted Third Party (Privacy CA in TCG terminology)
    - Privacy problem: the Privacy CA can link transactions of a TPM
  - Certification via DAA (Direct Anonymous Attestation)
    - Achieves unlinkability of TPM transactions
    - No Privacy CA needed
    - Zero-knowledge proof of knowledge of possession of a valid certificate

Storage Keys
- Purpose
  - Protection of keys outside the TPM, e.g., a storage key can be used to encrypt other keys, which can then be stored on a hard disk
    - Storage Root Key (SRK) is a special storage key
  - Protection based on system configuration/properties (sealing), e.g., encryption of secrets which can only be recovered if the platform has a defined hard-/software environment
- Properties
  - Typically a 2048-bit RSA en-/decryption key pair
  - Generally allowed to be migrated to other TPMs
    - Are not allowed to be non-migratable if one of their parent keys is migratable
    - Must be non-migratable if used for sealing
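Sealing to a system configuration, as an added example that is not the lecture's code: a Python model in which a sealed blob records a composite digest over selected PCRs at seal time, and the unseal capability releases the data only when the current PCR values reproduce that digest. The composite construction is a simplified stand-in for the TPM 1.2 PCR composite, the blob store stands in for encryption under the storage key, the rule that a migratable storage key may not seal is enforced at seal time, and the boot images are constructed samples.

```python
import hashlib

PCR_COUNT = 24
INITIAL_PCR = b"\x00" * 20      # all PCRs are zero after a platform reboot


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new value = SHA-1(old value || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def pcr_composite(pcrs, selection) -> bytes:
    """Digest over the selected PCR values (simplified stand-in for the
    PCR composite structure a sealed blob carries)."""
    h = hashlib.sha1()
    h.update(bytes(sorted(selection)))
    for index in sorted(selection):
        h.update(pcrs[index])
    return h.digest()


class StorageKey:
    def __init__(self, name: str, migratable: bool):
        self.name = name
        self.migratable = migratable


class TpmSealModel:
    """Model of the sealing protected capability. Sealed blobs live in the
    model's shielded store; a real TPM instead returns them encrypted under
    the storage key and checks the PCRs when decrypting."""

    def __init__(self):
        self.pcrs = [INITIAL_PCR] * PCR_COUNT
        self._shielded = {}
        self._next_handle = 1

    def reboot(self):
        self.pcrs = [INITIAL_PCR] * PCR_COUNT

    def extend(self, index: int, measurement: bytes):
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)

    def seal(self, key: StorageKey, selection, data: bytes) -> int:
        if key.migratable:
            raise ValueError("sealing requires a non-migratable storage key")
        handle = self._next_handle
        self._next_handle += 1
        expected = pcr_composite(self.pcrs, selection)
        self._shielded[handle] = (key.name, tuple(selection), expected, bytes(data))
        return handle

    def unseal(self, key: StorageKey, handle: int) -> bytes:
        key_name, selection, expected, data = self._shielded[handle]
        if key.name != key_name:
            raise PermissionError("blob was not sealed under this key")
        if pcr_composite(self.pcrs, selection) != expected:
            raise PermissionError("platform configuration differs from the sealed state")
        return data


def boot(tpm: TpmSealModel, bios: bytes, kernel: bytes):
    """Constructed boot sequence: BIOS measured into PCR 0, kernel into PCR 4."""
    tpm.reboot()
    tpm.extend(0, hashlib.sha1(bios).digest())
    tpm.extend(4, hashlib.sha1(kernel).digest())


def try_unseal(tpm: TpmSealModel, key: StorageKey, handle: int):
    """Return the released data, or None when the TPM refuses."""
    try:
        return tpm.unseal(key, handle)
    except PermissionError:
        return None


def demo():
    tpm = TpmSealModel()
    srk = StorageKey("SRK", migratable=False)
    secret = b"volume-key-0123"                      # constructed sample secret

    boot(tpm, b"bios 1.0", b"kernel good")
    handle = tpm.seal(srk, [0, 4], secret)
    same_config = try_unseal(tpm, srk, handle)        # released

    boot(tpm, b"bios 1.0", b"kernel modified")
    other_config = try_unseal(tpm, srk, handle)       # refused: PCR 4 differs

    boot(tpm, b"bios 1.0", b"kernel good")
    restored_config = try_unseal(tpm, srk, handle)    # released again

    try:
        tpm.seal(StorageKey("MigStorK", migratable=True), [0], secret)
        migratable_rejected = False
    except ValueError:
        migratable_rejected = True

    return {"same_config": same_config, "other_config": other_config,
            "restored_config": restored_config, "migratable_rejected": migratable_rejected}
```

The selection decides what "same configuration" means: a change in a PCR outside the selection does not block the unseal, so the set of PCRs chosen at seal time is a policy decision, not an implementation detail.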

Binding Keys
- Purpose
  - Protection of arbitrary data outside the TPM
  - Binding is equivalent to traditional asymmetric encryption
- Properties
  - Typically a 2048-bit RSA en-/decryption key pair
  - Other asymmetric encryption schemes may be supported by the TPM
  - Can only be used with binding commands
  - Migratable to other TPMs/platforms
    - Are not allowed to be non-migratable if one of their parent keys is migratable

Signing Keys
- Purpose
  - Message authentication of arbitrary data external to the TPM, e.g., to ensure the integrity and origin of arbitrary files stored on the platform or of protocol messages sent by the platform
  - Authentic report of TPM-internal information, e.g., for auditing TPM commands or reporting TPM capabilities
- Properties
  - Typically a 2048-bit RSA signing/verification key pair
  - Other signing algorithms may be supported by the TPM
  - Signing keys may be migrated to other TPMs/platforms
    - Are not allowed to be non-migratable if one of their parent keys is migratable

69 Migration Keys
- Purpose
  - Enable the TPM to act as a migration authority
  - Used to encrypt migratable keys for secure transport from one TPM to another
- Properties
  - 2048-bit RSA en-/decryption key pair
  - Are allowed to be migrated to another TPM
Slide Nr. 84, Lecture Embedded System Security, SS 2015
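As an added example (not part of the slides), a small checker for the key-hierarchy rules stated on slides 66 to 69: every key is protected by a storage key, a non-migratable key may not sit below a migratable one, and a key used for sealing must be a non-migratable storage key. The Key class, the key names and the hierarchy are constructed for the check; it is a model, not the TPM_KEY structure.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class Key:
    """One key of a planned hierarchy (a model for the check, not the TPM_KEY structure)."""
    name: str
    usage: str                       # "storage", "binding", "signing" or "migration"
    migratable: bool
    parent: Optional["Key"] = None   # None only for the root of the hierarchy
    used_for_sealing: bool = False   # storage key intended for sealing secrets to a platform state


def ancestors(key: Key) -> Iterator[Key]:
    """Walk up the hierarchy from the parent to the root."""
    k = key.parent
    while k is not None:
        yield k
        k = k.parent


def check_hierarchy(keys: List[Key]) -> List[str]:
    """Return one message per violated rule; an empty list means the hierarchy is admissible."""
    problems = []
    for k in keys:
        if k.parent is None:
            # the only root is the SRK: a non-migratable storage key created when ownership is taken
            if k.usage != "storage" or k.migratable:
                problems.append(f"{k.name}: a root key must be a non-migratable storage key (the SRK)")
            continue
        # only storage keys protect other keys, so every parent must be one
        if k.parent.usage != "storage":
            problems.append(f"{k.name}: parent {k.parent.name} is a {k.parent.usage} key, not a storage key")
        # a non-migratable key may not sit below a migratable one: migrating the parent would carry it along
        migratable_above = [a.name for a in ancestors(k) if a.migratable]
        if not k.migratable and migratable_above:
            problems.append(f"{k.name}: non-migratable key below migratable ancestor {migratable_above[0]}")
        # sealing ties secrets to this platform, so the sealing key must not be able to leave it
        if k.used_for_sealing and (k.usage != "storage" or k.migratable):
            problems.append(f"{k.name}: sealing requires a non-migratable storage key")
    return problems


def demo_hierarchy() -> List[str]:
    """Constructed hierarchy: two admissible branches under the SRK and three violations."""
    srk = Key("SRK", "storage", migratable=False)
    local = Key("local-storage", "storage", False, srk, used_for_sealing=True)   # admissible sealing key
    sig = Key("report-signing", "signing", False, local)                          # admissible
    backup = Key("backup-storage", "storage", True, srk)                          # migratable storage key
    bind = Key("mail-binding", "binding", True, backup)                           # admissible
    bad1 = Key("fixed-signing", "signing", False, backup)                  # non-migratable under migratable parent
    bad2 = Key("backup-seal", "storage", True, backup, used_for_sealing=True)     # migratable sealing key
    bad3 = Key("under-bind", "signing", True, bind)                        # parent is not a storage key
    return check_hierarchy([srk, local, sig, backup, bind, bad1, bad2, bad3])
```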

70 Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
  - Authentication to the TPM
  - TPM owner, taking ownership, deleting ownership
Slide Nr. 85, Lecture Embedded System Security, SS 2015

71-73 Authentication to the TPM
- Access to protected entities requires authentication
- Two ways to authenticate to the TPM
  - Asserting Physical Presence
    - Proof to the TPM that one has physical access to the platform, via a hardware switch or a BIOS setting (usually the latter is implemented)
    - Can only be used with a limited set of TPM commands
      - Enabling/disabling and activating/deactivating the TPM
      - Resetting the TPM to default settings, deleting the TPM Owner and keys
      - Security-critical commands (TPM firmware update, deletion of the EK)
  - Authentication Protocols (AP)
    - Proof to the TPM that one knows an authentication secret
      - e.g., authentication secret = hash digest of a passphrase
    - Authentication secrets are set by TPM users
      - e.g., when creating a key, the user sets a passphrase that is required to later authorize the use of the key. The TPM stores the passphrase together with the key in a shielded location.
    - Common way to authenticate to the TPM
Slide Nr. 86-88, Lecture Embedded System Security, SS 2015

74 Asserting Physical Presence via BIOS
- Changing this option executes the TPM_ForceClear() command, which resets the TPM to its default settings and deletes the current TPM Owner and all keys (except the EK)
- A remote adversary cannot access the BIOS
- A local adversary with access to the BIOS is able to disable the TPM and even to delete the TPM Owner without the need to know any secret!
Slide Nr. 89, Lecture Embedded System Security, SS 2015

75-77 TPM Authentication Protocols (AP)
- Authentication of commands and their parameters
  - Provide assurance that the command, its parameters and the corresponding response of the TPM have not been modified during their transmission to or from the TPM
- The TPM basically supports 2 authentication protocols
  - OSAP (Object Specific Authentication Protocol)
  - OIAP (Object Independent Authentication Protocol)
- The TPM must support at least two parallel authentication protocol sessions
  - Some TPM commands require two authentications
    - e.g., the command for unsealing data (see sealing)
Slide Nr. 90-92, Lecture Embedded System Security, SS 2015

78 OIAP vs. OSAP
OIAP (Object Independent Authentication Protocol)
- Properties
  - Can authorize the use of multiple different protected entities with multiple commands
  - Only one setup necessary for many different entities to be authorized
  - No session key establishment
- Mainly used for
  - Authorization of the use of protected entities without the need for a shared session secret/key
OSAP (Object Specific Authentication Protocol)
- Properties
  - Can authorize the use of a single protected entity with multiple commands
  - One setup required for each entity to be authorized
  - Establishes an ephemeral shared session key, which can be used as a cryptographic secret
- Mainly used for
  - Setting or changing authentication data for protected entities
Slide Nr. 104, Lecture Embedded System Security, SS 2015
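As an added example (not from the slides), a Python simulation of the authentication protocols described on slides 73, 77 and 78: both sides compute HMAC-SHA1 tags over the command digest and a pair of nonces, OIAP keys the HMAC with the entity's own secret, OSAP derives an ephemeral shared secret from it, and TPM_ChangeAuth uses that shared secret to protect the new authentication data. It follows the TPM 1.2 authorization HMAC construction but is a simplified model: the parameter digest covers only the ordinal and one parameter blob, no real TPM or TSS is involved, and the entity name and passphrases are constructed.

```python
import hashlib
import hmac
import os

TPM_ORD_Sign, TPM_ORD_ChangeAuth = 0x3C, 0x0C   # TPM 1.2 command ordinals
TPM_SUCCESS, TPM_AUTHFAIL = 0, 1                # TPM 1.2 return codes

def sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

def hmac_sha1(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()

def param_digest(*fields):   # ints (ordinal, return code) are encoded as 32-bit big-endian, bytes as-is
    return sha1(*(f.to_bytes(4, "big") if isinstance(f, int) else f for f in fields))

def auth_data(passphrase):
    """Authentication secret as a TPM user sets it: the SHA-1 digest of a passphrase."""
    return sha1(passphrase.encode())

def auth_tag(key, digest, nonce_even, nonce_odd, cont):
    """inAuth / resAuth = HMAC-SHA1(key, paramDigest || nonceEven || nonceOdd || continueAuthSession)."""
    return hmac_sha1(key, digest, nonce_even, nonce_odd, bytes([cont]))


class SimTPM:
    def __init__(self):
        self.entities, self.sessions, self._next = {}, {}, 0x01000000   # entity -> secret, handle -> session

    def oiap(self):
        """TPM_OIAP: bound to no entity, no shared secret; the entity's own secret keys the HMAC."""
        handle, self._next = self._next, self._next + 1
        self.sessions[handle] = {"type": "OIAP", "nonce_even": os.urandom(20)}
        return handle, self.sessions[handle]["nonce_even"]

    def osap(self, entity, nonce_odd_osap):
        """TPM_OSAP: bound to one entity; sharedSecret = HMAC(entityAuth, nonceEvenOSAP || nonceOddOSAP)."""
        nonce_even_osap, handle, self._next = os.urandom(20), self._next, self._next + 1
        shared = hmac_sha1(self.entities[entity], nonce_even_osap, nonce_odd_osap)
        self.sessions[handle] = {"type": "OSAP", "entity": entity, "shared": shared, "nonce_even": os.urandom(20)}
        return handle, self.sessions[handle]["nonce_even"], nonce_even_osap

    def execute(self, handle, entity, ordinal, params, nonce_odd, cont, in_auth):
        """Verify inAuth, run the command, and authenticate the response under a fresh nonceEven."""
        s = self.sessions[handle]
        if s["type"] == "OSAP" and s["entity"] != entity:
            raise ValueError("OSAP session is bound to a different entity")
        key = self.entities[entity] if s["type"] == "OIAP" else s["shared"]
        expected = auth_tag(key, param_digest(ordinal, params), s["nonce_even"], nonce_odd, cont)
        if not hmac.compare_digest(expected, in_auth):
            del self.sessions[handle]       # a failed authorization terminates the session
            return TPM_AUTHFAIL, b"", b""
        if ordinal == TPM_ORD_ChangeAuth:   # OSAP only: the new secret arrives XOR-encrypted under SHA-1(sharedSecret || nonceEven)
            x1 = sha1(s["shared"], s["nonce_even"])
            self.entities[entity] = bytes(a ^ b for a, b in zip(params, x1))
        nonce_even2 = os.urandom(20)
        res_auth = auth_tag(key, param_digest(TPM_SUCCESS, ordinal), nonce_even2, nonce_odd, cont)
        s["nonce_even"] = nonce_even2       # rolling nonce: the next command in this session must use it
        if not cont: self.sessions.pop(handle)   # continueAuthSession = 0 closes the session
        return TPM_SUCCESS, nonce_even2, res_auth


def open_oiap(tpm, passphrase):   # host side (TSS role): same keys from the passphrase, tracks nonceEven
    handle, nonce_even = tpm.oiap()
    return {"handle": handle, "key": auth_data(passphrase), "nonce_even": nonce_even}

def open_osap(tpm, entity, passphrase):
    nonce_odd_osap = os.urandom(20)
    handle, nonce_even, nonce_even_osap = tpm.osap(entity, nonce_odd_osap)
    shared = hmac_sha1(auth_data(passphrase), nonce_even_osap, nonce_odd_osap)
    return {"handle": handle, "key": shared, "nonce_even": nonce_even}

def call(tpm, sess, entity, ordinal, params, cont=1):
    nonce_odd = os.urandom(20)
    tag = auth_tag(sess["key"], param_digest(ordinal, params), sess["nonce_even"], nonce_odd, cont)
    rc, nonce_even2, res_auth = tpm.execute(sess["handle"], entity, ordinal, params, nonce_odd, cont, tag)
    if rc == TPM_SUCCESS:   # the response HMAC shows the reply came from the TPM unmodified
        want = auth_tag(sess["key"], param_digest(rc, ordinal), nonce_even2, nonce_odd, cont)
        if not hmac.compare_digest(res_auth, want):
            raise ValueError("TPM response failed authentication")
        sess["nonce_even"] = nonce_even2
    return rc

def change_auth(tpm, sess, entity, new_passphrase):
    x1 = sha1(sess["key"], sess["nonce_even"])   # TPM_ChangeAuth over OSAP: the new secret never crosses the bus in clear
    enc = bytes(a ^ b for a, b in zip(auth_data(new_passphrase), x1))
    return call(tpm, sess, entity, TPM_ORD_ChangeAuth, enc)


def demo():   # constructed walk-through of both protocols; returns the outcome of each step
    tpm, out = SimTPM(), {}
    tpm.entities["signing-key"] = auth_data("correct horse")
    s = open_oiap(tpm, "correct horse")                   # OIAP: one setup authorizes several commands
    out["oiap_two_commands"] = all(call(tpm, s, "signing-key", TPM_ORD_Sign, m) == TPM_SUCCESS for m in (b"m1", b"m2"))
    s = open_osap(tpm, "signing-key", "correct horse")    # OSAP: the shared secret protects the new auth data
    out["osap_change_auth"] = change_auth(tpm, s, "signing-key", "new secret") == TPM_SUCCESS
    out["new_secret_works"] = call(tpm, open_oiap(tpm, "new secret"), "signing-key", TPM_ORD_Sign, b"m") == TPM_SUCCESS
    s, nonce_odd = open_oiap(tpm, "new secret"), os.urandom(20)   # replaying a captured inAuth
    tag = auth_tag(s["key"], param_digest(TPM_ORD_Sign, b"m"), s["nonce_even"], nonce_odd, 1)
    run = lambda: tpm.execute(s["handle"], "signing-key", TPM_ORD_Sign, b"m", nonce_odd, 1, tag)[0]
    out["replay_rejected"] = (run(), run()) == (TPM_SUCCESS, TPM_AUTHFAIL)
    return out
```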

79 Roadmap: TPM
- Introduction to TPM
- TCG Terminology and assumptions
- Identities and keys
- Authentication and Ownership
  - Authentication to the TPM
  - TPM owner, taking ownership, deleting ownership
Slide Nr. 144, Lecture Embedded System Security, SS 2015

80-82 TPM Owner
- Entity owning a TPM-enabled platform
  - e.g., the person owning the platform or an IT department
- The TPM Owner must initialize the TPM to use its full functionality ("take ownership" of the TPM)
  - Owner sets the owner authentication secret
  - Owner creates the Storage Root Key (SRK) (see TPM keys)
- Owner authentication
  - Proof of knowledge of the owner credentials to the TPM
    - e.g., via TPM authentication protocols or physical presence
  - Permits the TPM to use several protected capabilities
    - e.g., migration of cryptographic keys or deletion of the TPM Owner
Slide Nr. 145-147, Lecture Embedded System Security, SS 2015


More information

Index. Boot sequence DRTM breakout measured launch, 336 local applications, 339 measured launch, 338 SINIT ACM, 338

Index. Boot sequence DRTM breakout measured launch, 336 local applications, 339 measured launch, 338 SINIT ACM, 338 Index A adminwithpolicy, 256 Advanced encryption standard (AES), 29 Asymmetric algorithms, 9 Attestation identity keys (AIKs), 29, 101 Auditing commands audit log, 264, 267 bit field, 264 command audit,

More information

6.857 L17. Secure Processors. Srini Devadas

6.857 L17. Secure Processors. Srini Devadas 6.857 L17 Secure Processors Srini Devadas 1 Distributed Computation Example: Distributed Computation on the Internet (SETI@home, etc.) Job Dispatcher Internet DistComp() { x = Receive(); result = Func(x);

More information

Security in ECE Systems

Security in ECE Systems Lecture 11 Information Security ECE 197SA Systems Appreciation Security in ECE Systems Information security Information can be very valuable Secure communication important to protect information Today

More information

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1 ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation April 2012 Copyright 2012 Algorithmic Research This document

More information

CS 425 / ECE 428 Distributed Systems Fall 2017

CS 425 / ECE 428 Distributed Systems Fall 2017 CS 425 / ECE 428 Distributed Systems Fall 2017 Indranil Gupta (Indy) Dec 5, 2017 Lecture 27: Security All slides IG Security Threats Leakage Unauthorized access to service or data E.g., Someone knows your

More information

Computer Security CS 426 Lecture 17

Computer Security CS 426 Lecture 17 Computer Security CS 426 Lecture 17 Trusted Computing Base. Orange Book, Common Criteria Elisa Bertino Purdue University IN, USA bertino@cs.purdue.edu 1 Trusted vs. Trustworthy A component of a system

More information

CIS 4360 Secure Computer Systems Secured System Boot

CIS 4360 Secure Computer Systems Secured System Boot CIS 4360 Secure Computer Systems Secured System Boot Professor Qiang Zeng Spring 2017 Previous Class Attacks against System Boot Bootkit Evil Maid Attack Bios-kit Attacks against RAM DMA Attack Cold Boot

More information

Security. Communication security. System Security

Security. Communication security. System Security Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security

More information

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33 Background Network Security - Certificates, Keys and Signatures - Dr. John Keeney 3BA33 Slides Sources: Karl Quinn, Donal O Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter. Recommended

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report TM Trusted Computing Group (TCG) Personal Computer (PC) Specific Trusted Building Block (TBB)

More information

Building on existing security

Building on existing security Building on existing security infrastructures Chris Mitchell Royal Holloway, University of London http://www.isg.rhul.ac.uk/~cjm 1 Acknowledgements This is joint work with Chunhua Chen and Shaohua Tang

More information

Unicorn: Two- Factor Attestation for Data Security

Unicorn: Two- Factor Attestation for Data Security ACM CCS - Oct. 18, 2011 Unicorn: Two- Factor Attestation for Data Security M. Mannan Concordia University, Canada B. Kim, A. Ganjali & D. Lie University of Toronto, Canada 1 Unicorn target systems q High

More information

Refresher: Applied Cryptography

Refresher: Applied Cryptography Refresher: Applied Cryptography (emphasis on common tools for secure processors) Chris Fletcher Fall 2017, 598 CLF, UIUC Complementary reading Intel SGX Explained (ISE) Victor Costan, Srini Devadas https://eprint.iacr.org/2016/086.pdf

More information

Covert Identity Information in Direct Anonymous Attestation (DAA)

Covert Identity Information in Direct Anonymous Attestation (DAA) Covert Identity Information in Direct Anonymous Attestation (DAA) Carsten Rudolph Fraunhofer Institute for Secure Information Technology - SIT, Rheinstrasse 75, Darmstadt, Germany, Carsten.Rudolph@sit.fraunhofer.de

More information

Trusted Mobile Platform

Trusted Mobile Platform Software Architecture Description 10/27/2004 Trusted Mobile Platform NTT DoCoMo, IBM, Intel Corporation File Name: TMP_SWAD_rev1_00_20040405.doc Change History (Informative) Type of Change Date Section

More information

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer Dell Firmware Security Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer justin.johnson1@dell.com Dell Security 2 What does BIOS do? Configure and Test System Memory Configure

More information

But where'd that extra "s" come from, and what does it mean?

But where'd that extra s come from, and what does it mean? SSL/TLS While browsing Internet, some URLs start with "http://" while others start with "https://"? Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying

More information

Sharing Secrets using Encryption Facility - Handson

Sharing Secrets using Encryption Facility - Handson Sharing Secrets using Encryption Facility - Handson Lab Steven R. Hart IBM March 12, 2014 Session Number 14963 Encryption Facility for z/os Encryption Facility for z/os is a host based software solution

More information

Bootstrapping Trust in Commodity Computers

Bootstrapping Trust in Commodity Computers Bootstrapping Trust in Commodity Computers Bryan Parno Jonathan M. McCune Adrian Perrig CyLab, Carnegie Mellon University Abstract Trusting a computer for a security-sensitive task (such as checking email

More information

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography and Network Security. Sixth Edition by William Stallings Cryptography and Network Security Sixth Edition by William Stallings Chapter 19 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear, the Board's access to other sources

More information

Creating the Complete Trusted Computing Ecosystem:

Creating the Complete Trusted Computing Ecosystem: FEBRUARY 2018 Creating the Complete Trusted Computing Ecosystem: An Overview of the Trusted Software Stack (TSS) 2.0 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97003 Tel (503) 619-0562 Fax

More information

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide Version 1.0 February 14, 2018 Contents Introduction 3 Operational Environment 3 Setup and Configuration

More information

Key Management and Distribution

Key Management and Distribution Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability Communications and Embedded Systems Department Southwest Research Institute Gary Ragsdale, Ph.D., P.E. August 24 25,

More information