Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Similar documents
Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Embedded System Security Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Secure, Trusted and Trustworthy Computing

Trusted Computing: Introduction & Applications

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

CSE543 - Computer and Network Security Module: Trusted Computing

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Trusted Computing: Introduction & Applications

Applications of Attestation:

Trusted Computing Group

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Atmel Trusted Platform Module June, 2014

TPM v.s. Embedded Board. James Y

Preliminary analysis of a trusted platform module (TPM) initialization process

ISO/IEC INTERNATIONAL STANDARD. Information technology Trusted Platform Module Part 2: Design principles

Platform Configuration Registers

TCG. TCG Specification Architecture Overview. Specification Revision nd August Contact:

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

OVAL + The Trusted Platform Module

Intelligent Terminal System Based on Trusted Platform Module

Ari Singer. November 7, Slide #1

Trusted Computing: Security and Applications

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Connecting Securely to the Cloud

How to create a trust anchor with coreboot.

ISO/IEC INTERNATIONAL STANDARD. Information technology Trusted Platform Module Part 1: Overview

UNIT - IV Cryptographic Hash Function 31.1

Overview. SSL Cryptography Overview CHAPTER 1

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Embedded System Security Mobile Hardware Platform Security

Digital Certificates Demystified

Embedded System Security Mobile Hardware Platform Security

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

An Introduction to Trusted Platform Technology

Design and Analysis of Fair-Exchange Protocols based on TPMs

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Trusted Computing Special Aspects and Challenges

PKI Credentialing Handbook

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

Security and Privacy in Cloud Computing

Software Vulnerability Assessment & Secure Storage

Java Specification Request 321: Trusted Computing API for Java. Tutorial on the Early Draft Review

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

Solving Bigger Problems with the TPM 2.0

Offline dictionary attack on TCG TPM authorisation data

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Crypto Background & Concepts SGX Software Attestation

Sealing and Attestation in Intel Software Guard Extensions (SGX)

Hypervisor Security First Published On: Last Updated On:

A Design of Trusted Computing Supporting Software based on Security Function

CSPN Security Target. HP Sure Start HW Root of Trust NPCE586HA0. December 2016 Reference: HPSSHW v1.3 Version : 1.3

This Security Policy describes how this module complies with the eleven sections of the Standard:

Intel s s Security Vision for Xen

A Robust Integrity Reporting Protocol for Remote Attestation

ARM Security Solutions and Numonyx Authenticated Flash

6.857 L17. Secure Processors. Srini Devadas

CIS 4360 Secure Computer Systems Secured System Boot

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Computer Security CS 426 Lecture 17

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

OS Security IV: Virtualization and Trusted Computing

Security in ECE Systems

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Trusted Virtual Domains: Towards Trustworthy Distributed Services. Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum

Covert Identity Information in Direct Anonymous Attestation (DAA)

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

CS252 Project TFS: An Encrypted File System using TPM

Auditing TPM Commands

Index. Boot sequence DRTM breakout measured launch, 336 local applications, 339 measured launch, 338 SINIT ACM, 338

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide

Refresher: Applied Cryptography

Building on existing security

TLS-ENFORCED ATTESTATION. A Project. California State University, Sacramento. Submitted in partial satisfaction of the requirements for the degree of

But where'd that extra "s" come from, and what does it mean?

Trusted Tamperproof Time on Mobile Devices

Key Management and Distribution

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

CS 425 / ECE 428 Distributed Systems Fall 2017

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Encrypting stored data

Bootstrapping Trust in Commodity Computers

Sirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG

The SafeNet Security System Version 3 Overview

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Cryptography and Network Security. Sixth Edition by William Stallings

Transcription:

1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17

Roadmap: TPM Introduction to TPM TPM architecture Integration of TPM in PC s software and hardware, start-up Core Root of Trust for Measurement (CRTM) TCG Terminology and assumptions Identities and keys Authentication and Ownership

Trusted Platform Module (TPM) Current implementation is a cryptographic coprocessor Hardware-based random number generation Small set of cryptographic functions Key generation, signing, encryption, hashing, MAC Offers additional functionalities Secure storage (ideally tamper-resistant) Platform integrity measurement and reporting Embedded into the platform s motherboard Acts as a Root of Trust TPM must be trusted by all parties Three versions of specification available Version 1.2 is the focus of this lecture Many vendors already ship their platforms with a TPM

Trusted Platform Module (TPM) Cryptographic Co-Processor Asymmetric en-/decryption (RSA) Digital signature (RSA) TPM Architecture Input/Output Protocol en-/decoding Enforces access policies System Interface (e.g., LPC-Bus) SHA-1 HMAC Random Number Generation Key Generation Asymmetric keys (RSA) Symmetric keys Nonces PCR[23] PCR[0] Platform Configuration Registers (PCR) Storage of integrity measurements : : PCR[1] Opt-In Stores TPM state information (e.g., if TPM is disabled) Enforces state-dependent limitations (e.g., some commands must not be executed if the TPM is disabled) Execution Engine Processes TPM commands Ensures segregation of operations Ensures protection of secrets Non-Volatile Memory Stores persistent TPM data (e.g., the TPM identity or special keys) Provides read-, write- or unprotected storage accessible from outside the TPM

Features of Next Generation TPM Variability of cryptographic algorithms Current TPM specifications fixed on RSA and SHA-1 Support of different crypto algorithms needed in many applications (e.g., ECC-based crypto) Support for virtualized systems Current TPMs are difficult to virtualize Virtualization support required in many security architectures (e.g., Virtual Machines need virtual TPMs) Security enhancements e.g., to prevent users from choosing weak TPM passwords Performance and usability improvements

TPM Integration into PC-Hardware Central Processing Unit (CPU) Graphics Controller Graphics and Memory Controller HUB (GMCH) Chipset (Northbridge) System Memory Hard Disks Expansion Cards Interface Controller HUB (ICH) Chipset (Southbridge) USB Devices Network Interface Low Pin Count (LPC) Bus System BIOS TPM Floppy Drive PS/2 Super I/O (Legacy Devices) Parallel I/O Serial I/O

TPM Software Integration Operating System Applications (local) Remote Trusted Platform TCG-Application TSP Interface (TSPI) TCG Service Provider (TSP) provides object-oriented interface for TCGenabled TCS Interface (TCSI) applications TPM Device Driver Conventional Application Conventional Cryptographic Interface (e.g., MS-CAPI, PKCS#11) Remote TCG-Application TCS I TCG Service Provider (TSP) RPC Client TCS I TCG Service Provider RPC Server (TSP) RPC (Remote Procedure Call) TCG Core Services (TCS) key and credential management platform integrity measurement and reporting (TPM Event Log) parsing and handling of TPM commands TDDL Interface (TDDLI) TPM Device Driver Library (TDDL) provides standard interface for TPMs of different manufacturers transition between user mode and kernel mode Hardware CRTM TPM Trusted Software Stack (TSS) System Services

Core Root of Trust for Measurement (CRTM) Immutable portion of the host platform s initialization code that is executed upon a host platform reset Trust in all measurements is based on the integrity of the CRTM Ideally the CRTM is contained in TPM Implementation decisions may require the CRTM to be located in other firmware (e.g., BIOS boot block)

Possible CRTM Implementations 1. CRTM = BIOS Boot Block BIOS is composed of BIOS Boot Block and POST BIOS Each of these are independent components Each can be updated independent of the other POST BIOS is not part of CRTM but is measured by the Chain of Trust 2. CRTM = Entire BIOS BIOS is composed of a single atomic entity Entire BIOS is updated, modified, or maintained as a single component

Roadmap: TPM Introduction to TPM TPM architecture Integration of TPM in PC s software and hardware, start-up Core Root of Trust for Measurement (CRTM) TCG Terminology and assumptions Identities and keys Authentication and Ownership

TCG Terminology I Shielded Location Place where sensitive data can be stored or operated on safely e.g., memory locations inside the TPM or data objects encrypted by the TPM and stored on external storage (e.g., hard disk) Protected Capabilities (Protected Functions) Set of commands with exclusive permission to access shielded locations e.g., commands for cryptographic key management, sealing of data to a system state, etc. Protected Entity Refers to a protected capability or sensitive data object stored in a shielded location

TCG Terminology II Integrity Measurement Process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform and storing digests of these metrics in the TPM s PCRs Platform characteristic = hash digest of the software to be executed Platform Configuration Registers (PCR) Shielded location to store integrity measurement values PCRs can only be extended: PCR i+1 SHA-1(PCR i, value) PCRs are reset only when the platform is rebooted Integrity Logging Storing integrity metrics in a log for later use Storing additional information about what has been measured like software manufacturer name, software name, version, etc.

TCG Assumptions and Trust Model I Unforgeability of measurements Platform configuration cannot be forged after measurements have been taken However, today s OS can be (maliciously) modified Hash digests of binaries express trustworthiness Verifier can determine initial configuration from digests However, TCB of today s platforms are too complex Secure channels can be established Between HW components (TPM and CPU) since they may have certified authentication keys provided by a PKI Between machines running on the same platform (e.g., attestor and host) by using operating system mechanisms (secure OS)

TCG Assumption and Trust Model II Protection against software attacks only Unprotected communication link between TPM and CPU Security issues of certain TPM aspects Automated verification available Integration of TPM in chipset may potentially be problematic Engineering trade-off between security and technical evaluation TPM Construction Kit Towards more security against hardware attacks Currently TPMs have rudimentary hardware protection mechanisms Over/under voltage detection, low frequency sensor, high frequency filter, reset filter, memory encryption/decryption, etc. Some manufacturers started 3 rd party certification (Common Criteria) CRTM is not tamper-resistant (implemented in unprotected BIOS)

Roadmap: TPM Introduction to TPM TCG Terminology and assumptions Identities and keys TPM and platform identity TPM keys and their properties TPM key types Authentication and Ownership

TPM Identity (Endorsement Key) TPM identity represented as Endorsement Key (EK) Unique en-/decryption key pair Private key does not leave TPM Public key is privacy-sensitive (since it identifies a TPM/platform) Generated during manufacturing process of TPM Either in TPM or externally and then embedded into the TPM Must be certified by EK-generating entity e.g., by the TPM manufacturer Can be deleted (revoked) and re-generated by a TPM user Revocation must be enabled during creation of the EK Deletion must be authorized by a secret defined during EK creation EK-recreation invalidates Endorsement Credential (EC) Readable from TPM via TPM_ReadPubek (command disabled after taking ownership of the TPM) TPM_OwnerReadInternalPub (requires owner authentication secret set during taking ownership) EK

Endorsement Credential Digital certificate stating that EK has been properly created and embedded into a TPM Issued by the entity who generated the EK e.g., the TPM manufacturer Includes TPM manufacturer name TPM model number TPM version Public EK (privacy sensitive) Endorsement pk EK EK

Platform Identity Platform identity is equivalent to TPM identity (EK) EK is unique identifier for a TPM A TPM must be bound to only one platform Either physical binding (e.g., soldered to the platform s motherboard) or logical binding (e.g., by using cryptography) Common implementation: TPM soldered to the platform s motherboard Therefore an EK uniquely identifies a platform Platform Credential asserts that a TPM has been correctly integrated into a platform

Platform Credential Digital certificate stating that an individual platform contains the TPM described in the Endorsement Credential (EC) Issued by the platform manufacturer e.g., system or motherboard manufacturer Includes Platform manufacturer name Platform model and version number References to (digests of) the corresponding Endorsement and Conformance Credential Conformance Credential asserts that a platform type fulfills the evaluation guidelines defined by the TCG Endorsement pk EK Platform Hash(EK) ConfCred Conformance

TPM Credentials on PC Platform TPM credentials may be distributed in the following ways On platform's distribution CD (impractical: every platform requires individual CD) On a partition on the platform's hard disk Over TPM or platform manufacturer s web site In non-volatile storage area of TPM (most commonly used) Current situation: Only one TPM manufacturer is known to provide an Endorsement Credential There is no known TPM that comes with a Platform or Conformance Credential Distribution via non-volatile storage Reserved address space in non-volatile storage of TPM for TPM credentials Access to these credentials only allowed after TPM owner authentication Distribution via manufacturer s website Requires identification of the TPM, e.g., via EK: TSS establishes secure channel (authenticated, confidential) with TPM manufacturer TSS reads public EC pkek from TPM and sends hash(pkek) to TPM manufacturer TPM manufacturer looks up corresponding credentials and sends them to TSS TSS stores received credentials (e.g., on hard disk or in TPM s non-volatile storage)

Roadmap: TPM Introduction to TPM TCG Terminology and assumptions Identities and keys TPM identity and platform identity TPM keys and their properties TPM key types Authentication and Ownership

Migratable and Non-Migratable Keys Migratable keys Can be migrated to other TPMs/platforms Third parties have no assurance that such keys have been generated by a TPM Third parties may not trust migratable keys Non-migratable keys Cannot be migrated to other TPMs/platforms Guaranteed to only reside in TPM-protected locations TPM can generate certificate stating that a key is non-migratable

Storage Root Key (SRK) TPM contains Root of Trust for Storage (RTS) Secure data storage implemented as a hierarchy of keys Storage Root Key (SRK) is root of this key hierarchy Storage Root Key (SRK) represents RTS RSA en-/decryption key pair Must at least have 2048-bit key length Private SRK must not leave TPM Generated by TPM during process of installing TPM Owner Deleted when the TPM Owner is deleted This makes key hierarchy inaccessible and thus destroys all data encrypted with keys in that hierarchy

A B means A encrypts B A is called parent key of B TPM Key Hierarchy TPM EK External Storage e.g., hard disk Bind K Migr K StorK File SymK AIK StorK SigK File StorK AIK SigK SRK SymK File AIK StorK Bind K Depth of hierarchy and number of TPM-protected keys only limited by size of external storage Storage keys (StorK) protect all other key types Attestation ID keys (AIK) Signing keys (SigK) Binding keys (BindK) Migration Keys (MigrK) Symmetric keys (SymK) Transitive protection SRK indirectly protects arbitrary data (e.g., files)

Roadmap: TPM Introduction to TPM TCG Terminology and assumptions Identities and keys TPM identity and platform identity TPM keys and their properties TPM key types Authentication and Ownership

TPM Key Types TPM provides 9 different types of keys 3 special TPM key types Endorsement Key, Storage Root Key, Attestation Identity Keys 6 general key types Storage, signing, binding, migration, legacy and authchange keys Most important key types explained in following slides Each key may have additional properties, the most important ones are Migratable, non-migratable, certified migratable e.g., whether the key is allowed to be migrated to another TPM Whether the key is allowed only to be used when the platform is in a specific (potentially secure) configuration

Attestation Identity Keys (AIK) Purpose Used to attest to current platform configuration e.g., authentically report the current hard- and software environment to a remote party (see attestation) Alias for TPM/platform identity (Endorsement Key) Use of AIKs should prevent tracking of TPMs/platforms e.g., the transactions of a platform can be traced if the EK is used in various protocol runs with different colluding service providers Properties AIKs are non-migratable signing keys (e.g., 2048-bit RSA) Generated by the TPM Owner TPM/platform may have multiple AIKs e.g., one for online-banking, one for e-mail, etc.

Certification of AIKs AIK requires certification that it comes from a TPM TCG specifies two possibilities (details later) Certification by Trusted Third Party (Privacy CA in TCG Terminology) Privacy problems: Privacy CA can link transactions of a TPM Certification via DAA (Direct Anonymous Attestation) Achieves unlinkability of TPM transactions No Privacy CA needed Zero-knowledge proof of knowledge of possession of a valid certificate

Storage Keys Purpose: Protection of keys outside the TPM e.g., a storage key can be used to encrypt other keys, which can be stored on a hard disk Storage Root Key (SRK) is a special storage key Protection based system configuration/properties (sealing) e.g., encryption of secrets, which can only be recovered if the platform has a defined hard-/software environment Properties Typically 2048-bit RSA en-/decryption key pair Generally allowed to be migrated to other TPMs are not allowed to be non-migratable if one of their parent keys is migratable must be non-migratable if used for sealing

Binding Keys Purpose Protection of arbitrary data outside the TPM Binding is equivalent to traditional asymmetric encryption Properties Typically RSA 2048-bit en-/decryption key pair Other asymmetric encryption schemes may be supported by the TPM Can only be used with binding commands Migratable to other TPMs/platforms Are not allowed to be non-migratable if one of their parent keys is migratable

Signing Keys Purpose Message authentication of arbitrary data external to TPM e.g., to ensure integrity of arbitrary files stored on the platform or protocol messages sent by the platform and their origin Authentic report of TPM-internal information e.g., for auditing TPM commands or reporting TPM capabilities Properties Typically 2048-bit RSA signing/verification key pair Other signing algorithms may be supported by the TPM Signing keys may be migrated to other TPMs/platforms Are not allowed to be non-migratable if one of their parent keys is migratable

Migration Keys Purpose Enable TPM to act as migration authority Used to encrypt migratable keys for secure transport from one TPM to another Properties 2048-bit RSA en-/decryption key pair Are allowed to be migrated to another TPM

Roadmap: TPM Introduction to TPM TCG Terminology and assumptions Identities and keys Authentication and Ownership Authentication to the TPM TPM owner, taking ownership, deleting ownership

Authentication to the TPM Access to protected entities requires authentication Two ways to authenticate to the TPM Asserting Physical Presence Proof to the TPM that one has physical access to the platform via a hardware switch or BIOS setting (usually the latter is implemented) Can only be used with a limited set of TPM commands Enabling/disabling and activating/deactivating TPM Resetting TPM to default settings, delete TPM Owner and keys Security critical commands (TPM firmware update, deletion of EK) Authentication Protocols (AP) Proof to the TPM that one knows authentication secret e.g., authentication secret = hash digest of a passphrase Authentication secrets set by TPM users e.g., when creating a key, the user sets a passphrase that is required to later authorize the use of the key. The TPM stores the passphrase together with the key in a shielded location. Common way to authenticate to the TPM

Asserting Physical Presence via BIOS Changing this option executes the TPM_ForceClear() command, which resets the TPM to its default settings and deletes the current TPM Owner and all keys (except EK) A remote adversary cannot access the BIOS A local adversary with access to the BIOS is able to disable the TPM and even to delete the TPM Owner without the need to know any secret!

TPM Authentication Protocols (AP) Authentication of commands and their parameters Provide assurance that the command, its parameters and the corresponding response of the TPM have not been modified during their transmission to or from the TPM TPM basically supports 2 authentication protocols OSAP (Object Specific Authentication Protocol) OIAP (Object Independent Authentication Protocol) TPM must support at least two parallel authentication protocol sessions Some TPM commands require two authentications e.g., command for unsealing data (see sealing)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback