Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Similar documents
Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Embedded System Security Trusted Platform Module

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

CSE543 - Computer and Network Security Module: Trusted Computing

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Atmel Trusted Platform Module June, 2014

TPM v.s. Embedded Board. James Y

An Introduction to Trusted Platform Technology

Trusted Computing: Introduction & Applications

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Hypervisor Security First Published On: Last Updated On:

Flicker: An Execution Infrastructure for TCB Minimization

Embedded System Security Mobile Hardware Platform Security

Embedded System Security Mobile Hardware Platform Security

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

OVAL + The Trusted Platform Module

Crypto Background & Concepts SGX Software Attestation

CIS 4360 Secure Computer Systems Secured System Boot

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

EXTERNALLY VERIFIABLE CODE EXECUTION

Unicorn: Two- Factor Attestation for Data Security

Computer Security CS 426 Lecture 17

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

How to create a trust anchor with coreboot.

CIS 4360 Secure Computer Systems. Trusted Platform Module

UNIT - IV Cryptographic Hash Function 31.1

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

A Proposed Standard for Entity Attestation draft-mandyam-eat-00. Laurence Lundblade. November 2018

Offline dictionary attack on TCG TPM authorisation data

Lecture Embedded System Security Introduction to Trusted Computing

Security and Privacy in Cloud Computing

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Intelligent Terminal System Based on Trusted Platform Module

Mobile Platform Security Architectures A perspective on their evolution

A Robust Integrity Reporting Protocol for Remote Attestation

Applications of Attestation:

Preliminary analysis of a trusted platform module (TPM) initialization process

Sealing and Attestation in Intel Software Guard Extensions (SGX)

Trusted Computing Group

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Master s Thesis. End-To-End Application Security Using Trusted Computing. Michiel Broekman. August 18, 2005

Bootstrapping Trust in Commodity Computers

Lecture 3 MOBILE PLATFORM SECURITY

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Trusted Computing: Introduction & Applications

Building on existing security

Platform Configuration Registers

CIS 4360 Secure Computer Systems. Trusted Platform Module

TCG Guidance for Securing Resource- Constrained Devices. Version 1.0 Revision 22 March 13, Contact:

Design and Analysis of Fair-Exchange Protocols based on TPMs

Dawn Song

6.857 L17. Secure Processors. Srini Devadas

TCG. TCG Specification Architecture Overview. Specification Revision nd August Contact:

Using existing security infrastructures

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Binding keys to programs using Intel SGX remote attestation

Security of Cloud Computing

Trusted Computing and O/S Security

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

IEEE Std and IEEE Std 1363a Ashley Butterworth Apple Inc.

Secure, Trusted and Trustworthy Computing

Kurose & Ross, Chapters (5 th ed.)

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Trusted Virtual Domains: Towards Trustworthy Distributed Services. Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum

On-board Credentials. N. Asokan Kari Kostiainen. Joint work with Jan-Erik Ekberg, Pekka Laitinen, Aarne Rantala (VTT)

Public-key Cryptography: Theory and Practice

OS Security IV: Virtualization and Trusted Computing

Jonathan M. McCune. Carnegie Mellon University. March 27, Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

CS 425 / ECE 428 Distributed Systems Fall 2017

Refresher: Applied Cryptography

Getting to Grips with Public Key Infrastructure (PKI)

Distributed ID-based Signature Using Tamper-Resistant Module

I Don't Want to Sleep Tonight:

Trusted Computing: Security and Applications

Intel s s Security Vision for Xen

Trusted Mobile Platform Technology for Secure Terminals

Enforcing Trust in Pervasive Computing. Trusted Computing Technology.

An Execution Infrastructure for TCB Minimization

PKI Credentialing Handbook

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

Sanctum: Minimal HW Extensions for Strong SW Isolation

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Transcription:

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing Hermann Härtig Technische Universität Dresden Summer Semester 2009

Goals Understand principles of: authenticated booting the difference to (closed) secure booting remote attestation sealed memory Non-Goal: lots of TPM, TCG-Spec details read the documents once needed Distributed OS SS 2009 Authenticated Booting, 2

Some terms Secure Booting Authenticated Booting (Remote) Attestation Sealed Memory Late launch / dynamic root of trust Trusted Computing Trusted Computing Base Attention: terminology has changed... Distributed OS SS 2009 Authenticated Booting, 3

Trusted Computing (Base) Trusted Computing Base (TCB) The set of all components, hardware, software, procedures, that must be relied upon to enforce a security policy Trusted Computing (TC) A particular technology comprised of authenticated booting, remote attestation and sealed memory Distributed OS SS 2009 Authenticated Booting, 4

TC key problems Can running certain SW be prevented? Which computer system do I communicate with? Which stack of Software is running? in front of me? on my server somewhere? Can I restrict access to certain secrets (keys) to certain programs? Distributed OS SS 2009 Authenticated Booting, 5

Trusted Computing Terminology Measuring process of obtaining metrics of platform characteristics Example for metric: Hash- Codes of SW Attestation vouching for accuracy of information Sealed Memory binding information to a configuration Distributed OS SS 2009 Authenticated Booting, 6

DRM: Trust./. No Trust in end user Internet {Digital Content}K Decoder TV Distributed OS SS 2009 Authenticated Booting, 7 K

An Example Application: DRM Digital Content is encrypted using symmetric key Smart- Card contains key authenticates device delivers key only after successful authentication Assumptions Smart Card can protect the key allowed OS can protect the key OS cannot be exchanged Distributed OS SS 2009 Authenticated Booting, 8

Secure Booting / Authenticated Booting A ppl DRM X11 Linux GUI Mini OS Hardware Distributed OS SS 2009 Authenticated Booting, 9

Notation SK priv Sk pub Asymmetric key pair of some entity S { M }Sk priv Digital Signature for message M using the private key of signer S { M }Sk pub Message encrypted using public concellation key of S H(M) Collision-Resistant Hash Function Certificate by authority Ca: { ID, SK pub, other properties } CaK priv Distributed OS SS 2009 Authenticated Booting, 10

Notation Note: { M }Sk priv Digital Signature is short for: encrypt(h(m),sk priv ) { M }Sk pub Message concealed... does not necessarily imply public key encryption for all of M (rather a combination of symmetric and asymmetric methods Distributed OS SS 2009 Authenticated Booting, 11

Identification of Software Program vendor: Foosoft FS Two ways to identify Software: H(Program) {Program, ID- Program}FSK priv use FSK pub to check the signature must be made available, e.g. shipped with the Program The ID of SW must be made available somehow. Distributed OS SS 2009 Authenticated Booting, 12

Tamperresistant black box (TRB) CPU Memory Non-Volatile Memory: Platform Configuration Registers: Distributed OS SS 2009 Authenticated Booting, 13

Ways to burn in the OS or secure booting Read- Only Memory Allowed H(OS) in NV memory preset by manufacturer load OS- Code compare H(loaded OS code) to preset H(OS) abort if different Preset FSK pub in NV memory preset by manufacturer load OS- Code check signature of loaded OS-Code using FSK pub abort if check fails Distributed OS SS 2009 Authenticated Booting, 14

Authenticated Booting (AB) Phases: Preparation by Manufacturers (TRB and OS) Booting & Measuring Remote attestation Distributed OS SS 2009 Authenticated Booting, 15

Authenticated Booting (AB) CPU Memory Non-Volatile Memory: Endorsement Key EK preset by Manufacturer Platform Configuration Registers: Hash-Code obtained during boot Distributed OS SS 2009 Authenticated Booting, 16

Vendors of TRB and OS TRB generates key pair: Endorsement Key (EK) stores in TRB NV Memory: emits: EK priv EK pub TRB vendor certifies: { a valid EK, EK pub }TVK priv OS-Vendor certifies:{ a valid OS, H(OS)}OSVK priv serve as identifiers: EK pub and H(OS) Distributed OS SS 2009 Authenticated Booting, 17

Booting & Attestation Booting: TRB measures OS- Code (computes H(OS-Code)) stores in PCR no other way to write PCR Attestation: Challenge: nonce TRB generates Response: {PCR, nonce' }EK priv Distributed OS SS 2009 Authenticated Booting, 18

Remaining problems Now we know identities: H(loaded-OS) and EK pub Problems to solve: OS versioning Remote attestation on each message (what about reboot?) not only OS on platform (SW stacks or trees) Privacy: remote attestation always reveals EK pub Black box to big Sealed memory Distributed OS SS 2009 Authenticated Booting, 19

AB (Variant 2, allow OS versions) CPU Memory Non-Volatile Memory: Endorsement Key EK preset by Manufacturer Platform Configuration Registers: OSK pub used to check OS Distributed OS SS 2009 Authenticated Booting, 20

Vendors of TRB and OS TRB generates key pair: stores in TRB NV Memory: emits: EK priv EK pub TRB vendor certifies: { a valid EK, EK pub }TVK priv OS-Vendor certifies:{ a valid OS, OSK pub }OSVK priv and signs OS-Code: {OS-Code}OSK priv serve as identifiers: EK pub and OSK pub Distributed OS SS 2009 Authenticated Booting, 21

Booting & Attestation (Variant 2) Booting: TRB checks OS- Code using some OSK pub stores OSK pub in PCR no other way to write PCR Attestation: Challenge: nonce TRB generates Response: {PCR, nonce' }EK priv Distributed OS SS 2009 Authenticated Booting, 22

AB (Variant 3, check for reboot) attestation required at each request: {PCR, nonce' }EK priv PCR: H(OS) bzw. OSK pub always requires access to and usage of EK race condition! Instead: create new keypair on every reboot: OSrunningAuthK priv OSrunningAuthK pub Distributed OS SS 2009 Authenticated Booting, 23

Booting (Variant 3) Booting: TRB checks OS- Code using some OSK pub stores OSK pub in PCR creates OSrunningAuthK keypair certifies: { OSrunningAuthK pub, H(OS)}EK priv Distributed OS SS 2009 Authenticated Booting, 24

Attestation (Variant 3) Attestation: Challenge: nonce OS generates response: { OSrunningAuthK pub, H(OS)}EK priv {nonce} OsrunningAuthK priv Distributed OS SS 2009 Authenticated Booting, 25

Establish Secure Channel to OSRunning Booting: TRB checks OS- Code using some OSK pub stores OSK pub in PCR creates OSrunningAuthK keypair creates OSrunningConsK keypair certifies: { OSrunningAuthK pub, OSrunningConsKpub, H(OS)}EK priv Secure Channel: { message } OSrunningConsK pub Distributed OS SS 2009 Authenticated Booting, 26

Assumptions TRB can protect: EK, PCR OS can protect: OSrunningK priv Rebooting destroys content of PCR and Memory Holding OSrunningK priv Distributed OS SS 2009 Authenticated Booting, 27

Software stacks and trees Application Application Application GUI GUI GUI OS Code OS Code OS Loader OS Loader ROOT ROOT Distributed OS SS 2009 Authenticated Booting, 28

Software stacks and trees Extend Operation stack: PCR n = H(PCR n-1 next-component ) tree: difficult (unpublished?) Key pairs: OS controls applications -> generate key pair per application OS certifies { Application 1, App1K pub } OSrunningK priv { Application 2, App2K pub } OSrunningK priv Distributed OS SS 2009 Authenticated Booting, 29

Remote Attestation and Privacy Remote attestation reveals platform identity: EK pub add intermediate step: Attestation Identity Key (AIK) Trusted third party as anonymizer (TTP) Distributed OS SS 2009 Authenticated Booting, 30

Remote Attestation and Privacy CPU Memory Non-Volatile Memory: EK preset by Manufacturer AIK signed by third party Platform Configuration Registers: Distributed OS SS 2009 Authenticated Booting, 31

Remote Attestation and Privacy Generate AIK in TRB send { AIK } EK priv to trusted third party third party certifies: {AIK, good ID } TTPK priv AIK used instead of EK during remote attestation, response: {AIK, good ID } TTPK priv { OSrunningK pub, H(OS)}AIK priv {nonce} OSrunningK priv Distributed OS SS 2009 Authenticated Booting, 32

Late Launch Use arbitrary SW to start system and load all SW provide specific instruction to enter secure mode - set HW in specific state (stop all processors, IO,...) - Measure root of trust SW - store measurement in PCR AMD: skinit (Hash) arbitrary root of trust Intel: senter (must be signed by chip set manufacturer) Distributed OS SS 2009 Authenticated Booting, 33

Sealed Memory Bind sensitive information to specific configuration (for example: keys to specific machine, specific OS) Provide information using secure channels How to store information in the absence of communication channels? Distributed OS SS 2009 Authenticated Booting, 34

Tamperresistant black box (TRB) CPU Memory Non-Volatile Memory: storage key Platform Configuration Registers: SW-CONFIG Distributed OS SS 2009 Authenticated Booting, 35

Sealed Memory Tamperresistant black box add/delete entry read write Microsoft PCR: H(OS) SUSE MyOwn Distributed OS SS 2009 Authenticated Booting, 36

Sealed Memory Seal(PCR, message): encrypt( PCR, message, Storage-Key) Seal(SW config, message): encrypt( SW config, message, Storage-Key) Unseal(sealed message): decrypt( sealed message, Storage-Key) -> SW config, message If SW config == PCR then emit message else abort Distributed OS SS 2009 Authenticated Booting, 37

Migration? How to transfer information form one TRB to another for example: key for decryption of videos Send information to third party Destroy information locally and prove to third party Thirds party provides information to another entity Distributed OS SS 2009 Authenticated Booting, 38

Tamper Resistant Box? Ideally, includes CPU, Memory, In practise: very rarely, for example IBM 4758... In practise: separate Trusted Platform Modules replacing BIOS breaks TRB Distributed OS SS 2009 Authenticated Booting, 39

TCG PC Platforms CPU memory FSB PCI LPC BIOS TPM Distributed OS SS 2009 Authenticated Booting, 40

TPM NV Store PCR EK AIK Internal Program IO SHA-1 RSA Key gen Random number gen Distributed OS SS 2009 Authenticated Booting, 41

Usage Scenarios and Technical Risks * DRM Bank Game Operating System Distributed OS SS 2009 Authenticated Booting, 42

Technical Risks Hardware: Authenticity, Integrity, Tamper-Resistance Protection of CPU-priv Integrity of RKey-OS-pub Operating System Protection of keys (OSRunning,...), Content,... Isolation Applications Assurance Side Channels! Distributed OS SS 2009 Authenticated Booting, 43

References Specifications: https://www.trustedcomputinggroup.org/ groups/tcg_1_3_architecture_overview.pdf Important Foundational Paper: Authentication in distributed systems: theory and practice Butler Lampson, Martin Abadi, Michael Burrows, Edward Wobber ACM Transactions on Computer Systems (TOCS) Distributed OS SS 2009 Authenticated Booting, 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback