TPM: Trusted Platform Module
Sumeet Bajaj, [email protected], 9 Feb 2011, CSE 408

Introduction: Attestation of a Remote Platform
A verifier sends a verification request to the platform and receives verification data in return. Goals:
• Identify the specific platform
• Verify the software stack on the remote platform
Use case: corporate network. A user system connects, and the network verifies the user system before admitting it.

TPM: Trusted Platform Module
• Secure crypto-processor
Uses
• Remote attestation
• Binding, sealing: data encryption
Applications
• Platform integrity
• Disk encryption
• Password protection
• Digital rights management
• Software licenses
The TPM is deployed on the remote platform: the verifier sends its verification request to the platform, and the platform answers with verification data.

TPM Specification
Design, structure, commands.
No TPMs: China, Russia, Belarus, Kazakhstan
TPM chips. Example: 300 million PCs have shipped with a chip called the Trusted Platform Module (TPM).

TPM Specification v1.1 (184 pages)
• FIPS 140-2 certification
• Commands for all operations, e.g. key generation, PCR extension
• Processes for key generation and management
• Cryptographic processes, e.g. random number generation
• TPM architecture
• TPM operation, including initialization, self-test modes, startup, enabling, disabling, etc.

FIPS 140-2 Levels
• Level 1: the lowest; imposes very limited requirements. Loosely, all components must be "production-grade".
• Level 2: adds requirements for physical tamper-evidence and role-based authentication.
• Level 3: adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.
• Level 4: makes the physical security requirements more stringent and requires robustness against environmental attacks.
FIPS: Federal Information Processing Standard

TPM Architecture: PCR (Platform Configuration Register)
• A PCR is 160 bits
• Minimum of 16 PCRs
• Store integrity metrics
• Avoid overwriting: PCRi_new = HASH(PCRi_old || value to add)
• Unlimited number of measurements
• Measurements are ordered
• If extending is disabled, the PCR still works but returns 0s

TCG Boot Process
Layers, top to bottom: Application, Operating System, MBR/OS Loader, BIOS, BIOS Boot Block, Platform.
PCR0 = 0; H is SHA-1.
PCR_Extend(n, <BIOS CODE>): PCR1 = H(PCR0 || <BIOS Code>)
PCR_Extend(n, <MBR CODE>): PCR2 = H(PCR1 || <MBR Code>)
PCR_Extend(n, <OS CODE>): PCR3 = H(PCR2 || <OS Code>)
PCR_Extend(n, <APP CODE>): PCR4 = H(PCR3 || <APP Code>)

Root of Trust
• Root of Trust in Integrity Measurement: BIOS Boot Block, BIOS, MBR/OS Loader, Operating System, Application; each stage measures the next and extends the PCRs.
• Root of Trust in Integrity Reporting

Simple Attestation Method
Keys: PK_TPM & SK_TPM (Endorsement Key); PK_AIK & SK_AIK (Attestation Identity Key). Application A generates PK_A & SK_A. The verifier holds PK_TPM and a DB.
1) Application A: Read_PCR from the TPM
2) TPM: {PCR}_SK_AIK
3) TPM: Cert{PK_AIK}_SK_TPM, {PCR}_SK_AIK
4) Platform → Verifier: Cert{PK_AIK}_SK_TPM, {PCR}_SK_AIK
5) Verifier verifies the signature
6) Verifier looks up #A in the DB (PCR lookup: "ok")
7) ...
• The EK is one-time, unique per TPM
• An AIK can be used anew for each attestation
Problem! Does not protect user privacy

Solution: Single key pair for all TPMs
The manufacturer holds PK_TPM & SK_TPM, and every TPM (TPM1, TPM2, ..., TPMn) carries the same SK_TPM.
Problem! The verifier cannot identify legitimate TPMs from fake ones.

Solution: Certificate Authority (TPM v1.1)
The TPM holds PK_TPM & SK_TPM (Endorsement Key) and PK_AIK & SK_AIK (Attestation Key). The Privacy Certification Authority (CA) holds the list PK_TPM1 & SK_TPM1, PK_TPM2 & SK_TPM2, ..., PK_TPMn & SK_TPMn.
1. TPM → CA: Cert{PK_AIK}_SK_TPM
3. CA → TPM: Cert{PK_AIK}_SK_CA
4. Verifier → TPM: verification request
5. TPM → Verifier: Cert{PK_AIK}_SK_CA
Problem! Scale, collusion
2. Between steps 1 and 3, the CA
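The extend chain and the verifier's database lookup above, as an added Go example (not code from the deck): a single register models the PCR, each stage's digest is extended in boot order, and the verifier compares the reported value against a constructed known-good stack; AIK signature checking is left out and the sample stage contents are made up.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
)

// PCR models one 160-bit Platform Configuration Register; it is all zeros at reset.
type PCR [sha1.Size]byte

// Extend is the only write operation a PCR offers: PCR_new = SHA-1(PCR_old || value).
func Extend(old PCR, value []byte) PCR {
	h := sha1.New()
	h.Write(old[:])
	h.Write(value)
	var out PCR
	copy(out[:], h.Sum(nil))
	return out
}

// MeasuredBoot replays the deck's chain BIOS -> MBR -> OS -> application: each stage's
// code is hashed and the digest extended, so the result depends on every stage and on
// their order; the deck's PCR0..PCR4 are folded into one register here.
func MeasuredBoot(stages [][]byte) PCR {
	var pcr PCR // PCR0 = 0
	for _, code := range stages {
		m := sha1.Sum(code)
		pcr = Extend(pcr, m[:])
	}
	return pcr
}

// Attest is the verifier's step 6: after the AIK signature on {PCR} has been checked
// (signature handling is omitted here), the value is looked up in a known-good DB.
func Attest(reported PCR, db map[string]PCR) (string, bool) {
	for name, good := range db {
		if good == reported {
			return name, true
		}
	}
	return "", false
}

// KnownGood is a constructed database (not real firmware hashes): the verifier enrols
// the PCR expected from the approved corporate software stack.
func KnownGood() map[string]PCR {
	stack := [][]byte{[]byte("bios-v1"), []byte("mbr-v1"), []byte("os-v1"), []byte("app-v1")}
	return map[string]PCR{"corporate-image-2011": MeasuredBoot(stack)}
}

// String renders a PCR the way tools print it, as 40 hex digits.
func (p PCR) String() string { return hex.EncodeToString(p[:]) }
```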
searches its list for PK_TPM; the verifier has a rogue TPM key removed from the list.

Direct Anonymous Attestation (DAA) – TPM Spec 1.2
• Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP)
• Based on the Camenisch-Lysyanskaya anonymous credential system
Direct Anonymous Attestation: without a TTP; does not reveal the signer's identity; attests a claim from a TPM.
A TPM holding SK_AIK1 and SK_AIK2 sends DAA{SK_AIK1} to Verifier1 and DAA{SK_AIK2} to Verifier2. Verifier1 can tell SK_AIK1 is from a TPM, but not which one. Verifier2 can tell SK_AIK2 is from a TPM, but not which one. Neither can tell whether SK_AIK1 and SK_AIK2 are from the same TPM.

Direct Anonymous Attestation (Join)
The TPM commits to a secret, derived by the TPM from the issuer's name, and proves it to the Issuer; the Issuer's signature on the (public) DAA certificate results.

Direct Anonymous Attestation (Verification)
Zero-knowledge proof protocol: the TPM proves to Verifier1 that it knows the secret, and proves that the exponent is related.
• Used for blacklisting
• Used for linking transactions from the same TPM

Secure Storage
TPM_Seal(Blob, PCR'): stores Blob' = {Blob || PCR'}_SK_ENC
TPM_UnSeal(Blob'): checks whether the current PCR = PCR' in Blob'. If true, Blob = Decrypt{Blob'}_SK_ENC; if false, return failure.
• OS & apps sealed with the MBR's PCR
• Seal a web server's SSL key
• Microsoft BitLocker
• Blob size is 256 bytes

DRM – E.g.
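Seal and UnSeal as described above, as an added Go example that is not from the deck: AES-GCM stands in for encryption under SK_ENC (an assumption; the deck does not name the cipher), the seal-time PCR' is stored inside Blob', and UnSeal returns the blob only when the current PCR matches. The DRM variant on the next slide adds only the counter test to the same check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const pcrLen = 20 // a PCR holds a 160-bit SHA-1 value

func newGCM(skEnc []byte) (cipher.AEAD, error) { // AES-GCM stands in for the TPM's SKENC cipher (assumption)
	block, err := aes.NewCipher(skEnc)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces Blob' = {Blob || PCR'}_SKENC; the seal-time PCR' travels inside the ciphertext.
func Seal(skEnc, blob, pcr []byte) ([]byte, error) {
	gcm, err := newGCM(skEnc)
	if err != nil || len(pcr) != pcrLen {
		return nil, errors.New("bad key or PCR length")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := append(append([]byte{}, blob...), pcr...)
	return gcm.Seal(nonce, nonce, msg, nil), nil // nonce || ciphertext || tag
}

// Unseal releases Blob only if the current PCR equals the sealed PCR'; any other platform state, or a modified blob, fails.
func Unseal(skEnc, sealed, currentPCR []byte) ([]byte, error) {
	gcm, err := newGCM(skEnc)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed blob")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil || len(plain) < pcrLen {
		return nil, errors.New("decryption or integrity check failed")
	}
	cut := len(plain) - pcrLen
	if !bytes.Equal(plain[cut:], currentPCR) {
		return nil, errors.New("current PCR differs from sealed PCR")
	}
	return plain[:cut], nil
}
```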
using TPM counters
Application: media player. SK_ENC, COUNTER = 0
TPM_Seal(Blob, PCR'): stores Blob' = {Blob || PCR'}_SK_ENC
TPM_UnSeal(Blob'): checks whether the current PCR = PCR' in Blob' && COUNTER < N. If true, Blob = Decrypt{Blob'}_SK_ENC and COUNTER++; if false, return failure.
• Music can be played for 30 days only

Trusted Software Stack (TSS)
• Standard API for accessing functions of the TPM
• OS agnostic
http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification

Trusted Hardware: Introduction
Examples: 6000 PCI, 4764/65, SafeXcel. Setting: a server hosting a database, with trusted hardware attached; the clients trust the hardware.
• Trusted by the clients
• Performs or aids query processing
• Can provide tamper proofing / detection
• Supports cryptographic functions (software or hardware based)
• Commonly used as accelerators

Trusted Hardware: Benefits & Limitations
IBM 4764: processor 233 MHz PowerPC; memory 32 MB; crypto hardware engines AES256, DES, TDES, DSS, SHA-1, MD5, RSA.
Throughput per second, OpenSSL 0.9.7f context:

| Function | Context | IBM 4764 | P4 @ 3.4 GHz |
| RSA signature | 1024 bits | 848 | 261 |
| RSA signature | 2048 bits | 316–470 | 43 |
| RSA verification | 1024 bits | 1157–1242 | 5324 |
| RSA verification | 2048 bits | 976–1087 | 1613 |
| SHA-1 | 1 KB | 1.42 MB | 80 MB |
| SHA-1 | 64 KB | 18.6 MB | 120+ MB |
| SHA-1 | 1 MB | 21–24 MB | not given |
| 3DES | 1 KB | 1.08 MB | 18 MB |
| 3DES | 64 KB | 7.73 MB | 17 MB |
| 3DES | 1 MB | 8.56 MB | 15 MB |
| AES 128 | 1 KB | 14+ MB | 100+ MB |
| DMA xfer end-to-end | | 75–90 MB | 1+ GB |

IBM 4764: tamper-resistant and tamper-responsive design, FIPS level 4 certified; limited resources; synchronous communication channel with the host; hardware crypto engine.

Outbound Authentication [Smith et al.]
SCPU – 4764, layers from the bottom up:
• Miniboot 0 – Layer 0: PK_MAN, SK_MAN; H(L0CODE)
• Miniboot 1 – Layer 1: PK_DEV, SK_DEV; H(L1CODE)
• OS – Layer 2: PK_OS, SK_OS; H(L2CODE)
• TrustedDB – Layer 3: PK_TDB, SK_TDB; H(L3CODE); K_DATA
Outbound Authentication Certificate: each layer's public key and code hash are signed by the layer below: {PK_TDB, H(L3CODE)}_SK_OS; {PK_OS, H(L2CODE)}_SK_DEV; {PK_DEV, H(L1CODE)}_SK_MAN; {PK_MAN, H(L0CODE)}_SK_CMAN.
Protocol: 1. Request (CLIENT → TrustedDB); 2. OA Certificate; 3. OA Certificate. The client holds PK_CMAN; K_DATA appears on both the client and TrustedDB (Layer 3).
Notation: PK_A: public key of A; SK_A: private key of A; H(M): hash of message M.
SIGMOD 2011: TrustedDB

Thank you
Sumeet Bajaj, [email protected], 9 Feb 2011, CSE 408
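The outbound-authentication certificate chain above, as an added Go example (not TrustedDB's or the 4764's code): each layer signs {PK of the next layer, H(its code)} with its own key, and the client walks the chain from the key it trusts (PK_CMAN in the deck) up to PK_TDB. P-256 ECDSA and PKIX key encoding are assumptions; the device uses its own keys and formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
)

// Cert is one link of the chain: layer i-1 signs {PK_i, H(code_i)} with its own key.
type Cert struct {
	Pub      []byte // PKIX DER encoding of layer i's public key
	CodeHash [sha1.Size]byte
	Sig      []byte
}

// NewKey mints a layer key pair (P-256 is an assumption; the 4764 itself uses RSA).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// digest is the one message that gets signed: H(PK_i || H(code_i)).
func digest(pub []byte, code [sha1.Size]byte) []byte {
	s := sha1.Sum(append(append([]byte{}, pub...), code[:]...))
	return s[:]
}

// Issue runs in layer i-1 as it loads layer i: hash the code, sign it with the new key.
func Issue(signer *ecdsa.PrivateKey, layerPub *ecdsa.PublicKey, code []byte) (Cert, error) {
	pub, err := x509.MarshalPKIXPublicKey(layerPub)
	if err != nil {
		return Cert{}, err
	}
	c := Cert{Pub: pub, CodeHash: sha1.Sum(code)}
	c.Sig, err = ecdsa.SignASN1(rand.Reader, signer, digest(pub, c.CodeHash))
	return c, err
}

// VerifyChain walks up from the trusted root (PK_CMAN), checking each Cert with the key the previous one vouched for; it returns the top layer's key (PK_TDB).
func VerifyChain(root *ecdsa.PublicKey, chain []Cert) (*ecdsa.PublicKey, bool) {
	cur := root
	for _, c := range chain {
		k, err := x509.ParsePKIXPublicKey(c.Pub)
		next, ok := k.(*ecdsa.PublicKey)
		if err != nil || !ok || !ecdsa.VerifyASN1(cur, digest(c.Pub, c.CodeHash), c.Sig) {
			return nil, false
		}
		cur = next
	}
	return cur, true
}
```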