Combining Trusted Computing and Smart Cards for Trustworthy VPN Access
Bachelor Thesis - Final Presentation
Michael Dorner
Chair for Network Architectures and Services
Department of Computer Science
Technical University of Munich
24.04.2013

Agenda
1. Introduction
2. System design
3. Evaluation
4. Conclusion

The Real World Problem
- “Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of [US] media companies..” - Wall Street Journal (31.01.2013)
- “Facebook hacked in ‘sophisticated attack’” - The Guardian (16.02.2013)
- “Microsoft hacked by same cyberattack as Apple and Facebook” - The Telegraph (23.02.2013)

Technical Issue
- Computer security mechanisms are not tightly integrated, but applied on top of the OS → fairly easy to circumvent once in control of the host
- Networks are not designed to support containment of an infection
- Approach: link host- and network-security
- Requires integrity-defining state to be created in a secure and attestable way to make it usable for access decisions
- Lying endpoint problem: hosts may lie about their actual state to manipulate the access decision

Trusted Platform Module
- Used to counter lying endpoint problem
- Local deputy - hardware security module with passive host-independent capabilities
- Provides protected state storage (PCR) and capabilities
- Protected capabilities include attestation (cryptographic proof) of protected storage contents to remote parties
- Core Root of Trust for Measurement (CRTM): protected TPM storage used to store state measurements from the very first boot stage, the trusted CRTM (not part of the TPM)

Integrity measurements: Chain of Trust
[Figure: Chain of Trust. Stages shown, bottom to top: CRTM, BIOS, Stage 1: MBR, Stage 1.5, Stage 2, Kernel: IMA, Userspace Applications. Labels: "Measure, then Load", "Store Measurements" (TPM).]

Integrity Measurement Architecture - IMA
- Kernel module, relies on CRTM functionality
- Continues chain of trust after kernel has been loaded - what is measured is defined by policy
- Creates Integrity Measurement List (IML), which stores these measurements
- Integrity of the list protected by check-value (hash) in protected TPM-storage
- Allows attestation of the measurement list

State of the Art: Secure Boot
- States of a host during boot are predefined
- Deviation will force the host to stop booting, since subsequent stages cannot be loaded
- Authenticating parties make implicit assumption that any booted host is clean
- Compatible with post-boot techniques like IMA
- Problem:
  - no attestable state
  - may be abused to lock users out (DoS)
  - needs additional post-boot techniques to continue protection
  - can place serious restrictions on the systems that can be booted

State of the Art 2: TNC
- Trusted Network Connect: AAA-server queries state of a host, tracks and evaluates it
- Access point queries TNC-server via EAP
- Access decision based on EAP-response
- Problems:
  - centralized → vulnerable to DoS
  - may violate privacy
  - implicitly demands integrity of the AAA-server

Proposal: Smart card based Solution
- Attestation from the host to a smart card, which acts as local trustworthy verifier
- Smart card checks integrity-state and, if acceptable, certifies it with a token
- Host presents token to Authenticating Party
- Authenticating Party checks token against policy, makes access decision
- Goal: decentralized, privacy-preserving, inherently secure

Smart Cards
- Functionality ranges from simple key storage to execution capabilities
- Strong hardware-protection and full security-evaluation possible due to simplicity of the card
- JavaCard: Implements reduced set of Java on smart cards
- JavaCard connected extends classic JavaCards with networking (HTTP/HTTPS)
- Connected cards have more powerful hardware

Access to a Company-VPN
- Access Point (VPN-AP) must enforce that only “clean” hosts can join
- Clean: policy defined set of states, which are considered to represent a trustworthy host
- Host is the personal device of an organization member, which accesses the VPN over an untrusted network
- Host attests state to a smart card, obtains token, presents token to VPN-AP

Next
1. Introduction
2. System design
3. Evaluation
4. Conclusion

System Requirements
- R1: Strong proof of integrity and strong authentication
- R2: System must be fast enough to be used in connection-establishment (comparable to regular IKE)
- R3: Allow for access decision based on host security
- R4: Preserve user privacy and general freedom to execute arbitrary code

Topology of the proposed solution
[Figure: System Topology of the central entities. Labels: TPM, AIK, Smart Card, SC-ID, TA, Linux Host with IMA, Authenticating Party.]

Host State Attestation and Evaluation
[Figure: Verification Process of a Platform Verification Certificate (PVC). Sequence diagram between Host, TPM and SC, with the diagram labels "Attestation" and "IMA". Messages and actions in diagram order:]
1. Initiate Connection
2. Accept, Nonce Card
3. GetAttestation(Check-Value, Nonce)
4. Sig_AIK(Check-Value, Nonce)
5. Transmit Attestation
6. Verify Attestation
7. Request IML
8. Transmit IML
9. Verify IML-entries
10. Verify IML
11. Create Token
12. Return Token

Host State Verification (details)
- Card has a database of known good hashes (whitelist, KGDB)
- Look up each entry in the database; if it matches, extend the entry into the card's own check value
- Repeat until no more values are received or built-in limit is reached (usually limited by whitelist-size)
- Compare final check value to attested check value
- If matching, state verification successful, otherwise state undefined

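The replay described on this slide, as an added example that is not part of the original presentation. Assumptions: each IML entry is reduced to a 20-byte SHA-1 digest, the check value follows TPM 1.2 PCR extend semantics, and all names, the entry limit and the sample data are illustrative.

```python
import hashlib
import hmac

PCR_INIT = bytes(20)   # assumption: check value starts as 20 zero bytes (TPM 1.2 PCR style)
MAX_ENTRIES = 64       # assumption: the card's built-in entry limit


def extend(check_value: bytes, entry: bytes) -> bytes:
    """PCR-style extend: new = SHA-1(old || entry)."""
    return hashlib.sha1(check_value + entry).digest()


def tpm_check_value(measured):
    """Host side (simulated TPM): every measurement is extended, known or not."""
    value = PCR_INIT
    for entry in measured:
        value = extend(value, entry)
    return value


def verify_iml(iml, kgdb, attested, limit=MAX_ENTRIES):
    """Card side: replay the IML against the whitelist, then compare check values.

    Returns ("verified", []) or ("undefined", entries missing from the KGDB).
    """
    own, unknown = PCR_INIT, []
    for entry in iml[:limit]:
        if entry in kgdb:
            own = extend(own, entry)   # known good: extend own check value
        else:
            unknown.append(entry)      # not whitelisted: never extended
    matches = hmac.compare_digest(own, attested)
    return ("verified" if matches else "undefined", unknown)


# Constructed sample data: SHA-1 digests standing in for measured files.
INIT, SSHD, VPN, ROGUE = (hashlib.sha1(name).digest()
                          for name in (b"init", b"sshd", b"vpn-client", b"rogue"))
KGDB = {INIT, SSHD, VPN}
CLEAN = [INIT, SSHD, VPN]
TAINTED = [INIT, SSHD, ROGUE, VPN]

if __name__ == "__main__":
    print(verify_iml(CLEAN, KGDB, tpm_check_value(CLEAN))[0])      # clean host
    print(verify_iml(TAINTED, KGDB, tpm_check_value(TAINTED))[0])  # unknown entry reported
    print(verify_iml(CLEAN, KGDB, tpm_check_value(TAINTED))[0])    # IML with an entry left out
```

The third call shows why a lying endpoint gains nothing by leaving an entry out of the transmitted IML: the TPM-held check value still covers it, so the card's replay cannot reproduce the attested value.
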
Platform Verification Certificate (PVC)
[Figure: Platform Verification Certificate (PVC). Field labels shown: Attestation, Attestation Type, Database Version, Timestamp, Version, Smart card ID-key_pub, Host AIK_pub, Token Authority Signature.]

Modified IKE with PVC-integration
[Figure: Verification Process of a Platform Verification Certificate (PVC). Sequence diagram between Host, TPM, SC and AP. Messages and actions in diagram order:]
1. HDR, KE_Host, SA_Host, Nonce_Host
2. HDR, KE_AP, SA_AP, Nonce_AP, PVCREQ
3. StoreToPCR(AUTH-Info)
4. RequestAttestation(Nonce_AP)
5. Sig_AIK(AUTH-Info, Nonce_AP)
6. SigningRequest(Attestation)
7. Sig_SC-ID(Attestation, Timestamp_SC), Timestamp_SC
8. PVCAUTH = Attestation, Sig_SC-ID, Timestamp
9. HDR, SK(ID_Host, PVC, [CERTREQ/PVCREQ], [ID_AP], PVCAUTH, SA_Host2, TS_Host, TS_AP)
10. Verify PVCAUTH
11. HDR, SK(ID_Host, [PVC/CERT], [PVC]AUTH, SA_AP2, TS_Host, TS_AP)

PVC Evaluation at the Access Point
- Verify the PVC’s integrity and origin (i.e. check signature)
- Make sure the PVC and the identities in the PVC are valid, i.e. deal with revocation
- Policy check: attestation type, version and database allowed for this user (SC-ID) and platform (AIK)?
- Verify PVCAUTH: challenged party is in control of the platform and identity in the PVC

Technical Limitations
- Trusted Software Stacks (TrouSerS, jTSS) do not support all operations correctly yet
- Communicating TPM-information to platforms without TSS (e.g. JavaCards) is hard to implement
- Java card connected not available yet, prototype not usable
- Simulator and card-proxy used to simulate JavaCard

Next
1. Introduction
2. System design
3. Evaluation
4. Conclusion
