Trusted Platform Module
Dries Schellekens, COSIC, KU Leuven

Nomenclature: Trusted versus trustworthy
RFC 4949 (Internet Security Glossary)
• Trust: A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system will not fail or (b) that the system meets its specifications (i.e., that the system does what it claims to do and does not perform unwanted functions).
• Trusted system: A system that operates as expected according to design and policy, doing what is required – despite environmental disruption, human user and operator errors, and attacks by hostile parties – and not doing other things.
• Trustworthy system: A system that not only is trusted, but also warrants that trust because the system’s behavior can be validated in some convincing way, such as through formal analysis or code review.
Trusted Platform Module, Dries Schellekens, COSIC Slide 3
Alternative definitions
• NSA definition
  o Trusted: System or component whose failure can break the security policy (TCB = Trusted Computing Base).
  o Trustworthy: System or component that will not fail with respect to the security policy.
• TCG definition
  o “An entity can be trusted if it always behaves in the expected manner for the intended purpose.”
• Some people now regret the name Trusted Computing
  o Trustworthy Computing or maybe Trustable Computing could be a better title, but it is too late to change.

Motivation: Establish trustworthiness in distributed IT systems
Classic attacks on online banking
• Attack on network communication (figure: the user’s message “transfer €50 to Pela” reaches the bank as “transfer €10000 to Criminal”)
• Impersonation attack (figure: “transfer €10000 to Criminal”)

Modern attacks on online banking
• Phishing attack (figure: the user intends “transfer €50 to Bob”; the bank receives “transfer €1000 to Criminal”)
• Man-in-the-browser attack (figure: the user enters “transfer €50 to Bob”; the browser submits “transfer €1000 to Criminal”)
Trusted Computing to the rescue
• Trusted computing platforms support
  o Verification of software executing on remote platform
  o Binding of data to specific platform state
• Applications
  o Online banking
  o Multiplayer game
  o Remote access to corporate network
  o Digital/Enterprise rights management
  o …

Milestones of Trusted Computing
• 1999: Trusted Computing Platform Alliance (TCPA) founded by
• Feb. 2002: Trusted Platform Module (TPM) 1.1b specification published
• April 2003: (TCG) formed as successor for TCPA
• Oct. 2003: TPM 1.2 specification published
• 2006: 20+ million TPMs sold
• Jan. 2007: TPM supported by BitLocker drive encryption in
• June 2007: Mobile Trusted Module (MTM) 1.0 specification published
• May 2009: TPM 1.2 specification adopted as ISO/IEC 11889 standard
• 2011: 500+ million TPMs sold
• Oct. 2012: Improved TPM support in
• March 2013: TPM 2.0 library specification published
Technical overview
TCG components
• Core Root of Trust for Measurement (CRTM)
  o Immutable software component that executes upon a host platform reset
  o Platform dependent: BIOS for PC and EFI for Server
• Trusted Platform Module (TPM)
  o Hardware component that provides a set of fixed cryptographic and security functions
  o (Originally) intended to be platform agnostic
• Trusted Software Stack (TSS)
  o Issues low-level TPM commands and receives low-level TPM responses on behalf of high-level applications

Core Root of Trust for Measurement
• Immutable portion of the host platform’s initialization code that is executed upon a host platform reset
• Trust in measurement of platform configuration is based on the integrity of the CRTM
• On PC platform
  o CRTM = BIOS boot block
    • Rest of BIOS is measured in authenticated boot process
  o CRTM = Entire BIOS
    • BIOS Flash memory must be protected against unauthorized reprogramming
• TCG has specifications for
  o Conventional BIOS
  o EFI (Extensible Firmware Interface) BIOS

Trusted Platform Module
• Design goals: Simple, thus cheap (< $1) and hopefully free of bugs
  o Low performance (no crypto accelerator)
• Smartcard-like cryptographic coprocessor
  o Small set of cryptographic functions
    • Key generation, signing, encryption (RSA), hashing (SHA-1), HMAC
  o Hardware random number generator (RNG)
• Additional features
  o Authenticated boot (integrity measurement)
  o Remote attestation (integrity reporting)
  o Sealed storage
• Securely bound to the rest of the platform
• 500+ million TPMs (mainly 1.2) sold today
TPM hardware architecture
[Figure: chip layout of an Infineon TPM 1.2 with the EEPROM, SRAM, ROM, µC and RSA blocks labelled; Christopher Tarnovsky (Black Hat 2010)]

TPM hardware architecture
• Microcontroller (µC) with RSA coprocessor and RNG
• ROM: Firmware for microcontroller
  o SHA-1 and HMAC typically in software
• SRAM: Volatile memory
  o Key slots: load external keys
  o Platform Configuration Registers (PCR): store integrity measurements (24 x 160 bit)
• EEPROM: Non-volatile memory
  o Endorsement Key (EK) uniquely identifies TPM
  o Storage Root Key (SRK) encrypts other keys maintained by TPM
  o Owner’s authorization data (password)
  o Monotonic counters (4 x 32 bit)
  o NVRAM: small amount of freely programmable memory
• I/O interface
  o PC Client: Low-Pin Count (LPC) bus
  o Embedded: I2C or System Management Bus (SMBus)

Integration of TPM into PC platform
[Figure: PC platform block diagram. The Central Processing Unit (CPU) connects over the Front Side Bus (FSB) to the Graphics and Memory Controller Hub (GMCH), which serves the graphics controller, system memory and expansion cards; the I/O Controller Hub (ICH) serves the hard disk interface, network, USB and the LPC bus, on which sit the Super I/O (parallel port, serial port, floppy, PS/2), the BIOS Flash and the TPM. LPC = Low Pin Count, FSB = Front Side Bus]
TCG functionality
• Authenticated boot
  o Logging of boot sequence
• Remote attestation
  o Report boot sequence to third party
• User management
  o Balance the interest of different parties (user, owner, …)
• Key management
  o Maintain cryptographic keys and control usage/access
  o Sealed storage: restrict access based on specific boot sequence
• Other features
  o RNG, clock, monotonic counter, …

Authenticated boot
• Synonym: measured boot or trusted boot
• Transitive chain of trust: CRTM → BIOS → Boot Loader → Operating System → Application (figure: each component measures the next before passing control; the TPM holds the PCR and the SML accumulates M_BIOS, M_BL, M_OS, M_App)
  1. “Measure” integrity of next component: M_X = Hash(X)
  2. Store measurement value M_X in SML
  3. Extend measurement value M_X in PCR: PCR_new = Hash(PCR_old, M_X)
  4. Execute/pass control to next component
• PCR = Platform Configuration Register, SML = Stored Measurement Log
Difference with secure boot
• Secure boot
  o Boot process is halted when untrusted software is loaded
  o Only execute code that is signed by the device manufacturer or a certified software vendor
  o Examples: game consoles, smart phones, TV set-top box
• Authenticated boot
  o TPM is passive and only records the boot process
  o Platform can still load arbitrary software, like with a traditional open platform (e.g., PC)
  o Enforcement of “good” configurations has to be done separately
    • Remote attestation is used to grant/deny access to network service
    • Sealed storage is used to grant/deny access to locally stored secret
• Warning: UEFI Secure Boot is coming to PC with Windows 8

Remote attestation
• Remote attestation: challenge-response protocol between a verifier and the platform (figure)
  o Verifier → Platform: nonce
  o Platform → Verifier: cert_AIK, Sign_AIK(nonce, PCR), SML
• TPM identities
  o Endorsement Key (EK): uniquely identifies TPM
  o Attestation Identity Key (AIK): pseudonym
• AIK certification by a Privacy CA (figure)
  o TPM → Privacy CA: Cert_EK, AIK
  o Privacy CA → TPM: Enc_EK(cert_AIK)

Direct anonymous attestation (DAA)
• TPM may have multiple AIKs
  o Best case: different AIK for every service provider
• Practical issues with Privacy CA
  o Trusted third party is hard to find and expensive to maintain
  o Evidence: no commercial privacy CA at the moment
  o Privacy CA can link pseudonyms
• TPM 1.2 defines alternative solution to certify AIKs
  o Direct Anonymous Attestation: zero-knowledge protocol
    • Unlinkability of TPM transactions
    • No privacy CA needed
  o TPMs can only be recognized if
    • Their internal DAA secrets are exposed
    • They try to identify too often in a short period
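The four authenticated-boot steps and the challenge-response above, as an added Python example that is not part of the original slides: a constructed boot chain is measured into a simulated 160-bit PCR and SML, and a verifier checks the quote's nonce, replays the SML against the reported PCR, and applies a known-good policy. Assumptions: the AIK's RSA signature is stood in for by an HMAC under a shared key so the example runs offline, and the component images, names and known-good values are made up.

```python
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 20  # a TPM 1.2 PCR is 160 bits and reads all-zero after reset

def measure(component: bytes) -> bytes:
    return hashlib.sha1(component).digest()  # step 1: M_X = Hash(X), SHA-1 as in TPM 1.2

def extend(pcr: bytes, m_x: bytes) -> bytes:
    return hashlib.sha1(pcr + m_x).digest()  # step 3: PCR_new = Hash(PCR_old || M_X)

def authenticated_boot(chain):
    """Steps 1-4 for each component: measure, append to the SML, extend the PCR."""
    pcr, sml = PCR_INIT, []
    for name, code in chain:
        m_x = measure(code)
        sml.append((name, m_x))   # step 2: Stored Measurement Log kept outside the TPM
        pcr = extend(pcr, m_x)    # step 3: order-dependent, so entries cannot be reordered
    return pcr, sml

def tpm_quote(aik_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    # Sign_AIK(nonce, PCR). Assumption: HMAC stands in for the AIK's RSA signature.
    return hmac.new(aik_key, nonce + pcr, hashlib.sha256).digest()

def verify_attestation(aik_key, nonce, pcr, quote, sml, known_good) -> bool:
    """Verifier side: freshness/authenticity, then SML replay, then whitelist policy."""
    if not hmac.compare_digest(tpm_quote(aik_key, nonce, pcr), quote):
        return False                       # wrong AIK, or a quote replayed under an old nonce
    replayed = PCR_INIT
    for _, m_x in sml:
        replayed = extend(replayed, m_x)
    if replayed != pcr:
        return False                       # SML was edited: it no longer reproduces the PCR
    return all(m_x in known_good for _, m_x in sml)

def demo():
    """Constructed boot chain (all inputs are made up) and three verifier outcomes."""
    chain = [("BIOS", b"bios-v1"), ("BootLoader", b"bootloader-v2"), ("OS", b"kernel-v3")]
    known_good = {measure(code) for _, code in chain}
    aik, nonce = b"constructed-aik-key", secrets.token_bytes(20)
    pcr, sml = authenticated_boot(chain)
    quote = tpm_quote(aik, nonce, pcr)
    ok = verify_attestation(aik, nonce, pcr, quote, sml, known_good)
    # An extra module was loaded and its SML entry deleted: the PCR replay exposes the gap.
    bad_pcr, bad_sml = authenticated_boot(chain + [("Rootkit", b"evil-module")])
    hidden = verify_attestation(aik, nonce, bad_pcr, tpm_quote(aik, nonce, bad_pcr), bad_sml[:-1], known_good)
    # The same quote presented again for a new challenge fails the freshness check.
    stale = verify_attestation(aik, secrets.token_bytes(20), pcr, quote, sml, known_good)
    return ok, hidden, stale
```

`demo()` returns `(True, False, False)`: the honest platform passes, while both the edited log and the replayed quote are rejected.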