TRUSTED PLATFORM MODULE
INTRODUCTION
• The Trusted Platform Module (TPM) is an international
standard for a secure crypto-processor.
• The TPM technical specification was written by a computer
industry consortium called the Trusted Computing Group
(TCG).
• The International Organization for Standardization (ISO) and
the International Electro-technical Commission (IEC)
standardized the specification as ISO/IEC 11889 in 2009.
2 of 36
ABBREVIATIONS
• TPM – Trusted Platform Module
• TCG – Trusted Computing Group
• TCB – Trusted Computing Base
• BIOS – Basic Input-Output System
• EK – Endorsement Key
• SRK – Storage Root Key
• PCR – Platform Configuration Register
• AIK – Attestation Identity Key
• ROT – Root of Trust
• CRTM – Core Root of Trust
• RTM – Root of Trust for Measurement
• RTR – Root of Trust for Reporting
• RTS – Root of Trust for Storage
• MBR – Master Boot Record
• GRUB – Grand Unified Boot Loader
• DRM – Digital Rights Management

TRUSTED COMPUTING GROUP
• The Trusted Computing Group (2003), successor to the Trusted
Computing Platform Alliance (TCPA)
• An initiative started by AMD, Cisco, Hewlett-Packard, IBM, Intel,
Microsoft and Wave Systems Corp.
• TCG is a non-profit organization formed to develop, define, and promote
open standards for hardware-enabled trusted computing and security
technologies, including hardware building blocks and software interfaces
across multiple platforms
• Promoters + Contributors + Adopters = 108
TRUSTED COMPUTING BASE
(Diagram with layers: Trusted Computing Base, Trusted Computing Environment, Applications)
TRUSTED COMPUTING
• The computer will consistently behave in expected ways, and those
behaviors will be enforced by computer hardware and software
• Enforcing this behavior is achieved by loading the hardware with a unique
encryption key inaccessible to the rest of the system
• TC is controversial as the hardware is not only secured for its owner, but
also secured against its owner

FUNDAMENTAL TRUSTED COMPUTING
FUNCTIONALITY
• A mechanism is required to record (measure) what software
is/was running
• Requires monitoring the boot process
• Needs an anchor to start the measurement from: a Root of Trust
• Nobody should be able to modify or forge these measurements
• Some shielded location for the measurements is required

FUNDAMENTAL TRUSTED COMPUTING
FUNCTIONALITY
• Now you know that your platform is in a defined state
• Why should someone else believe this claim?
• A mechanism to securely report the measurements to a 3rd party is
required
• Secure storage
• Allow access to data only if system is in a known state

• Cost-efficient implementation and production

TPM SPECIFICATION
TPM Specifications for 1.2:
• Design Principles
• TPM Structures
• TPM Commands
• Compliance

TCG Doc. ROADMAP

TPM
• The TPM is a platform component
• NOT a platform all by itself
• TPM becomes a permanent component of the platform
• The TPM is NOT an active component, always a responder to a request and
never initiates an interrupt or other such operation
• TPM cannot alter execution flow of system (e.g. booting, execution of
applications)

TPM: CHANGES TO PC
• Extra hardware
• TPM
• Single 33 MHz clock
• Software changes
• BIOS
• OS & Apps

TPM COMPONENTS

PLATFORM CONFIGURATION REGISTERS
• There are at least 16 PCRs in a TPM.
• They store platform configuration measurements.
• These measurements are normally hash values (SHA-1) of entities
(applications) running on the platform.
• PCRs cannot be written directly; data is stored by a process called
extending the PCR.
• PCR_new = SHA-1(PCR_old || measurement)
• PCR extends are not commutative: the order of the measurements matters
• PCRs initialized to default value (e.g. 0) at boot time
• After boot, PCRs contain hash chain of booted software
INTEGRITY MEASUREMENT WITH TPM
• A measures entity B (could be an executable or other files ...). The
result is B's "fingerprint".
• This fingerprint is stored in a Stored Measurement Log (SML)
which resides in the hard drive (outside, and not protected by a
TPM).
• A then inserts B's fingerprint into a PCR (via the PCR's extend
operation).
• Control is passed to B.
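Added example (written for this page, not code from the slides) modelling the two slides above in Python: a measured boot that extends a PCR and appends to the unprotected SML, a verifier that replays the log, and a check that extends do not commute. The component names and image bytes are constructed stand-ins.

```python
import hashlib

PCR_INIT = b"\x00" * 20  # every PCR is reset to 20 zero bytes at boot

def measure(entity: bytes) -> bytes:
    """A measures B: B's fingerprint is the SHA-1 digest of B's bytes."""
    return hashlib.sha1(entity).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || measurement); the only way to change a PCR."""
    return hashlib.sha1(pcr + measurement).digest()

def measured_boot(chain):
    """Each stage measures the next, logs the fingerprint in the SML (on disk,
    outside the TPM) and extends the PCR before handing over control."""
    pcr, sml = PCR_INIT, []
    for name, image in chain:
        fingerprint = measure(image)
        sml.append((name, fingerprint.hex()))   # unprotected log entry
        pcr = extend(pcr, fingerprint)          # protected: only extend changes it
    return pcr, sml

def replay_sml(sml):
    """A verifier recomputes the expected PCR value from the log alone."""
    pcr = PCR_INIT
    for _, fingerprint_hex in sml:
        pcr = extend(pcr, bytes.fromhex(fingerprint_hex))
    return pcr

def extends_commute(a: bytes, b: bytes) -> bool:
    """True only if extending a then b gives the same PCR as b then a."""
    return extend(extend(PCR_INIT, a), b) == extend(extend(PCR_INIT, b), a)

# Constructed stand-ins for boot components; real images are much larger.
CLEAN_KERNEL = b"vmlinuz-5.x (constructed sample)"
MODIFIED_KERNEL = b"vmlinuz-5.x (constructed sample, patched by attacker)"

def demo():
    good_pcr, good_sml = measured_boot([("BIOS", b"bios-rom-image"),
                                        ("GRUB", b"grub-stage2-image"),
                                        ("kernel", CLEAN_KERNEL)])
    # A boot that loaded a modified kernel, whose SML was afterwards edited to
    # show the clean kernel's fingerprint. The PCR cannot be edited that way.
    bad_pcr, bad_sml = measured_boot([("BIOS", b"bios-rom-image"),
                                      ("GRUB", b"grub-stage2-image"),
                                      ("kernel", MODIFIED_KERNEL)])
    forged_sml = bad_sml[:-1] + [("kernel", measure(CLEAN_KERNEL).hex())]
    return {
        "honest_log_matches_pcr": replay_sml(good_sml) == good_pcr,
        "forged_log_matches_pcr": replay_sml(forged_sml) == bad_pcr,
        "order_matters": not extends_commute(measure(b"x"), measure(b"y")),
        "modified_kernel_changes_pcr": bad_pcr != good_pcr,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```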
TRUSTED BOOT

ROOTS OF TRUST
• Root of Trust is a hardware or software mechanism that one implicitly trusts
• Root of Trust for Measurement (RTM)
• Uses Platform Configuration Registers (PCR) to record the state of a system
• Static entity like the PC BIOS

• Root of Trust for Reporting (RTR)
• Entity trusted to report information accurately and correctly
• Uses PCRs and RSA signatures to report the platform state to external parties in an
unforgeable way

• Root of Trust for Storage (RTS)
• Entity trusted to store information without interference or leakage
• Uses PCR and RSA encryption to protect data and ensure that data can only be accessed if
platform is in a known state

ROOT OF TRUST FOR MEASUREMENT
• Involved steps:
• Measure (compute the hash value of) the next entity: e.g. the
BIOS measures the OS loader
• The measurement is extended into one of the TPM's PCRs
• Control is passed to the measured entity
• This process is continued for all components of a system up to
user level applications
• Measurements change with system updates and patches

ROOT OF TRUST FOR REPORTING
• Endorsement Key (EK) forms the RTR
• Private part never leaves the TPM (only exists in shielded location)
• EK is unique for every TPM and therefore uniquely identifies a
TPM
• The EK is backed by an EK certificate typically issued by the TPM
manufacturer
• The EK certificate guarantees that the key actually is an EK and is
protected by a genuine TPM
ROOT OF TRUST FOR STORAGE
• Two approaches
• Without using PCR: bind/unbind
• With using PCR: seal/unseal

• Binding
• Happens outside of the TPM
• Encrypt data with the public part of a TPM key
• Only the TPM that the key pair belongs to can decrypt the data and private key can
only be used inside the TPM
• To bind to a specific TPM, use a non-migratable binding key (migratable keys can
also be used)

• Unbinding
• Decryption of bound data inside the TPM using the private key
TPM KEYS
• Storage Root Key (SRK)
• 2048-bit RSA key
• Top-level element of the TPM key hierarchy
• Created during take ownership
• Non-migratable, stored inside the chip, can be removed

• Storage Keys
• RSA keys used to wrap (encrypt) other elements in the TPM key hierarchy
• Created during user initialization

• Signature Keys
• RSA keys used for signing operations
• Must be a leaf in the TPM key hierarchy
KEY CONCEPTS
• Endorsement key
• Secure input and output
• Memory curtaining / protected execution
• Sealed storage
• Remote attestation

ENDORSEMENT KEY
• The endorsement key is a 2048-bit RSA public and private key
pair
• Created randomly on the chip at manufacture time
• Non-migratable, stored inside the chip, cannot be removed
• It is never used for encryption or signing

SECURE INPUT AND OUTPUT
• Secure I/O provides a secure hardware path from the keyboard
to an application
• From the application back to the screen.
• No other software running on the same PC will be able to
determine what the user typed, or how the application
responded.

MEMORY CURTAINING
• Memory curtaining extends common memory protection
techniques to provide full isolation of sensitive areas of
memory
• Even the operating system does not have full access to
curtained memory
• The exact implementation details are vendor specific

SEALED STORAGE
• Sealed storage protects private information by binding it to
platform configuration information including the software and
hardware being used
• Data can be released only to a particular combination of
software and hardware
• Embedding PCR values in blob ensures that only
certain apps can decrypt data
• Messing with MBR or OS kernel will change PCR values
SEALED STORAGE
• Encrypt data using an RSA key on the TPM
• TPM_Seal (some) arguments:
• keyhandle: which TPM key to encrypt with
• KeyAuth: password for using key `keyhandle`
• PcrValues: PCRs to embed in the encrypted blob
• data block: at most 256 bytes (2048 bits)
• Used to encrypt a symmetric key (e.g. AES)

• Returns encrypted blob.

• Blob can only be decrypted with TPM_Unseal when:
• PCR register values = PCR values in the blob.

• TPM_Unseal will fail otherwise
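Added example (not the slides' or TCG's code) of the TPM_Seal / TPM_Unseal semantics described on the two sealed-storage slides: a software TPM seals a symmetric key to PCRs 4 and 8 and refuses to unseal it after a reboot with a different kernel measurement. The chip-resident RSA storage key is stood in for by a secret only the simulated TPM holds, and the RSA encryption by a SHA-256 counter keystream plus HMAC tag, so that the file runs offline; PCR choices and measured strings are constructed.

```python
import hashlib
import hmac
import os

def pcr_composite(pcrs, indices):
    """Digest of the selected PCRs; this is what gets embedded in the blob."""
    h = hashlib.sha1()
    for i in indices:
        h.update(pcrs[i])
    return h.digest()

def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy cipher standing in for RSA)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]

class SimTpm:
    def __init__(self):
        self._srk = os.urandom(32)                 # private part never leaves the "chip"
        self.pcrs = [b"\x00" * 20 for _ in range(16)]

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()

    def seal(self, pcr_indices, data: bytes) -> dict:
        """TPM_Seal: encrypt data (<= 256 bytes) and record the PCRs it needs."""
        if len(data) > 256:
            raise ValueError("TPM_Seal data block is at most 256 bytes")
        expected = pcr_composite(self.pcrs, pcr_indices)
        key = hmac.new(self._srk, expected, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"pcrs": tuple(pcr_indices), "composite": expected, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        """TPM_Unseal: release data only if the live PCRs equal the sealed ones."""
        if pcr_composite(self.pcrs, blob["pcrs"]) != blob["composite"]:
            raise PermissionError("TPM_Unseal: PCR values do not match the blob")
        key = hmac.new(self._srk, blob["composite"], hashlib.sha256).digest()
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            raise PermissionError("TPM_Unseal: blob has been tampered with")
        return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))

def demo():
    tpm = SimTpm()
    tpm.extend(4, hashlib.sha1(b"clean MBR (constructed)").digest())
    tpm.extend(8, hashlib.sha1(b"clean kernel (constructed)").digest())
    aes_key = os.urandom(32)                        # the usual thing to seal
    blob = tpm.seal([4, 8], aes_key)
    unsealed_ok = tpm.unseal(blob) == aes_key
    # Reboot with a modified kernel: PCR 8 ends up holding a different value.
    tpm.pcrs = [b"\x00" * 20 for _ in range(16)]
    tpm.extend(4, hashlib.sha1(b"clean MBR (constructed)").digest())
    tpm.extend(8, hashlib.sha1(b"modified kernel (constructed)").digest())
    try:
        tpm.unseal(blob)
        after_change = "released"
    except PermissionError:
        after_change = "refused"
    return unsealed_ok, after_change

if __name__ == "__main__":
    print(demo())
```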
REMOTE ATTESTATION
• Remote attestation allows changes to the user's computer to be
detected by authorized parties
• Good applications:
• Bank allows money transfer only if customer’s machine runs “up-to-date”
OS patches.
• Enterprise allows laptop to connect to its network only if laptop runs
“authorized” software
• Quake players can join a Quake network only if their Quake client is
unmodified.

• DRM:

• Music Stores sell content for authorized players only.
REMOTE ATTESTATION- HOW IT WORKS
• Recall: EK private key on TPM.
• Cert for EK public-key issued by TPM vendor.

• Step 1: Create Attestation Identity Key (AIK)
• AIK Private key known only to TPM
• AIK public cert issued only if EK cert is valid

REMOTE ATTESTATION- HOW IT WORKS
• Step 2: sign PCR values (after boot)
• Call TPM_Quote; (some) arguments:
• keyhandle: which AIK key to sign with
• KeyAuth: password for using key `keyhandle`
• PCR List: which PCRs to sign.
• Challenge: 20-byte challenge from remote server
• Prevents replay of old signatures.
• Userdata: additional data to include in the signature.

• Returns signed data and signature.
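Added example (not from the slides or any TCG document) of the Step 2 exchange: the simulated TPM answers TPM_Quote over PCR 8 with a 20-byte challenge, and the remote verifier checks the signature, rejects a replayed quote because its challenge was already consumed, and rejects a quote whose PCR no longer matches the enrolled value. The AIK's RSA signature is stood in for by an HMAC under an AIK secret that, for this offline model, both sides hold; a real verifier would check an RSA signature against the AIK certificate. Measured strings are constructed.

```python
import hashlib
import hmac
import os

def pcr_composite(pcr_values):
    """SHA-1 over the selected PCR values in list order."""
    return hashlib.sha1(b"".join(pcr_values)).digest()

class SimTpm:
    def __init__(self, aik_secret: bytes):
        self._aik = aik_secret                    # AIK private part, TPM-only
        self.pcrs = [b"\x00" * 20 for _ in range(16)]

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()

    def quote(self, indices, challenge: bytes, userdata: bytes = b"") -> dict:
        """TPM_Quote: sign the selected PCRs together with the fresh challenge."""
        if len(challenge) != 20:
            raise ValueError("TPM_Quote takes a 20-byte challenge")
        values = [self.pcrs[i] for i in indices]
        signed = b"QUOT" + pcr_composite(values) + challenge + userdata
        return {"indices": tuple(indices), "pcrs": values, "userdata": userdata,
                "sig": hmac.new(self._aik, signed, hashlib.sha256).digest()}

class Verifier:
    def __init__(self, aik_secret: bytes, golden: dict):
        self._aik = aik_secret      # stands in for the AIK public key / cert
        self.golden = golden        # PCR index -> expected value
        self._outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = os.urandom(20)
        self._outstanding.add(c)
        return c

    def check(self, q: dict, challenge: bytes) -> str:
        if challenge not in self._outstanding:
            return "replay"                       # stale or never-issued nonce
        self._outstanding.discard(challenge)      # each challenge is single use
        expected = b"QUOT" + pcr_composite(q["pcrs"]) + challenge + q["userdata"]
        if not hmac.compare_digest(hmac.new(self._aik, expected, hashlib.sha256).digest(), q["sig"]):
            return "bad signature"                # reported PCRs or nonce altered
        if any(v != self.golden[i] for i, v in zip(q["indices"], q["pcrs"])):
            return "unexpected state"
        return "ok"

def demo():
    aik = os.urandom(32)
    tpm = SimTpm(aik)
    tpm.extend(8, hashlib.sha1(b"approved kernel (constructed)").digest())
    verifier = Verifier(aik, {8: tpm.pcrs[8]})   # enrol the known-good value
    c1 = verifier.challenge()
    q1 = tpm.quote([8], c1)
    first = verifier.check(q1, c1)
    replayed = verifier.check(q1, c1)             # same quote presented again
    tpm.extend(8, hashlib.sha1(b"unsigned driver (constructed)").digest())
    c2 = verifier.challenge()
    changed = verifier.check(tpm.quote([8], c2), c2)
    return first, replayed, changed

if __name__ == "__main__":
    print(demo())
```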
MISCONCEPTIONS CLARIFIED
• The TPM does not measure, monitor or control anything
• The TPM is a passive device in the system
• The TPM has no way of knowing what was measured
• Measurements are made by host software and sent to the TPM

• TPM does not perform bulk encryption
• (e.g. File and Folder encryption or Full Disk encryption)

• Digital Rights Management (DRM) is not a goal of TCG specifications
• No technical aspects of DRM are inherent in the TPM

• TPM can work with any operating system or application software
• The specification is open and the API is defined; there are no TCG secrets
BENEFITS
• Enhance confidence in platform
• Proof that a platform is a Trusted Platform
• Binding of data to a particular platform
• Sealing data to a trusted system state/configuration
• Owner privacy and control
• Secure boot
• Low cost exportable technology
CRITICISM
• Digital rights management
• Users unable to modify software
• Users have no control over data
• Users unable to exercise legal rights
• Users vulnerable to vendor withdrawal of service
• Users unable to override

STANDARDIZATION
• JTC1, a joint committee of the International Organization for
Standardization, or ISO, and IEC, the International Electrotechnical
Commission, has accepted and published the Trusted Computing
Group Trusted Platform Module specification Version 1.2 as
ISO/IEC standard 11889.
• Abstract
• ISO/IEC 11889 defines the Trusted Platform Module (TPM), a device that enables
trust in computing platforms in general. ISO/IEC 11889-1:2009 is an overview of
the TPM. It describes the TPM and how it fits into the trusted platform. ISO/IEC
11889-1:2009 describes trusted platform concepts such as the trust boundary,
transitive trust, integrity measurement, and integrity reporting.
THANK YOU
