Trusted Computing Platform Alliance

David Grawrock

Security Architect

Desktop Architecture Labs

Intel Corporation

17 November 2014


Trusted Computing Platform Alliance

Agenda

  • Background

  • Attestation

  • Specification

  • What Is Next


Background

TCPA History

  • Established in spring 1999

  • Promoters are:

    • Compaq, IBM, Intel, HP and Microsoft

  • Membership over 160 companies

  • Web site

    • http://www.trustedpc.org/


Background

TCPA Technical Challenge

To maintain the privacy of the platform owner while providing a ubiquitous interoperable mechanism to validate the identity and integrity of a computing platform

TCPA provides the base for reporting identity and integrity


Attestation

Are You A Dog?

  • On the Internet no one knows you are a dog

  • On the Internet no one knows if you have a proper configuration


Attestation

Attestation Definition

  • “To affirm to be true, correct or genuine” [1]

  • Cryptographic proof of information regarding the platform

  • Information that could be attested to includes:

    • HW on platform

    • BIOS

    • Configuration options

    • And much more

[1] American Heritage Dictionary


Attestation

Attestation Promise

  • TCPA never lies about the state of measured information

  • This requires

    • Accurate measurement

    • Protected storage

    • Provable reporting of measurement

TCPA defines an attestation device


Specification

Specifications Available

  • Main specification defines Trusted Platform Module (TPM)

  • Definition is platform neutral

  • All commands to the TPM are defined

  • PC Specific specification defines how to implement on a PC platform

  • These specs are available on the web site


Specification

TPM Components

  • Generate and use RSA keys

  • Provide long-term protected storage of RSA root key

  • Store measurements in PCR

  • Use anonymous identities to report PCR status

[Diagram: TPM block with Non-Volatile Storage, Key Generation, Anonymous Identities, RNG, PCR, RSA, Opt-In]

TPM definition is complete


Trusted Computing Platform Alliance

Summary

  • TCPA provides the base for reporting identity and integrity

  • TCPA defines an attestation device

  • TPM definition is complete


Trusted Computing Platform Alliance

What Next?

  • Design platforms and applications for TPM use

  • Extend the trust and integrity of platforms




Functionality

Non-volatile Storage

  • The storage securely holds the endorsement key (EK)

  • Each TPM has a unique EK

  • The endorsement key must be protected from both exposure and improper use

  • In addition to the EK, some flags are kept in non-volatile storage


Functionality

Key Generation

  • The TPM can generate RSA keys

  • Default size 2048 bits

  • Other algorithms possible

  • The keys can be used for signing / verification or encryption / decryption

  • Use of key must be specified at creation time

  • There is no requirement on how long or how short a time key generation takes


Functionality

Anonymous Identities

  • All operations attesting to the TPM use an anonymous identity rather than the EK

  • An anonymous identity certifies that the key came from A TPM, not WHICH TPM

  • The devil is in the details; see the main spec


Functionality

Random Number Generator

  • All TPMs must have an RNG

  • Implementation is manufacturer specific

  • The specification asks for, but does not require, FIPS evaluation of the RNG

  • The RNG output is used internally by the TPM and is also offered to outside consumers of randomness


Functionality

PCR Registers

  • The TPM has a minimum of 16 Platform Configuration Registers (PCRs)

  • The PCRs use the EXTEND operation to store measurements regarding the platform

  • PCR value = SHA(new value, old value)
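
The EXTEND operation on the slide above, worked through as an added example (not part of the original presentation): a verifier replays a measurement log and compares the result with reported PCR values. It assumes SHA-1 with 20-byte registers and the concatenation order old value followed by the digest of the new measurement, as in TPM 1.x; the slide itself names only "SHA". The event log and the helper names extend, replay and verify are constructed for illustration.

```python
import hashlib
import hmac

PCR_COUNT = 16   # the slide's minimum number of PCRs
PCR_SIZE = 20    # assumption: SHA-1, so 20-byte registers

def extend(old: bytes, measured: bytes) -> bytes:
    """EXTEND: new PCR = SHA-1(old PCR || SHA-1(measured data)) (assumed order)."""
    digest = hashlib.sha1(measured).digest()
    return hashlib.sha1(old + digest).digest()

def replay(log):
    """Recompute all PCRs from an event log of (pcr_index, measured_bytes)."""
    pcrs = [bytes(PCR_SIZE) for _ in range(PCR_COUNT)]  # registers start at zero
    for index, measured in log:
        pcrs[index] = extend(pcrs[index], measured)
    return pcrs

def verify(log, reported):
    """Return the PCR indices where the reported value disagrees with the log."""
    expected = replay(log)
    return [i for i in range(PCR_COUNT)
            if not hmac.compare_digest(expected[i], reported[i])]

# Constructed sample event log (not real firmware measurements).
BOOT_LOG = [
    (0, b"BIOS image v1"),
    (0, b"BIOS setup: defaults"),
    (1, b"option ROM A"),
    (4, b"boot loader"),
]

if __name__ == "__main__":
    reported = replay(BOOT_LOG)           # stands in for values a TPM would report
    print("clean log:", verify(BOOT_LOG, reported))
    # Same events for PCR 0, different order: the chained hash differs.
    swapped = [BOOT_LOG[1], BOOT_LOG[0]] + BOOT_LOG[2:]
    print("reordered:", verify(swapped, reported))
    # One measured component changed: only its PCR mismatches.
    tampered = BOOT_LOG[:3] + [(4, b"boot loader (modified)")]
    print("tampered:", verify(tampered, reported))
```

Because a PCR can only be extended and never written directly, a log that replays to the reported value fixes both the content and the order of what was measured.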


Functionality

RSA Engine

  • The TPM can encrypt and decrypt using RSA keys

  • The use of keys is segregated into signing or encryption uses

  • The TPM must handle RSA keys of 2048 bits in size


Functionality

Opt-In

  • The TPM has mechanisms that make the use of the TPM a complete Opt-In system

  • The Opt-In selections are maintained across power cycles, and the TPM can be deactivated


Version 1.0 TCPA Functional Layout

[Diagram labels: Requests; TPS; TPM]

  • TPS – Trusted Platform Subsystem

    • BIOS

    • Drivers

    • ALL operations come through TPS

  • TPM – Trusted Platform Module

    • Hardware

    • Microcode

    • Protected functionality

    • Shielded locations


Version 1.0 TCPA System Architecture

[Diagram labels: Application; OS / Driver; OS Present TPS Security API; Ring 0 Library; Middleware; OS Present; Ring 3 Library; TCPA Security Driver; BIOS; OS Absent; OS Absent TPS Security API; OS Absent Library; Hardware; TPM Hardware and Microcode]


Version 1.0 TCPA Software Architecture

[Diagram labels: Applications; CDSA; Existing Infrastructure; CSSM; CAPI; Other API; Modified Infrastructure; CSP; DL; TPS; TPS Interface; TPM; TPM Interface]


Version 1.0 Possible TPM Placement

[Diagram labels: CPU; System Memory; MCH; System Flash; ICH; LPC; TPM]

  • TPM connecting on LPC bus

    • TPM has low transaction volume, so bus speed is not an issue

  • Connection of TPM is vendor specific and not specified in the specification

Specification provides robust set of features

