Trusted Computing Chandana Praneeth Wanigasekera
PII • You can still retain control • Expiration • Remote destruction with little effort by the corporation who has the data • Force privacy policies
Descartes (1641) • Meditations on First Philosophy • Can we trust our senses? • What if everything we experience is a delusion created by an evil demon bent on deceiving us?
Interest • This is a question that has been weighing on Several computer companies • How do you know that your computer is actually what it seems? • Hackers and imitative programs • Sensitive information, keystrokes and complete control
Trust in other software • How can one program running on your computer trust another one? • What if the operating system has been subverted • Anti Virus • How would you warn the user?
Trust in you • Movie studios, recording companies, Health care providers [ legitimate right ] • Some information is given based on trust in you • Do you have control? • Real issues • Viruses • Trojans • Spyware • P2P networks
Implications • Implications for a P3P client • Alterations of policy • Lack of enforcement • Advantages of a trusted client and a trusted website component • Many implications on privacy of sensitive information
Trusted Computing Initiatives • Trusted Computing Platform Alliance • Trusted Computing Group • Microsoft, Intel, IBM, HP, AMD • Hardware + Software • Attempt to build a trusted platform
Foundation of Trust • Descartes • “A secure reliable bootstrap architecture” (1997) • Bill Arbaugh, Dave Farber, Jonathan Smith • Booting a machine into a known state • Early PC’s – ROM BIOS and no HDD • Digital Rights Management OS Patent by Microsoft • Paul England (Secure PC team leader)
Foundation of Trust • Ultimate aim is to end up in a known state • Need for a core root of trust module Known State Post boot Pre boot Core Root of Trust
Trusted Computing Platform Alliance • Mission“Through the collaboration of HW, SW, communications, and technology vendors, drive and implement TCPA specifications for an enhanced HW and OS based trusted computing platform that implements trust into client, server, networking, and communication platforms.” • Replaced by Trusted Computing Group, but the TCPA specification was adopted by TCG as their specification. • Patent licensing policy of TCG, all new work • Compaq, HP, IBM, Intel, Microsoft
Trusted Platform Module (TPM) v1.1 • The TPM is a collection of hardware, firmware and/or software that support the following protocols and algorithms: Algorithms: RSA, SHA-1, HMAC Random number generation Key generation Self Tests • The TPM provides storage for an unlimited number of private keys or other data using RSA
Secure storage in TPM • Seal and Unseal which are simply front-ends to RSA encrypt and decrypt • But sealing encrypts the platform configuration register (PCR) values with the data. Unique identifier tpmProof. • Conditions for unsealing data • Appropriate key is available • TPM PCR’s must contain the same values as during sealing (implicit key in PCR’s) • tpmProof must be the same as during encryption • Allows software to state the future configuration the platform must be for unsealing.
Additional operation: Unbind • Unbind decrypts a “blob” created outside the TPM where the private key is stored inside the TPM. • A blob is data + header information encrypted. • Seal jet Blue customer data • Can only be decrypted on the same platform • Removes the possibility of data being accessed by different machines
Types of keys • Storage Root Key – one for each TPM created at the request of the owner, migratable, unmigratable data • Signing keys – leaves of the storage root key hierarchy • Storage keys – used for the protected storage hierarchy only and Binding keys • Identity keys – used for TPM identity • Endorsement key pair – asymmetric key pair generated by or inserted in the TPM as proof that it is genuine. • One to one relationship between TPM and endorsement key • One to one relationship between TPM and platform • Endorsement key and platform
Encryption Algorithms • RSA algorithm (must) • RSA key sizes of 512, 1024, and 2048 bits. • The RSA public exponent must be e, where e = 216+1 • TPM storage keys must be equivalent to a 2048 bit RSA key • Secure Hash Algorithm (SHA) -1 hash algorithm(160 bits) – used in the early stages of the boot process (more complicated later?) • RSA for signature and verification • RNG capabilities -> only accessible to TPM commands • Key generation capabilities -> protected by a private key held in a shielded location
Self tests • Checks RNG • Checks Integrity Registers • Checks integrity of endorsement key pair by making it sign and verify a known value • Self checks the TPM microcode • Checks Tamper-resistance markers • On failure the part that failed enters shut down mode
Target of evaluation (TOE) • The new version of TCG will have TPM as a monitoring module and doesn’t actually control the boot process • Hardware, software and firmware that comprise the TPM • Identifies threats to the TOE: T.Attack, T.Bypass, T.Imperson, T.Malfunction etc…. • Each threat is explained and the objective is explained in the specification, eg. O.Attack • An example
T.Export • Threat description: A user or an attacker may export data without security attributes or with unsecure security attributes, causing the data exported to be erroneous and unusable, to allow erroneous data to be added or substituted for the original data, and/or to reveal secrets. • Objective (O.Export): When data are exported outside the TPM, the TOE shall ensure that the data security attributes being exported are unambiguously associated with the data. • Interesting use of “user or an attacker” here
T.Replay • Threat description: An unauthorized individual may gain access to the system and sensitive data through a “replay” or “man-in-the-middle” attack that allows the individual to capture identification and authentication data. • T.Replay is countered by O.Single_Auth, which states: The TOE shall provide a single use authentication mechanism and require re-authentication to prevent “replay” and “man-in-the-middle” attacks.
Software • Palladium - After the mythological statue that defended ancient Athens against invaders • Microsoft has discontinued use of the code name "Palladium." The new components being developed for the Microsoft® Windows® Operating System, are now referred to as the Next-Generation Secure Computing Base for Windows (NGSCB).
NGSCB • Seal and Unseal explained • Nexus Computing Agents(NCA)
Microsoft on applications • Bryan Willman: Suppose you run a pharmacy company. When you test a new drug, of course it's bad if someone has a bad reaction to the drug, but it's much worse if someone tampers with that data so that your results are skewed. That means it's critical that all test data is entered accurately and no one tampers with it. NGSCB ensures that those files can't be breached or modified in any way. • Here's another example. If you and your doctor and your pharmacist are communicating about a medical condition you have, you want to be sure that the information you exchange is confidential and true. Today you probably wouldn't want to do that online from your home computer because with all that software that you and your kids have loaded onto it, somewhere along they way it may have picked up a virus or two, so there's no way to know for sure how safe your information is. With NGSCB you use the right-hand side, and no matter what is happening on the left-hand side, you can be sure that the data passed between you and your doctor and your pharmacist hasn't been tampered with. • Microsoft has a separate research area called Trustworthy Computing which is more towards what we define as “trust”
Features described by Microsoft • Memory Curtaining • Secure Input and Output • Sealed Storage • Remote Attestation <- the scariest
Memory Curtaining • Strong hardware enforced memory isolation • Programs are not able to read or write each others memory • Not even the OS • Intruders have no access • Implementation in hardware permits the greatest backward compatibility with existing software, which is a goal
Secure I/O • Key loggers, screen grabbers • Music and movie industry would like this a lot • It will allow programs to determine if the input came from a user or from a different program • Would take out the case of a virus taking over the output from Anti Virus software • Good for privacy of data
Secure Storage • Similar to what we saw in the TCG specification • Addresses the failure of PC’s to store keys securely • No more .pwl’s • How can they be stored so that it’s only accessible to legitimate users? • Generates the key based on the software requesting the key and the platform that its running on at the time • No need to store the key, as the key can simply be recreated when it is needed • Imposes that sealed data can only be decrypted on one particular user platform + software combination • Is this a good thing?
Do you have control? • Moving files from your computer • What if you don’t like Excel anymore • Exporting Data to a different application is very hard • Adversary is the owner • License fee’s • Upgrades/Downgrades • Do you have a choice?
Remote Attestation • Most revolutionary of the features • Aims to allow detection of unauthorized changes to Software • Others need to be able to tell if your system is “compromised” • Protect a computer against it’s owner • A cryptographic certificate of the software running • Remote party can say if the version of software has been altered • Windows XP, Warcraft • No more cheating in Network Games
Advantages • Each feature can be used to prevent or mitigate real attacks on computers • Coding flaws in one application will not result in private data being accessed by a different application • P2P client + MS Word • Does not stop you from running harmful programs, just contains the area it runs in • NGSCB itself will not inherently prevent a user from using a particular operating system or hardware • Spyware will become extinct (No more Gator!)
Problems • Risks of anti-competitive or anti-consumer behavior • Deliberate manufacturer mistakes in implementation – handled by open source? • Threat model supports that the owner is a threat • Attestation cannot differentiate between changes to software with owner’s consent and changes in software by unauthorized intruders • No legal backing to this, users have a legitimate right to reverse-engineer for improvement of a program • Third parties can compel you to choices which you wouldn’t have made otherwise
More problems • Websites that demand attestation • The user cant give an attestation that he’s using IE if he’s using Mozilla instead • MSN not serving webpages to non Microsoft browsers • Can be used to subject you to advertising (“approved client”) • Web servers/File servers that demand fees from client developers • Greatly increases costs of switching to rival software • Samba -> interoperable file system created through reverse engineering (Microsoft could permanently lock out Samba from Windows File servers)
Interoperability • Current issues with third party MSN Messenger Clients • General “lock-in” problem • Sealed storage + Attestation
Digital Rights Management • Microsoft and the TCG have made several attempts to say that Trusted Computing is not designed to enforce DRM • Easy for DRM enforcers to enforce policies on users • Trusted Computing maintains the rights of the owner of the document at all costs • Destroying documents (court order?) • Privacy issues, back to the days when books could be burned • Attestation causes problems
Links between DRM and NGSCB • Curtaining prevents information in decrypted form from being copied • Secure output (no screen grabbing) • Sealed storage allows files to be stored so that only the DRM client that stored them can access them • Remote attestation makes sure only the above DRM client is run • Easy to implement DRM over NGSCB • Microsoft filed a patent for a DRM OS -> possible link here (same individuals involved)
Computer User as Adversary • Seth Schoen of the Electronic Frontier Foundation • A possible solution: Owner override • The owner can attest anything • Takes away some of the advantages but we still have a free world! • Will opt-in be real? • Trusted computing aims to enable others to trust your computer • Is this relavent? • Movies released with remote attestation
Troubling implications • Just a way for Microsoft to make sure pirated software wont run? • Switch off all the computers in China? • Remote control • Deleting pirated music • Digital objects created under TC remain under ownership of the author, even if legal control has been handed to the user • Media Control
Related Legislation • Fritz Hollings (a) SHORT TITLE. -- This Act may be cited as the "Consumer Broadband and Digital Television Promotion Act". SEC. 2. FINDINGS. The Congress finds: (1) The lack of high quality digital content continues to hinder consumer adoption of broadband Internet service and digital television products. (2) Owners of digital programming and content are increasingly reluctant to transmit their products unless digital media devices incorporate technologies that recognize and respond to content security measures designed to prevent theft. (3) Because digital content can be copied quickly, easily, and without degradation, digital programming and content owners face an exponentially increasing piracy threat in a digital age. ….
Hollings Bill (18) Piracy poses a substantial economic threat to America's content industries. (19) A solution to this problem is technologically feasible but will require government action, including a mandate to ensure its swift and ubiquitous adoption. (20) Providing a secure, protected environment for digital content should be accompanied by a preservation of legitimate consumer expectations regarding use of digital content in the home. (21) Secure technological protections should enable owners to disseminate digital content over the Internet without frustrating consumers' legitimate expectations to use that content in a legal manner. (22) Technologies used to protect digital content should facilitate legitimate home use of digital content. (23) Technologies used to protect digital content should facilitate individuals' ability to engage in legitimate use of digital content for educational or research purposes. Basic idea -> Digital Rights Management enforced! TCPA Mandated? Thankfully this Bill was not passed
Related Legislation • Feinstein wanted DRM • “This is Napster times 10” • Shrek • Paul Boutin – A little knowledge is a dangerous thing (in regard to the hollings bill) • The decision to play or not to play must be made by the content, not the player, DRM experts warn. It's tricky, but they'll get to it -- if the industry isn't forced to accept a compromise standard first.
Why TCG? • Controversial • All the manufactures involved in the process would profit greatly if the computer is accepted as a general entertainment platform for the home • Microsoft has been trying • The patents on DRM OS are remarkably similar to the current work on TCG • Implications on the GNU Public License (GPL)
Importance of Open Source • User Invention • Right to reverse engineering • Controversial DMCA • Are after purchase restrictions legal? • Cell phones that drain generic batteries • Printers that refuse to accept cartridges that have been refilled • Trusted Computing could add a few for computers here… • Sony would want our computers to behave like closed DVD players… do we want that?
Will it work for us? • jetBlue, enforcing P3P • Yes. • Customers can even revoke information they submitted and that would be destroyed from the jetBlue database • The trusted computing base will make it impossible to just copy data from one place to another • Is this a good corporate solution?
Limiting the Scope • If we can limit the scope of the initiative to personally identifiable information instead of programs in general…. • We have a good solution for the problem of sensitive information in a wired world • People can submit data with policy’s so that they will be destroyed on a later date • Should not be applied generally • Enron…