1 / 17

vpn-info

vpn-info.com. Introduction to Trusted Platform Module. Trusted computing Is specified by trusted Computing group (TCG). From Trusted computing group, NTRU Cryptosystems. Motivating examples for using TPM. How do I Store a key securely, so a user can access it with a password?

marty
Download Presentation

vpn-info

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. vpn-info.com

  2. Introduction to Trusted Platform Module

  3. Trusted computing Is specified by trusted Computing group (TCG) From Trusted computing group, NTRU Cryptosystems

  4. Motivating examples for using TPM • How do I • Store a key securely, so a user can access it with a password? • Ensure that I am communicating with a particular user with access to a particular machine? • Make sure my software only runs on a specific machine? • Make sure my software runs only on machines in a specific state? • TPM uses tamper-resistant hardware to ensure system integrity • Systems containing TPM chips: • Lenovo (IBM) Thinkpads and desktops • Fujitsu lifebook • HP desktop and notebooks • TPM Chip vendors: (small inexpensive) • Atmel, Infineon, National, STMicro • Intel D875GRH motherboard

  5. Boot-time checking App/lib invokes OS Boot loader BIOS (FLASH) BIOS (ROM) invokes invokes invokes A well-defined sequence of software modules get executed at boot time. OS Boot loader BIOS (FLASH) BIOS (ROM) Checks & invokes Checks & invokes Checks & invokes Checks & invokes App/lib Each element in the boot sequence checks the integrity of the next before invoking it Need to know the verification process succeeded Trusted boot or secure boot

  6. TPM architecture From wikipedia TPM stores secret keys and releases them depending on the state info at PCRs

  7. Platform configuration registers (PCRs) • PCRs are used to securely measure software (by computing hash) during boot • Each PCR can contain an SHA-1 hash value (20byte) • At least 16 PCRs • PCRs are reset to 0 at boot time • Write to a PCR # n by extending it – hash extension TPM_Extend(n,D): PCR[n]  SHA-1 ( PCR[n] || D ) For example OS OS computes h3 = SHA-1(module3); stores SHA-1(0,h3) -> PCR[3] Attacker substitutes module3 with module3’, h3’=SHA-1(module3’) Checks & invokes PCR[3] then contains SHA-1(0, h3’) Attacker cannot find v such that SHA-1(SHA-1(0, h3’), v) = SHA-1(0, h3) App/lib

  8. At power-up PCR[n] initialized to 0 • BIOS boot block executes • Calls PCR_Extend( n, <BIOS code> ) • Then loads and runs BIOS post boot code • BIOS executes: • Calls PCR_Extend( n, <MBR code> ) • Then runs MBR (master boot record). • MBR executes: • Calls PCR_Extend( n, <OS loader code, config params> ) • Then runs OS loader Which PCRs to use is defined by specifications

  9. Using PCR values after boot • Application 1: encrypted (a.k.a sealed) storage. • Step 1: TPM_TakeOwnership( OwnerPassword, … ) • Creates 2048-bit RSA Storage Root Key (SRK) on TPM • Cannot run TPM_TakeOwnership again: • Ownership Enabled flag  False • Done once by IT department or computer owner. • (optional) Step 2: TPM_CreateWrapKey • Create more RSA keys on TPM certified by SRK • Each key identified by 32-bit keyhandle

  10. Protected Storage • Main Step: Encrypt data using RSA key on TPM • TPM_Seal (some)Arguments: • keyhandle: which TPM key to encrypt with • KeyAuth: Password for using key `keyhandle’ • PcrValues: PCRs to embed in encrypted blob • data block: at most 256 bytes (2048 bits) • Used to encrypt symmetric key (e.g. AES) • Returns encrypted blob. • Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. • TPM_Unseal will fail otherwise

  11. Protected Storage • Embedding PCR values in blob ensures that only certain apps can decrypt data. • e.g.: Messing with MBR or OS kernel will change PCR values. • Why can’t attacker disable TPM until after boot, then extend PCRs with whatever he wants? • Root of trust: BIOS boot block.

  12. PCR and attestation • Tie a secret to a list of PCR values • TPM will use or reveal a stored secret only if PCRs have specific values • PCRs reflect system configuration and state • Application: Attestation – to prove to a remote party the legitimate version of software is running on a host • E.g., a company allows computers to connect to its network only if they run “authorized” software • E.g., content providers sell digital media only to authorized versions of players -- DRM

  13. Endorsement key (EK) and attestation identity key (AIK) • Every TPM has a unique EK • EK is the root of trust for identification • EK is generated by manufacture, never leaves TPM • Cert for EK public-key issued by TPM vendor, generated by a trusted CA • For attestation, user first generates an attestation identity key • Multiple AIKs may be generated • Cert for AIK public key issued only if EK cert is valid • AIK private key is only known to TPM

  14. Attestation • Local host answers challenges from a remote party by signing PCR values with AIK private key (after boot) • Local host runs function TPM_Quote with inputs • keyhandle: which AIK key to sign with • KeyAuth: Password for using key `keyhandle’ • PCR List: Which PCRs to sign. • Challenge nonce: 20-byte challenge from remote server • Prevents replay of old signatures. • TPM_Quote returns signed data and signature. • Remote party verifies the signature with AIK public key, verifies cert issuer, verifies PCR values in the signature

  15. Attestation Request (20-byte challenge) • Validate: • Certissuer, • PCR valsin cert (SSL) Key Exchange using Cert Communicate with app using SSL tunnel Attestation: how it works • Generate pub/priv key pair • TPM_Quote(AIK, PcrList, chal, pub-key) • Obtain cert App OS TPM RemoteServer PC

  16. Some open questions relating to TPM • TPM provides the guarantee of load-time code integrity. • It does not provide detection ability for run-time compromises such as buffer overflow attack • Can the remote party attest to the current state of a running system? • Active research on this topic, e.g., Flicker • Suppose malicious music file exploits bug in Windows Media Player. • Music file is encrypted. • TCG prevents anyone from getting music file in the clear. • Can anti-virus companies block virus without ever seeing its code in the clear? Example from Dan Boneh

  17. Slides credits • Dan Boneh • Danfeng Yao • Sean Smith

More Related