Combining Trusted Computing and Smart Cards for Trustworthy VPN - - PowerPoint PPT Presentation

Combining Trusted Computing and Smart Cards for Trustworthy VPN Access

Bachelor Thesis - Final Presentation Michael Dorner

Chair for Network Architectures and Services Department of Computer Science Technical University of Munich

24.04.2013

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 1

Agenda

1

Introduction

2

System design

3

Evaluation

4

Conclusion

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 2

The Real World Problem

“Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of [US] media companies..” - Wall Street Journal (31.01.2013) “Facebook hacked in ’sophisticated attack”’ - The Guardian (16.02.2013) “Microsoft hacked by same cyberattack as Apple and Facebook” - The Telegraph (23.02.2013)

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 3

Technical Issue

Computer security mechanisms not tightly integrated, but applied on top of the OS → fairly easy to circumvent once in control of the Host Networks not designed to support containment of an infection Approach:

link host- and network-security Requires integrity-defining state to be created in a secure and attestable to make it usable for access decisions Lying endpoint problem: hosts may lie about their actual state to manipulate the access decision

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 4

Trusted Platform Module

Used to counter lying endpoint problem Local deputy - hardware security module with passive host-independent capabilities Provides protected state storage (PCR) and capabilities Protected capabilities include attestation (cryptographic proof)

• f protected storage contents to remote parties

Core Root of Trust for Measurement(CRTM): protected TPM storage used to store state measurements from the very first boot stage, the trusted CRTM (not part of the TPM)

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 5

Integrity measurements: Chain of Trust

TPM CRTM BIOS Stage 1: MBR Stage1.5 Stage 2 Kernel: IMA Userspace Applications Measure, then Load Store Measurments

Figure: Chain of Trust

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 6

Integrity Measurement Architecture - IMA

Kernel-module, Relies on CRTM-functionality Continues chain of trust after kernel has been loaded - what is measured is defined by policy Creates Integrity Measurement List (IML), which stores these measurements Integrity of the list protected by check-value (hash) in protected TPM-storage Allows attestation of the measurement list

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 7

State of the Art: Secure Boot

States of a host during boot are predefined Deviation will force the host to stop booting, since subsequent stages cannot be loaded Authenticating parties make implicit assumption that any booted host is clean Compatible with post-boot techniques like IMA Problem:

no attestable state may be abused to lock users out (DoS) needs additional post-boot techniques to continue protection can place serious restrictions on the systems that can be booted

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 8

State of the Art 2: TNC

Trusted Network Connect: AAA-server queries state of a host, tracks and evaluates it Access point queries TNC-server via EAP Access decision based on EAP-response Problems:

centralized → vulnerable to DoS may violate privacy implicitly demands integrity of the AAA-server

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 9

Proposal: Smart card based Solution

Attestation from the host to a smart card, which acts as local trustworthy verifier Smart card checks integrity-state, certifies it with a token, if acceptable Host presents token to Authenticating Party Authenticating Party checks token against policy, makes access decision Goal: decentralized, privacy conserving, inherently secure

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 10

Smart Cards

Functionality ranges from simple key storage to execution capabilities Strong hardware-protection and full security-evaluation possible due to simplicity of the card JavaCard:

Implements reduced set of Java on smart cards JavaCard connected extends classic JavaCards with networking(HTTP/HTTPS) Connected cards have more powerful hardware

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 11

Access to a Company-VPN

Access Point (VPN-AP) must enforce that only “clean” hosts can join Clean: policy defined set of states, which are considered to represent a trustworthy host Host is the personal device of an organization member, which accesses the VPN over an untrusted network Host attests state to a smart card, obtains token, presents token to VPN-AP

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 12

Next

1

Introduction

2

System design

3

Evaluation

4

Conclusion

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 13

System Requirements

R1: Strong proof of integrity and strong authentication R2: System must be fast enough to be used in connection-establishment (comparable to regular IKE) R3: Allow for access decision based on host security R4: Preserve user privacy and general freedom to execute arbitrary code

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 14

Topology of the proposed solution

Linux Host with IMA Authenticating Party Smart Card TPM

AIK

SC-ID

TA

Figure: System Topology of the central entities

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 15

Host State Attestation and Evaluation

TPM Host SC

Initiate Connection Accept, NonceCard GetAttestation(Check-Value, Nonce) SigAIK(Check-Value, Nonce) Transmit Attestation Verify Attestation Request IML Transmit IML Verify IML-entries Verify IML Create Token Return Token

IMA Attestation

Figure: Verification Process of a Platform Verification Certificate (PVC)

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 16

Host State Verification (details)

Card has a database of known good hashes (whitelist, KGDB) Lookup entry in the database; if matching extend entry into

• wn check v

Repeat until no more values are received or built-in limit is reached (usually limited by whitelist-size) Compare final check value to attested check value If matching, state verification successful, otherwise state undefined

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 17

Platform Verification Certificate (PVC)

Attestation Type Smart card ID-keypub Host AIKpub Attestation Version Database Version Timestamp Token Authority Signature

Figure: Platform Verification Certificate (PVC)

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 18

Modified IKE with PVC-integration

Host SC TPM AP

HDR, KEHost, SAHost, NonceHost HDR, KEAP, SAAP, NonceAP, PVCREQ StoreToPCR(AUTH-Info) RequestAttestation(NonceAP) SigAIK(AUTH-Info, NonceAP) SigningRequest(Attestation) SigSC-ID(Attestation, TimestampSC), TimestampSC HDR, SK(IDHost, PVC, [CERTREQ/PVCREQ], [IDAP], PVCAUTH, SAHost2, TSHost, TSAP) HDR, SK(IDHost, [PVC/CERT], [PVC]AUTH, SAAP2, TSHost, TSAP) PVCAUTH = Attestation, SigSC-ID, Timestamp Verify PVCAUTH

Figure: Verification Process of a Platform Verification Certificate (PVC)

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 19

PVC Evaluation at the Access Point

Verify the PVC’s integrity and origin (i.e. check signature) Make sure the PVC and the identities in the PVC are valid i.e. deal with revocation Policy check : attestation type, version and database allowed for this user(SC-ID) and platform(AIK)? Verify PVCAUTH: challenged party is in control of the platform and identity in the PVC

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 20

Technical Limitations

Trusted Software Stacks (TrouSerS, jTSS) do not support all

• perations correctly yet

Communicating TPM-information to platforms without TSS (e.g. JavaCards) is hard to implement Java card connected not available yet, prototype not usable Simulator and card-proxy used to simulate JavaCard

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 21

Next

1

Introduction

2

System design

3

Evaluation

4

Conclusion

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 22

System Requirements - Evaluation (1)

R1: Strong proof of integrity and strong authentication E1: IMA and TPM grant trust in initial measurements, trustworthiness of the smart card creates trustworthy state-evaluation R2: System must be fast enough to be used in connection-establishment (comparable to regular IKE) E2: Simulator runs at host-CPU’s frequency, i.e. not direct evaluation possible, estimate based on other researchers measurement amounts to 5 seconds for access protocol, time for verification cannot be estimated

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 23

System Requirements - Evaluation (2)

R3: Allow for access decision based on host security E3: Token allows AP to make a decision based on host- and user-identity plus additional qualification (e.g. state) R4: Preserve user privacy and general freedom to execute arbitrary code E4: Evaluation on card keeps initial measurements secret, execution not impaired by any means

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 24

Comparison

TNC Secure Boot SC-based Availability

• +

Privacy

• ++

+ State freshness ++

• +

Operation effort

• +
• Deployment effort
• +
• Software limitations

no yes no Environment Organization Any Any

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 25

Next

1

Introduction

2

System design

3

Evaluation

4

Conclusion

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 26

Conclusion

Coupling host- and network-security can offer significantly improved security State of the art solutions are either privacy nightmares or offer insufficient security Smart card as trusted local verifier offers good privacy and high security Available hardware/software complicates implementation of the system

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 27

End

Thank you for your attention

Questions?

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 28

Anonymous Card Distribution

Manufacturer creates cards, loads key(s) onto them Retailer puts large quantity of cards on a shelf/rummage table Customer randomly picks a card from the shelf Customer registers public key on account creation / adds key to existing account Anonymity depends on number of cards the customer can pick from

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 29

Cryptographic Issues

PCR10 (IMA-IVV) does not reflect a single state: possibleIVVs >> 2160 SHA-1 functionality of the TPM not affected by SHA-1 weaknesses (DoD investigated) SHA-1 functionality of IMA very likely affected IMA does: SHA-1(measurement ||′\0′-padded file name) and extends this “template” into PCR 10 TPM v 2.0 supports more (new) algorithms

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 30

Local PVCs

PVC with included state, i.e. IML-aggregate up to the point of attestation Can be used to create a checkpoint, from which the host can resume Can be used to move an inactive session off the card to make memory available for other sessions (other hosts/devices) Expectation: Restoring from a PVC will drastically reduce the time for verification

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 31

Card Usage Model

Card issuer loads card applet and creates SC-ID(s) and TA-key Applet can use TA-Key internally to provide protected services to the user User cannot load applets onto card, cannot modify existing applets User can use SC-ID for signing etc., but can never use the TA-key directly

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 32

Lazy attestation

Continue submission of measurements after initial attestation On new attestation, card tells host the current state If host thinks card is async, reset it with local PVC, resume normally from that state Otherwise attest current and transmit remaining new measurements

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 33

On-request attestation

Challenging AP transmits a nonce to the challenged host Host asks for a dedicated PVC, which includes this nonce Card additionally creates the requested PVC with nonce after new attestation Advantage: more secure Disadvantage: takes longer, unfeasible for smart cards without lazy method

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 34

Ethernet Emulation Model - EEM

Treats USB as (reliable) layer 1 protocol Transmits Ethernet frames without FCS over USB Receiver treats USB-link as Ethernet link, expects usual protocol stack on top of Ethernet

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 35

Present weakness

Token can be reused across two boots Prevention would require unique boot-identifier included into token Initial plan: use TPM monotonic counters and transport sessions Problem: Monotonic counter must be incremented by BIOS/Bootloader, which is not supported

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 36

Transport Session

Encapsulates a set of TPM commands In-/Out-operands and executed commands extended into hash Transport session can be signed with AIK when closed Allows to attest execution of arbitrary commands Not supported in jTSS, not correctly implemented in TrouSerS

Michael Dorner (TU Munich) Combining Trusted Computing and Smart Cards for Trustworthy VPN Access 37