Direct Anonymous Attestation (DAA) Liqun Chen Trusted Systems - - PowerPoint PPT Presentation

Direct Anonymous Attestation (DAA)

Liqun Chen Trusted Systems Laboratory Hewlett Packard Laboratories, Bristol

12 October 2005

The slides presented here were made for a DAA seminar last year

page 2 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• utline
• utline
• what is DAA?
• what is DAA for?
• why DAA?
• how does DAA work?

page 3 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• utline
• what is DAA?
• what is DAA for?
• why DAA?
• how does DAA work?

page 4 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

DAA is a signature scheme

• DAA is a signature scheme designed for TCG

– signer: TPM (trusted platform module) – verifier: an external partner

• the name of DAA is from

–

Direct proof – without a TTP involvement

–

Anonymous – do not disclose the identity of the signer

–

Attestation – statement/claim from a TPM

• DAA was adopted by TCG and specified in TCG TPM

Specification Version 1.2, available at www.trustcomputinggroup.org

• designers: Ernie Brickell of Intel, Jan Camenisch of IBM and

Liqun Chen of HP

page 5 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

category of signature schemes – from a verifier’s point of view

• 1–out–1 signatures: ordinary signatures

– a verifier is given an authenticated public key of a

signer

• 1–out–n signatures: ring signatures, designated-

verifier signatures, concurrent signatures, ……

– a verifier is given authenticated public keys of all

potential signers

• 1–out–group signatures: group signatures, DAA

– a verifier is given an authenticated group public key

page 6 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

group signatures and DAA

• a group signature has fixed-traceability and unlinkability

– a group member certificate indicates an identity-disclosure

authority

– the authority can recover the identity of the real signer

from a group signature

• a DAA signature has flexible-traceability and flexible-

linkability

– there is no identity-disclosure authority (a DAA signature

cannot be opened by any TTP)

– a DAA signature provides the user-control link that can be

used to link some selected signatures from the same signer for the same verifier

page 7 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• utline
• what is DAA?
• what is DAA for? – for TCG
• why DAA?
• how does DAA work?

page 8 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

goals of the TCG architecture

protect protect user user’ ’s s information information protect user protect user’ ’s s computing computing environment environment protect protect user user’ ’s s privacy privacy ensure user ensure user’ ’s s choice on use of choice on use of security security mechanism mechanism

page 9 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• bstacle to achieving

the goals of the TCG architecture

security might be fundamentally incompatible with privacy

page 10 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• bstacle to achieving

the goals of the TCG architecture

security might be fundamentally incompatible with privacy

high security & low privacy

page 11 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• bstacle to achieving

the goals of the TCG architecture

security might be fundamentally incompatible with privacy

high security & low privacy high privacy & low security

page 12 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• bstacle to achieving

the goals of the TCG architecture

security might be fundamentally incompatible with privacy

high security & low privacy high privacy & low security what we want: deliver security and provide user control of privacy

page 13 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

TPM (trusted platform module)

the TPM is the root of trust for reporting -

– it offers smartcard-like security capability embedded into the

platform

– it is trusted to operate as expected (conforms to the TCG spec) – it is uniquely bound to a single platform – its functions and storage are isolated from all other components

• f the platform (e.g., the CPU)

page 14 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

TPM (trusted platform module)

the TPM is the root of trust for reporting -

– it offers smartcard-like security capability embedded into the

platform

– it is trusted to operate as expected (conforms to the TCG spec) – it is uniquely bound to a single platform – its functions and storage are isolated from all other components

• f the platform (e.g., the CPU)

random num ber generation N

• n-volatile

M em

• ry

Processor M em

• ry

asym m etric key generation signing and encryption pow er detection clock/tim er I/O H M AC hash

page 15 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

platform attestation

• TCG requires a TPM to have an embedded “endorsement

key (EK)”, to prove that a TPM is a particular genuine TPM

• EK is not a platform identity
• TCG lets a TPM control “multiple pseudonymous attestation

identities” by using “attestation identity key (AIK)”

• AIK is a platform identity, to attest to platform properties

we need a link between EK and AIK

page 16 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

privacy issue

I want to know that AIK came from a TPM

AIK an external partner

I don’t want to disclose which TPM the AIK is from

TPM – trusted platform module EK – endorsement key AIK – attestation identity key

a user

page 17 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

privacy issue

I want to know that AIK came from a TPM

AIK an external partner

I don’t want to disclose which TPM the AIK is from

TPM – trusted platform module EK – endorsement key AIK – attestation identity key

a user we seek a solution to convince an external party that an AIK is held in a TPM without identifying the TPM

page 18 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• utline
• what is DAA?
• what is DAA for?
• why DAA?
• how does DAA work?

page 19 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

previous solution is not good enough

the previous solution (before TCG TPM spec. v1.2) -

• involves a TTP to issue certificates
• allows choice of any (different) certification authorities

(privacy-CA) to certify each TPM identity

• can help prevent correlation, however

anonymity is dependent upon the private-CA

page 20 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• ur goal and solution
• our goal: a solution provides

– anonymity without a TTP – authentication without a certificate

• our solution:

– direct anonymous attestation (DAA)

direct proof replaces the TTP

page 21 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

a simple picture of DAA

TPM

AIK #1 AIK #2 EK DAA

page 22 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

a simple picture of DAA

stock broker verifier medical clinic verifier TPM

AIK #1 AIK #2 EK DAA

page 23 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

a simple picture of DAA

stock broker verifier

a DAA signature of AIK #1

medical clinic verifier

a DAA signature of AIK #2

TPM

AIK #1 AIK #2 EK DAA

page 24 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

a simple picture of DAA

stock broker verifier

a DAA signature of AIK #1

I know that AIK #1 came from a TPM, but I don’t know which one. medical clinic verifier

a DAA signature of AIK #2

I know that AIK #2 came from a TPM, but I don’t know which one. TPM

AIK #1 AIK #2 EK DAA

page 25 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

a simple picture of DAA

stock broker verifier

a DAA signature of AIK #1

I know that AIK #1 came from a TPM, but I don’t know which one. medical clinic verifier

a DAA signature of AIK #2

I know that AIK #2 came from a TPM, but I don’t know which one.

We can’t tell if Key #1 and Key #2 came from the same TPM or not. we can’t tell if AIK #1 and AIK #2 came from the same TPM or not.

TPM

AIK #1 AIK #2 EK DAA

page 26 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

a simple picture of DAA

stock broker verifier

a DAA signature of AIK #1

I know that AIK #1 came from a TPM, but I don’t know which one. medical clinic verifier

a DAA signature of AIK #2

I know that AIK #2 came from a TPM, but I don’t know which one.

We can’t tell if Key #1 and Key #2 came from the same TPM or not. we can’t tell if AIK #1 and AIK #2 came from the same TPM or not.

but

if the client behaves badly, I can stop him to use my service

TPM

AIK #1 AIK #2 EK DAA

page 27 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

• utline
• what is DAA?
• what is DAA for?
• why DAA?
• how does DAA work?

page 28 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

the DAA scheme outline

• entities

– DAA issuer: a DAA certificate issuer (e.g., a manufacturer

• f TCG platforms)

– DAA signer: a trusted platform module (TPM) with help

from a host platform

– DAA verifier: an external partner (e.g.,a service provider)

• primitives

– system and issuer setup – join protocol – signing algorithm – verifying algorithm – solution of restricted link – solution of revocation

page 29 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

setup

• Issuer public key: PKI = (hk, n, g’, g, h, S, Z, R0, R1, γ, Γ, ρ)

– RSA parameters with

n – an RSA modulus g’ ∈ QRn g, h ∈ 〈g’ 〉 S, Z ∈ 〈h 〉 R0, R1 ∈ 〈S 〉

– a group of prime order with

Γ - modulus (prime) ρ - order (prime, s.t. ρ|Γ - 1) γ - generator (γ ρ = 1 mod Γ )

– a hash function

Hhk - a hash function of length hk

• private key: factorisation of n

a non-interactive proof of correctness of key generation (using the Fiat- Shamir heuristic)

page 30 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

join

entities: TPM, Host and Issuer

• DAA signing key (created by TPM):

– f0, f1 (104-bit)

• DAA certificate (created with Issuer):

– v (2536-bit) – A (2048-bit) – e (prime ∈R [2367, 2367 + 2119])

values R0, R1, S, Z, n are part of PKI

• TPM stores f0, f1, v, H(A||e||PKI)
• Host stores A and e

) (mod

1

1

n Z A S R R

e v f f

=

page 31 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

join join

entities: TPM, Host and Issuer

• DAA signing key (created by TPM):

– f0, f1 (104-bit)

• DAA certificate (created with Issuer):

– v (2536-bit) – A (2048-bit) – e (prime ∈R [2367, 2367 + 2119])

values R0, R1, S, Z, n are part of PKI

• TPM stores f0, f1, v, H(A||e||PKI)
• Host stores A and e

) (mod

1

1

n Z A S R R

e v f f

=

an authentic channel between TPM and Issuer using the endorsement key (EK)

• f TPM

v is contributed by both TPM and Issuer TPM proves to Issuer knowledge of f0, f1 and its contribution on v Issuer proves to Host correctness of certificate generation

page 32 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

join

entities: TPM, Host and Issuer

• DAA signing key (created by TPM):

– f0, f1 (104-bit)

• DAA certificate (created with Issuer):

– v (2536-bit) – A (2048-bit) – e (prime ∈R [2367, 2367 + 2119])

values R0, R1, S, Z, n are part of PKI

• TPM stores f0, f1, v, H(A||e||PKI)
• Host stores A and e

) (mod

1

1

n Z A S R R

e v f f

=

an authentic channel between TPM and Issuer using the endorsement key (EK)

• f TPM

v is contributed by both TPM and Issuer TPM proves to Issuer knowledge of f0, f1 and its contribution on v Issuer proves to Host correctness of certificate generation

TPM Issuer

R1

f0R2 f1Sv1

A, e, v2

with message authentication and correctness checking

page 33 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

join

entities: TPM, Host and Issuer

• DAA signing key (created by TPM):

– f0, f1 (104-bit)

• DAA certificate (created with Issuer):

– v (2536-bit) – A (2048-bit) – e (prime ∈R [2367, 2367 + 2119])

values R0, R1, S, Z, n are part of PKI

• TPM stores f0, f1, v, H(A||e||PKI)
• Host stores A and e

) (mod

1

1

n Z A S R R

e v f f

=

an authentic channel between TPM and Issuer using the endorsement key (EK)

• f TPM

v is contributed by both TPM and Issuer TPM proves to Issuer knowledge of f0, f1 and its contribution on v Issuer proves to Host correctness of certificate generation

TPM Issuer

R1

f0R2 f1Sv1

A, e, v2

with message authentication and correctness checking

the Camenisch- Lysyanskaya signature scheme and based on the strong RSA problem given n and z find a and e s.t. ae = z (mod n)

page 34 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

signature ) (mod ) (mod ) ' ( ) (mod name base the } 1 , { , commitment ) , , , , , , , , , ' , , ( : key public ) (mod satisfying : e certificat : key private

104 1 1

2 2 1 1 1

Γ = = = − ∈ Γ = =

+f f v r e w w l R I e v f f

N n g h g T n Ah T r w Z S R R h g g n hk PK n Z A S R R v,A,e, , f f ζ ζ ρ γ

Schnorr signature

private/public key (x, y = gx) signature msg - message r ∈R {0,1}l t = g r c = H(t||msg) s = r + xc σ = (c, s) verification c ≡ H(gsy-c||msg)

DAA signature

msg, r, t, c, s, σ

page 35 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

a DAA signature is presented by

msg, r, t, c, s, σ

page 36 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

DAA signature msg = b||m b ∈ {0,1} m ∈ {AIK, other string} if b = 0, m = AIK - RSA key if b = 1 m = other string

msg, r, t, c, s, σ

page 37 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

DAA signature msg = b||m b ∈ {0,1} m ∈ {AIK, other string} if b = 0, m = AIK - RSA key if b = 1 m = other string

Host by chosen are , , , , , TPM by chosen are , , , } , , , , , , , , , {

1 2 1 1 2 1

er ew r w ee e f f v v er ew r w ee e f f v v

r r r r r r r r r r r r r r r r r r r r r =

msg, r, t, c, s, σ

page 38 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

DAA signature msg = b||m b ∈ {0,1} m ∈ {AIK, other string} if b = 0, m = AIK - RSA key if b = 1 m = other string

Host by chosen are , , , , , TPM by chosen are , , , } , , , , , , , , , {

1 2 1 1 2 1

er ew r w ee e f f v v er ew r w ee e f f v v

r r r r r r r r r r r r r r r r r r r r r =

• thers

computes Host ~ and computes TPM ) (mod ~ ) (mod ' ' ~ ), (mod ' ~ ) (mod ~ } ~ , ' ~ , ~ , ~ {

2 1 1 104 1 2 1 1

1 2 2 2 2 1 1 1 2 2 1 v r r r r r r v r r r r r r r r r r r r r v

N S S R R N n g h g T T n g h g T n h T S S R R T N T T T t

v v f f f f er ee ew e r e w ew e v v f f

Γ = = = = =

+ − −

ζ

msg, r, t, c, s, σ

page 39 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

DAA signature msg = b||m b ∈ {0,1} m ∈ {AIK, other string} if b = 0, m = AIK - RSA key if b = 1 m = other string

Host by chosen are , , , , , TPM by chosen are , , , } , , , , , , , , , {

1 2 1 1 2 1

er ew r w ee e f f v v er ew r w ee e f f v v

r r r r r r r r r r r r r r r r r r r r r =

• thers

computes Host ~ and computes TPM ) (mod ~ ) (mod ' ' ~ ), (mod ' ~ ) (mod ~ } ~ , ' ~ , ~ , ~ {

2 1 1 104 1 2 1 1

1 2 2 2 2 1 1 1 2 2 1 v r r r r r r v r r r r r r r r r r r r r v

N S S R R N n g h g T T n g h g T n h T S S R R T N T T T t

v v f f f f er ee ew e r e w ew e v v f f

Γ = = = = =

+ − −

ζ

c = {PKI||ζ|| commitment|| t||nv||nt||msg} where nv and nt are nonce chosen by verifier & TPM respectively

msg, r, t, c, s, σ

page 40 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

DAA signature msg = b||m b ∈ {0,1} m ∈ {AIK, other string} if b = 0, m = AIK - RSA key if b = 1 m = other string

Host by chosen are , , , , , TPM by chosen are , , , } , , , , , , , , , {

1 2 1 1 2 1

er ew r w ee e f f v v er ew r w ee e f f v v

r r r r r r r r r r r r r r r r r r r r r =

• thers

computes Host ~ and computes TPM ) (mod ~ ) (mod ' ' ~ ), (mod ' ~ ) (mod ~ } ~ , ' ~ , ~ , ~ {

2 1 1 104 1 2 1 1

1 2 2 2 2 1 1 1 2 2 1 v r r r r r r v r r r r r r r r r r r r r v

N S S R R N n g h g T T n g h g T n h T S S R R T N T T T t

v v f f f f er ee ew e r e w ew e v v f f

Γ = = = = =

+ − −

ζ

c = {PKI||ζ|| commitment|| t||nv||nt||msg} where nv and nt are nonce chosen by verifier & TPM respectively

cer r s cr r s cew r s c r s ce r s e c r s cv r s cf r s cf r s

er er r r ew ew w w w ee ee e e v v f f f f

+ = + = + = + = + = − + = + = + = + =

2 367 1

) 2 (

1 1

msg, r, t, c, s, σ

page 41 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

sign

DAA signature msg = b||m b ∈ {0,1} m ∈ {AIK, other string} if b = 0, m = AIK - RSA key if b = 1 m = other string

Host by chosen are , , , , , TPM by chosen are , , , } , , , , , , , , , {

1 2 1 1 2 1

er ew r w ee e f f v v er ew r w ee e f f v v

r r r r r r r r r r r r r r r r r r r r r =

• thers

computes Host ~ and computes TPM ) (mod ~ ) (mod ' ' ~ ), (mod ' ~ ) (mod ~ } ~ , ' ~ , ~ , ~ {

2 1 1 104 1 2 1 1

1 2 2 2 2 1 1 1 2 2 1 v r r r r r r v r r r r r r r r r r r r r v

N S S R R N n g h g T T n g h g T n h T S S R R T N T T T t

v v f f f f er ee ew e r e w ew e v v f f

Γ = = = = =

+ − −

ζ

c = {PKI||ζ|| commitment|| t||nv||nt||msg} where nv and nt are nonce chosen by verifier & TPM respectively

cer r s cr r s cew r s c r s ce r s e c r s cv r s cf r s cf r s

er er r r ew ew w w w ee ee e e v v f f f f

+ = + = + = + = + = − + = + = + = + =

2 367 1

) 2 (

1 1

) , , , , , , , , , , , , , , ( ) , , , commitment , ( : signature

1

2 1 er r ew w ee e f f v t v t

s s s s s s s s s n c N T T s n c ζ ζ σ = =

msg, r, t, c, s, σ

page 42 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

verify

361 345 / ) 1 ( 2 2 1 2 1 2 ) 2 ( 2 2 2 2 2 1 2 1 1 1 2 1

} 1 , { } 1 , { , ) (mod )) || 1 ( ( , ) || || || || ˆ || ' ˆ || ˆ || ˆ || || || || || (

• verify

) (mod ˆ ) (mod ) ' ( ' ˆ ) (mod ) ' ( ˆ ) (mod ˆ

• compute

) , , , , , , , , ' , , , ( ) , , , , , , , , , , , , , , ( , || Issuer

• f

key public and signature message,

• input

1 104 1 367 367 1 367 1

∈ ∈ Γ = ∈ ≡ Γ = = = = Γ = =

− Γ Γ + − + − + − − + − e f f R v v t v v I hk s s c v v s s s c s s c s s c s s s s c s c I er r ew w ee e f f v t v

s s s bsn H N m b n n N T T T N T T PK H c N N n g h g T T n g h g T T n h S R R T Z T Z S R R h g g n hk PK s s s s s s s s s n c N T T m b

f f er ee ew e r e w ew v f f e

ρ

ζ γ ζ ζ ζ ρ γ ζ σ

page 43 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

restricted link for a verifier – named/random base in a DAA signature

security sensitivity low security & high privacy high security & low privacy privacy sensitivity

page 44 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

restricted link for a verifier – named/random base in a DAA signature

named base combined base random base

security sensitivity low security & high privacy high security & low privacy privacy sensitivity

page 45 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

restricted link for a verifier – named/random base in a DAA signature

named base combined base random base

security sensitivity low security & high privacy high security & low privacy privacy sensitivity

a base: ζ∈R 〈γ〉 or ζ = (H(1||bsn))(Γ-1)/ρ (mod Γ)

named base – verifier can link two signatures from the same TPM signed for the verifier random base – no link

) (mod

104 1

2

Γ =

+f f v

N ζ

page 46 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

revoking a certificate

• if f0 and f1 are known

– put f0 and f1 on a certificate revocation list and check

the list in each verification process

• if f0 and f1 are not known

– the name base solution can help a verifier to create

his own certificate revocation list with

ζ = (H(1||bsn))(Γ-1)/ρ (mod Γ)

) (mod

104 1

2

Γ =

+f f v

N ζ

page 47 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

security proof

• we prove the above DAA scheme is secure in the random oracle

model under

– the strong RSA assumption – the DDH assumption in QRn and – the DDH assumption in 〈γ〉

• By “the scheme is secure”, we mean

– there exists no adversary that can adaptively run the join

protocol, ask for signature by other (i.e., honest) members, and then output a signature containing a value Nv such that for all f0 and f1 extracted from the adversary in the join protocol Nv does not match

) (mod

104 1

2

Γ =

+f f v

N ζ

page 48 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

summary

DAA -

§ is a signature scheme § offers a zero knowledge proof of a key certificate § provides a variety of balances between security and

privacy by choosing

• random base – for privacy sensitive cases
• named base – for non privacy-sensitive cases
• combinations

§ has a security proof in the random oracle model based on:

• the strong RSA assumption
• the DDH assumption

page 49 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

future work

• more flexible privacy solutions
• more flexible revocation solutions

page 50 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

further information

• TCG initiatives:

http://www.trustedcomputing.org

• E. Brickell, J. Camenisch and L. Chen. Direct

anonymous attestation. In Proc. 11th ACM Conference

• n Computer and Communications Security, pages

132-145, ACM press, 2004

• B. Balacheff, L. Chen, S. Pearson, D. Plaquin and G.

Proudler, Trusted Computing Platforms: TCPA technology in context, Prentice Hall PTR, 2003

page 51 12/10/2005 Direct anonymous attestation – a signature scheme for TCG

HP logo