TPM: Trusted Platform Module Sumeet Bajaj sbajaj@cs.stonybrook.edu - - PowerPoint PPT Presentation



slide-1
SLIDE 1

TPM: Trusted Platform Module

Sumeet Bajaj sbajaj@cs.stonybrook.edu

9 Feb 2011 CSE 408

slide-2
SLIDE 2

Introduction

Verifier Platform

Attestation of Remote Platform

  • Identify specific platform
  • Verify software stack on remote platform

verification request verification data

slide-3
SLIDE 3

Use Case

Verify user system

Corporate Network

Connect

slide-4
SLIDE 4

TPM

Trusted Platform Module

  • Secure crypto-processor

Uses

  • Remote Attestation
  • Binding, Sealing : Data encryption

Applications

  • Platform Integrity
  • Disk Encryption
  • Password Protection
  • Digital Rights Management
  • Software Licenses

Verifier Platform

verification data verification request

TPM deployed on remote platform

slide-5
SLIDE 5

TPM Specification

  • TPM Specification: Design, Structure, Commands
  • TPM Chips
  • No TPMs: China, Russia, Belarus, Kazakhstan

slide-6
SLIDE 6

TPM Example

300 Million PCs have shipped with a chip called the Trusted Platform Module (TPM)

slide-7
SLIDE 7

TPM Specification v1.1 (184 pages)

  • FIPS 140-2 certification.
  • Commands for all operations, e.g. Key generation, PCR extension
  • Processes for Key generation & management
  • Cryptographic processes e.g. Random number generation
  • TPM Architecture
  • TPM operation including initialization, self-test modes, startup, enabling, disabling etc

  • FIPS 140-2 Level 1: The lowest, imposes very limited requirements; loosely, all components must be "production-grade"
  • FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
  • FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
  • FIPS 140-2 Level 4: Makes the physical security requirements more stringent, and requires robustness against environmental attacks.

FIPS: Federal Information Processing Standard

slide-8
SLIDE 8

TPM Architecture

slide-9
SLIDE 9

PCR (Platform Configuration Register)

Problem! Scale, collusion

PCR

160 bits

PCR_i (new) = HASH(PCR_i (old value) || value to add)

  • Minimum of 16 PCRs
  • Store integrity metrics
  • Avoid overwriting
  • Unlimited number of measurements
  • Measurements are ordered
  • If disabled, extending a PCR still works, but returns 0s
slide-10
SLIDE 10

Platform

TCG Boot Process

BIOS Boot Block → BIOS → MBR/OS Loader → Operating System → Application

PCR0 = 0
PCR_Extend(n, <BIOS CODE>): PCR1 = H(PCR0 || <BIOS Code>)
PCR_Extend(n, <MBR CODE>): PCR2 = H(PCR1 || <MBRCode>)
PCR_Extend(n, <OS CODE>): PCR3 = H(PCR2 || <OS Code>)
PCR_Extend(n, <APP CODE>): PCR4 = H(PCR3 || <APP Code>)

H : SHA-1
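
The extend chain on this slide, together with the DB lookup a verifier performs, as an added Python model (not from the original deck). Assumptions: the value to add is the SHA-1 digest of each stage, and the component names, byte strings and the `measured_boot`/`verify` helpers are constructed for illustration. The AIK signature over the reported PCR is left out.

```python
import hashlib

PCR_BYTES = 20  # 160-bit PCR, H = SHA-1 as on the slides


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR_new = H(PCR_old || value to add)."""
    return hashlib.sha1(pcr + digest).digest()


def measured_boot(chain):
    """Platform side: measure each stage in order, log it, extend the PCR."""
    pcr, log = bytes(PCR_BYTES), []           # PCR is all zeros after reset
    for name, code in chain:
        digest = hashlib.sha1(code).digest()  # measurement of the next stage
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def verify(reported_pcr: bytes, log, known_good) -> str:
    """Verifier side: replay the log, then check every entry against the DB."""
    pcr = bytes(PCR_BYTES)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return "log does not reproduce PCR"
    bad = [name for name, digest in log if known_good.get(name) != digest]
    return "ok" if not bad else "unexpected: " + ", ".join(bad)


# Constructed sample boot chain (placeholder byte strings, not real firmware).
CHAIN = [("BIOS", b"bios-v1"), ("MBR", b"loader-v1"),
         ("OS", b"kernel-v1"), ("APP", b"app-v1")]
GOOD_PCR, GOOD_LOG = measured_boot(CHAIN)
KNOWN_GOOD = dict(GOOD_LOG)                   # verifier's DB of expected digests

if __name__ == "__main__":
    print(verify(GOOD_PCR, GOOD_LOG, KNOWN_GOOD))
    tampered = [("BIOS", b"bios-v1"), ("MBR", b"loader-evil"),
                ("OS", b"kernel-v1"), ("APP", b"app-v1")]
    pcr, log = measured_boot(tampered)
    print(verify(pcr, log, KNOWN_GOOD))       # honest log, modified stage
    print(verify(pcr, GOOD_LOG, KNOWN_GOOD))  # clean log replayed over a bad PCR
```

Because each value is hashed together with the previous PCR, a platform cannot present a clean log alongside a PCR produced by a modified stage, and reordering the stages changes the final value as well.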

slide-11
SLIDE 11

Root of Trust

BIOS Boot Block → BIOS → MBR/OS Loader → Operating System → Application

Root of Trust in Integrity Measurement

Measuring, extending PCRs

Root of Trust in Integrity Reporting

slide-12
SLIDE 12

Simple Attestation Method

Platform: TPM, Application A

Verifier (PKTPM), DB

PKTPM & SKTPM (Endorsement key)

PKAIK & SKAIK (Attestation Identity Key)

generates PKA & SKA

  • 1) Read_PCR
  • 2) {PCR}SKAIK
  • 3) Cert{PKAIK}SKTPM {PCR}SKAIK
  • 4) Cert{PKAIK}SKTPM , {PCR}SKAIK
  • 5) verifies the signature
  • 6) looks up #A in DB
  • 7) ...

DB: Lookup PCR “ok”

Problem! Does not protect user privacy

  • EK is one-time unique per TPM
  • AIK can be used anew for each attestation

slide-13
SLIDE 13

Solution : Single key pair for all TPMs

TPM

SKTPM

Manufacturer

PKTPM & SKTPM

TPM

SKTPM

TPM

SKTPM

……..

Verifier

Problem! Identify legitimate TPMs from fake

slide-14
SLIDE 14

Solution : Certificate Authority (TPM v1.1)

Problem! Scale, collusion

TPM

PKTPM & SKTPM (Endorsement key)

Privacy Certification Authority (CA) PKTPM1 & SKTPM1 PKTPM2 & SKTPM2 ……….. PKTPMn & SKTPMn

PKAIK & SKAIK (Attestation key)

Verifier

  • 1. Cert{PKAIK } SKTPM
  • 2. Searches PKTPM
  • 3. Cert{PKAIK } SKCA
  • 4. Verification Request
  • 5. Cert{PKAIK } SKCA

Remove rogue TPM key from list

slide-15
SLIDE 15

Direct Anonymous Attestation (DAA) – TPM Spec 1.2

  • Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP)
  • Based on Camenisch-Lysyanskaya anonymous credential system

  • Direct : Without a TTP
  • Anonymous : Does not reveal signer’s identity
  • Attestation : claim from a TPM

TPM

Verifier1

SKAIK1 SKAIK2

Verifier2

DAA{SKAIK1} DAA{SKAIK2}

  • Can tell SKAIK1 is from a TPM, but not which one
  • Can tell SKAIK2 is from a TPM, but not which one
  • Cannot tell if SKAIK1 & SKAIK2 are from the same TPM

slide-16
SLIDE 16

Direct Anonymous Attestation (Join)

TPM

Issuer

Commit to Derive from issuer’s name by TPM Proves that Signature on Secret Public DAA certificate

slide-17
SLIDE 17

Direct Anonymous Attestation (Verification)

TPM

Verifier1

Zero knowledge proof protocol TPM proves it knows TPM Proves the exponent is related

  • Used for blacklisting
  • Used for linking transactions from the same TPM
slide-18
SLIDE 18

Secure Storage

TPM_Seal(Blob, PCR’)

SKENC

Blob’ = {Blob || PCR’} SKENC
Stores Blob’

TPM_UnSeal(Blob’)

Checks if Current PCR = PCR’ in Blob
If true Blob = Decrypt{Blob’} SKENC
If false return failure

  • OS & Apps sealed with MBR’s PCR
  • Seal Web Server’s SSL Key
  • Microsoft BitLocker
  • Blob size is 256 bytes
slide-19
SLIDE 19

DRM – E.g. using TPM counters

TPM_Seal(Blob, PCR’)

SKENC, COUNTER = 0

Blob’ = {Blob || PCR’} SKENC
Stores Blob’

TPM_UnSeal(Blob’)

Checks if Current PCR = PCR’ in Blob
If true Blob = Decrypt{Blob’} SKENC && COUNTER < N
COUNTER++
If false return failure

  • Music can be played for 30 days only

Application : Media Player
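
The seal/unseal flow from the Secure Storage and DRM slides, as an added Python model (not from the original deck, and not a TPM or TSS API). Assumptions: the `ToyTPM` class and its method names are hypothetical, and an HMAC-SHA256 keystream with a MAC stands in for encryption under SKENC so the model needs only the standard library.

```python
import hashlib, hmac, os


class ToyTPM:
    """Model of the seal/unseal flow above; not a real TPM or TSS interface."""

    def __init__(self, max_unseals: int):
        self._sk_enc = os.urandom(32)      # SKENC: never leaves the module
        self.pcr = bytes(20)               # 160-bit PCR, zero after reset
        self.counter, self.n = 0, max_unseals

    def extend(self, code: bytes) -> None:
        digest = hashlib.sha1(code).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()

    def _mac(self, label: bytes, data: bytes) -> bytes:
        return hmac.new(self._sk_enc, label + data, hashlib.sha256).digest()

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as keystream.
        blocks = (len(data) + 31) // 32
        ks = b"".join(self._mac(b"ks", nonce + i.to_bytes(4, "big"))
                      for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, ks))

    def seal(self, blob: bytes, pcr_required: bytes) -> bytes:
        """Blob' = {Blob || PCR'}SKENC; the caller stores Blob'."""
        nonce = os.urandom(16)
        ct = self._xor_stream(nonce, blob + pcr_required)
        return nonce + ct + self._mac(b"tag", nonce + ct)

    def unseal(self, sealed: bytes):
        """Release Blob only if Current PCR == PCR' and COUNTER < N."""
        nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", nonce + ct)):
            return None                    # Blob' was modified outside the TPM
        plain = self._xor_stream(nonce, ct)
        if plain[-20:] != self.pcr or self.counter >= self.n:
            return None                    # wrong platform state, or uses exhausted
        self.counter += 1
        return plain[:-20]
```

Sealing a key to the PCR value after a known-good boot means that extending the PCR with any further or different measurement makes `unseal` return `None`, and the counter check caps the number of successful releases at N.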

slide-20
SLIDE 20

Trusted Software Stack (TSS)

  • Standard API for accessing functions of the TPM
  • OS Agnostic

http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification

slide-21
SLIDE 21

DATABASE

SERVER TRUSTED HW

6000 PCI 4764/65 SafeXcel

  • Trusted by the clients
  • Performs or aids query processing
  • Can provide Tamper Proofing / Detection
  • Supports Cryptographic functions (software or hardware based)
  • Commonly used as accelerators

Trusted Hardware : Introduction


slide-22
SLIDE 22

IBM 4764

Function (OpenSSL 0.9.7f) | Context    | IBM 4764 (per second) | P4 @ 3.4 GHz (per second)
RSA signature             | 1024 bits  | 848                   | 261
                          | 2048 bits  | 316 – 470             | 43
RSA verification          | 1024 bits  | 1157 – 1242           | 5324
                          | 2048 bits  | 976 – 1087            | 1613
SHA-1                     | 1 KB       | 1.42 MB               | 80 MB
                          | 64 KB      | 18.6 MB               | 120+ MB
                          | 1 MB       | 21 – 24 MB            |
3 DES                     | 1 KB       | 1.08 MB               | 18 MB
                          | 64 KB      | 7.73 MB               | 17 MB
                          | 1 MB       | 8.56 MB               | 15 MB
AES 128                   | 1 KB       | 14+ MB                | 100+ MB
DMA xfer                  | end-to-end | 75 – 90 MB            | 1+ GB

IBM 4764 hardware:

  • Processor: 233 MHz PowerPC
  • Memory: 32 MB
  • Crypto H/W engines: AES256, DES, TDES, DSS, SHA-1, MD5, RSA

  • Tamper resistant and responsive design, FIPS level 4 certified
  • Limited resources
  • Synchronous communication channel with host
  • Hardware crypto engine

Trusted Hardware : Benefits & Limitations


slide-23
SLIDE 23

SCPU - 4764

  • TrustedDB – Layer 3: PKTDB, SKTDB, KDATA
  • OS – Layer 2: PKOS, SKOS
  • Miniboot 1 – Layer 1: PKDEV, SKDEV
  • Miniboot 0 – Layer 0: PKMAN, SKMAN

CLIENT

PKCMAN KDATA

  • 1. Request
  • 2. OA Certificate
  • 3. OA Certificate

PKTDB H(L3CODE)

SKOS

PKOS H(L2CODE) PKDEV H(L1CODE)

SKMAN

PKMAN H(L0CODE)

SKDEV SKCMAN

Outbound Authentication Certificate

  • PKA : Public Key of A
  • SKA : Private Key of A
  • H(M) : Hash of message M

Outbound Authentication [Smith et. al]

SIGMOD 2011 : TrustedDB

slide-24
SLIDE 24

Thank you

Sumeet Bajaj sbajaj@cs.stonybrook.edu

9 Feb 2011 CSE 408