TPM: Trusted Platform Module Sumeet Bajaj sbajaj@cs.stonybrook.edu - PowerPoint PPT Presentation

TPM: Trusted Platform Module Sumeet Bajaj sbajaj@cs.stonybrook.edu 9 Feb 2011 CSE 408

Introduction verification request verification data Verifier Platform Attestation of Remote Platform • Identify specific platform • Verify software stack on remote platform

Use Case Corporate Network Connect Verify user system

TPM Trusted Platform Module • Secure crypto-processor Uses • Remote Attestation • Binding, Sealing : Data encryption Applications • Platform Integrity • Disk Encryption • Password Protection • Digital Rights Management • Software Licenses verification request verification data TPM deployed Platform Verifier on remote platform

TPM Specification TPM Specification Design Structure Commands No TPMS China, Russia, Belarus, Kazakhstan TPM Chips

TPM Example 300 Million PCs have shipped with a chip called the Trusted Platform Module (TPM)

TPM Specification v1.1 (184 pages) • FIPS 140-2 certification. • Commands for all operations, e.g. Key generation, PCR extension • Processes for Key generation & management • Cryptographic processes e.g. Random number generation • TPM Architecture • TPM operation including initialization, self-test modes, startup, enabling, disabling etc FIPS 140-2 Level 1 The lowest, imposes very limited requirements; loosely, all components must be "production-grade" FIPS 140-2 Level 2 Adds requirements for physical tamper-evidence and role-based authentication. FIPS 140-2 Level 3 Adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces. FIPS 140-2 Level 4 Makes the physical security requirements more stringent, and requires robustness against environmental attacks. FIPS: Federal Information Processing Standard

TPM Architecture

PCR (Platform Configuration Register) PCR 160 bits • Minimum of 16 PCRs • Store integrity metrics • Avoid overwriting PCRi New = HASH ( PCRi Old value || value to add) • Unlimited number of measurements • Measurements are ordered • If disable extending PCR still works, but return 0s Problem! Scale, collusion

TCG Boot Process Platform Application Operating PCR_Extend(n, <APP CODE>) PCR4 = H(PCR3 || <APP Code>) System MBR/OS Loader PCR_Extend(n, <OS CODE>) PCR3 = H(PCR2 || <OS Code>) BIOS PCR_Extend(n, <MBR CODE>) PCR2 = H(PCR1 || <MBRCode>) BIOS Boot Block PCR1 = H(PCR0 || <BIOS Code>) PCR_Extend(n, <BIOS CODE>) PCR0 = 0 H : SHA-1

Root of Trust Root of Trust in Integrity Measurement BIOS Boot MBR/OS Operating BIOS Application Block Loader System Measuring Extending PCS Root of Trust in Integrity Reporting

Simple Attestation Method Platform 4) Cert{PK AIK } SK TPM , {PCR}SK AIK Application A Verifier (PK TPM ) generates PK A & SK A 5) verifies the signature 6) looks up #A in DB 7) 3) Cert{PK AIK }SK TPM 1) Read_PCR ... {PCR}SK AIK Lookup PCR “ok” TPM 2) {PCR} SK AIK PK TPM & SK TPM DB (Endorsement key) PK AIK & SK AIK (Attestation Identity Key) Problem! EK is one-time unique per TPM Does not protect user privacy AIK can be used anew for each attestation

Solution : Single key pair for all TPMs TPM SK TPM Manufacturer TPM Verifier SK TPM PK TPM & SK TPM …….. TPM SK TPM Problem! Identify legitimate TPMs from fake

Solution : Certificate Authority (TPM v1.1) Privacy Certification 2. Searches PK TPM Authority (CA) PK TPM1 & SK TPM1 PK TPM2 & SK TPM2 ……….. 1. Cert{PK AIK } SK TPM PK TPMn & SK TPMn TPM Remove rogue TPM key from list PK TPM & SK TPM 3. Cert{PK AIK } SK CA (Endorsement key) PK AIK & SK AIK Verifier 4. Verification Request (Attestation key) 5. Cert{PK AIK } SK CA Problem! Scale, collusion

Direct Anonymous Attestation (DAA) – TPM Spec 1.2 • Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP) • Based on Camenisch-Lysyanskaya anonymous credential system Direct : Without a TTP Anonymous : Does not reveal signer’s identity Can tell SK AIK1 is from a TPM Attestation : claim from a TPM But not which one Verifier1 DAA{SK AIK1 } TPM Cannot tell if SK AIK1 & SK AIK12 Are from the same TPM SK AIK1 Can tell SK AIK2 is from a TPM But not which one SK AIK2 Verifier2 DAA{SK AIK2 }

Direct Anonymous Attestation (Join) TPM Issuer Commit to Proves that Signature on DAA certificate Secret Public Derive from issuer’s name by TPM

Direct Anonymous Attestation (Verification) Zero knowledge proof protocol TPM proves it knows Verifier1 TPM TPM Proves the exponent is related • Used for blacklisting • Used for linking transactions from the same TPM

Secure Storage SK ENC TPM_Seal (Blob, PCR’) Stores Blob’ Blob’ = {Blob || PCR’} SK ENC TPM_UnSeal (Blob’) Checks if Current PCR = PCR’ in Blob If true Blob = Decrypt{Blob’} SK ENC If false return failure • OS & Apps sealed with MBR’s PCR • Seal Web Server’s SSL Key • Microsoft BitLocker • Blob size is 256 bytes

DRM – E.g. using TPM counters Application : Media Player SK ENC, COUNTER = 0 TPM_Seal (Blob, PCR’) Stores Blob’ Blob’ = {Blob || PCR’} SK ENC TPM_UnSeal (Blob’) Checks if Current PCR = PCR’ in Blob If true Blob = Decrypt{Blob’} SK ENC && COUNTER < N COUNTER++ If false return failure • Music can be played for 30 days only

Trusted Software Stack (TSS) • Standard API for accessing functions of the TPM • OS Agnostic http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification

Trusted Hardware : Introduction 6000 PCI 4764/65 SafeXcel Trusted by the clients Performs or aids query processing DATABASE Can provide Tamper Proofing / Detection Supports Cryptographic functions (software or hardware based) SERVER TRUSTED HW Commonly used as accelerators 21

Trusted Hardware : Benefits & Limitations Processor 233 MHz PowerPC Memory 32 MB Crypto H/W AES256, DES, TDES, DSS, SHA-1, engines MD5, RSA IBM 4764 Function Context IBM 4764 P4 @ 3.4 GHz (OpenSSL 0.9.7f) (per second) (per second) Tamper resistant and RSA signature 1024 bits 848 261 2048 bits 316 – 470 43 responsive design, FIPS level 4 RSA verification 1024 bits 1157 – 1242 5324 certified 2048 bits 976-1087 1613 SHA-1 1 KB 1.42 MB 80 MB Limited resources 64 KB 18.6 MB 120 + MB 1 MB 21 – 24 MB 3 DES 1 KB 1.08 MB 18 MB Synchronous communication 64 KB 7.73 MB 17 MB channel with host 1 MB 8.56 MB 15 MB AES 128 1 KB 14+ MB 100+ MB Hardware crypto engine DMA xfer end-to-end 75 – 90 MB 1+ GB 22

Outbound Authentication [Smith et. al] 1. Request CLIENT TrustedDB – Layer 3 2. OA Certificate PK CMAN PK TDB SK TDB K DATA K DATA OS – Layer 2 3. OA Certificate PK OS SK OS Miniboot 1 – Layer 1 PK TDB H(L3 CODE ) SK OS PK DEV SK DEV PK OS H(L2 CODE ) SK DEV Miniboot 0 – Layer 0 PK DEV H(L1 CODE ) PK MAN SK MAN SK MAN PK MAN H(L0 CODE ) SCPU - 4764 SK CMAN PK A : Public Key of A SK A : Private Key of A Outbound Authentication Certificate H(M) : Hash of message M SIGMOD 2011 : TrustedDB 23

Thankyou Sumeet Bajaj sbajaj@cs.stonybrook.edu 9 Feb 2011 CSE 408