Page 1
On-board Credentials
N. Asokan
Nokia Research Center, Helsinki
Joint work with Jan-Erik Ekberg, Kari Kostiainen, Pekka Laitinen, Aarne Rantala (VTT)
Padova, July 2012
Page 2
Outline
• On-board Credentials (ObCs): What and Why
• ObC Architecture
• Secure Provisioning of ObCs
• Instantiations of the Architecture
• Deployment Considerations
• ObCs in Action
• Status
© 2007-2012 Nokia, ObC-overview-public-for-researchers-jul2012 NA, JEE, KKo 2
Page 3
On-board Credentials: What and Why
Page 4
On-board Credentials (ObCs)
A credential platform that leverages on-board trusted execution environments
Secure yet inexpensive, and open
Page 5
On-board user credentials: what and why
SW-only credentials
• Easy, cheap, flexible
• Insecure
Dedicated HW credentials
• Secure, intuitive
• Expensive, inflexible, single-purpose
On-board Credentials: like multi-application smartcards, but without issuer control.
Page 6
On-board user credentials: design goals
• Credential programs can be executed securely
  • Use a trusted execution environment (TEE)
• Credential secrets can be stored securely
  • Use a device-specific secret in TEE for secure storage
• Anyone can create and use new credential types
  • Need a security model to strongly isolate credential programs from one another
  • Avoid the need for centralized certification of credential programs
• Anyone can provision credential secrets securely to a credential program
  • Need a mechanism to create a secure channel to the credential program
  • (certified) device keypair; unique identification for credential programs
• Protection of asymmetric credentials is attestable to anyone
  • Anyone can verify that a private key is protected by the TEE
Credential = program + secret
Page 7
ObC Architecture
Page 8
ObC Architecture
On Trusted Execution Environments (TEEs) with
• Secure execution (within TEE)
• Secure storage (secret key OPK in TEE)
• Certified device keypair (PKdev/SKdev in TEE)
• Source of randomness
[Diagram: the Device OS sits above a TEE that holds OPK, SKdev and a Crypto Library]
Page 9
ObC Architecture
On Trusted Execution Environments (TEEs) with
• Secure execution within TEE
• Secure storage (at least a secret key OPK in TEE)
• Certified device keypair (PKdev/SKdev in TEE)
• Source of randomness
[Diagram: Client Applications in the Device OS use the Credentials Manager API; the Credentials Manager, with its Credentials Database, Provisioning and Secure UI, drives the Interpreter, Provisioning and Crypto Library inside the TEE, which holds OPK, SKdev (device certification), the ObC programs and the ObC Secrets]
Credential = program + secret
More in ACM ASIACCS ‘09 paper
Example ObC program (comments added to the deck's listing; the ObC language is Lua-like):
    function main()
      read_array(IO_PLAIN_RW, 0, data)     -- data: plaintext input from I/O slot 0
      read_array(IO_SEALED_RW, 1, key)     -- key: secret from sealed I/O slot 1 (unsealed when the program is loaded)
      aesenc(cipher, data, key)            -- cipher = AES encryption of data under key, via the Crypto Library
      write_array(IO_PLAIN_RW, 0, cipher)  -- return the ciphertext in plaintext I/O slot 0
      return 0
    end
Page 10
Isolation of ObC Programs
Isolating the platform from programs
• Constraining the program counter, duration of execution, …
Isolating programs from one another
• Only one ObC program can execute at a time
• An ObC program can “seal” data for itself
  • Sealing key is different for every independent ObC program
  • Sealing-key = KDF(OPK, program-hash)
• A program can invoke functions like “seal(data)” (unsealing happens automatically on program loading)
Page 11
Secure Provisioning of ObCs
Page 12
Requirements for Provisioning Credential Secrets
• Provisioning protocols typically focus on user authentication only
  • CT-KIP, Open Mobile Alliance Device Management (OMA DM), …
• IETF keyprov working group is defining Dynamic Symmetric Key Provisioning Protocol (DSKPP)
  • Allows device authentication as well
• We need more…
  • provision a key so that it can be accessed by specific credential programs
• Subject to…
  • “Anyone can provision credential secrets securely to a credential program”
  • Support for multiple versions of credential programs
  • Support for several co-operating credential programs
Page 13
Provisioning credential secrets (1/4)
Basic Idea: the notion of a family of credential secrets and credential programs endorsed to use them
[Diagram: a family root key RK ties together the family secrets and the family programs]
Page 14
Provisioning credential secrets (2/4)
• Provision a family root key to the device
  • using authentic device public key PKDev
• Transfer encrypted credential secrets
  • using authenticated encryption (AES-EAX) with RK
• Endorse credential programs for family membership
  • Program ID is a cryptographic hash of program text
  • using authenticated encryption (AES-EAX) with RK
[Diagram: three provisioning messages: ObCP/Init carries the Family Root Key RK under PKDev; ObCP/Xfer carries the credential secret data under RK; ObCP/Endorse carries the credential ProgramID under RK]
Page 15
Provisioning credential secrets (3/4)
• Anyone can define a family by provisioning a root key (“Same Origin” policy)
• Multiple credential secrets and programs can be added to a family
• Credential Programs can be encrypted as well
[Diagram: a second family root key RK’ with ObCP/Xfer messages carrying both a secret and a program]
Page 16
Provisioning credential secrets (4/4)
Credential issuer (knows PKD, CertD):
• Verifies CertD, creates new RK
• Init = Enc(PKD, RK)
• Xfer = AE(RK, secret)
• Endorsement = AE(RK, hash(program))
• Sends Init, Xfer, Endorsement to the device
Device (ObC Provisioning inside the TEE, holding OPK and SKD, using the Crypto Library):
• LFK = KDF(RK, OPK)
• LEK = KDF(OPK, hash(program))
• ET = AE(LEK, LFK)
[Diagram: the ObC Secret and ET are stored in the Device OS; the ObC Secret is shown with RK and LFK, and LFK reaches the ObC programs through the ObC Interpreter]
PKD/SKD = device keypair
CertD = manufacturer certificate for PKD
RK = family root key
LFK = local family key
LEK = local endorsement key
ET = endorsement token
Enc = public key encryption
AE = authenticated encryption
KDF = key derivation function
Separating provisioning from use: No public key operations by the Interpreter during credential use
More in ACM ASIACCS ‘09 paper
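The provisioning flow of pages 14 to 16 and the per-program sealing key of page 10, worked end to end as an added example (not code from the deck or from the ObC project). It assumes HMAC-SHA256 as the KDF, AES-256-GCM in place of AES-EAX, RSA-OAEP as Enc, SHA-256 as the program hash, and that the device re-seals the received secret under LFK before storing it; the Bundle, Device and UnsealFor names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// kdf stands in for the deck's KDF(key, input); HMAC-SHA256 is an assumed substitute.
func kdf(key, input []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(input)
	return m.Sum(nil)
}

// ae/ad stand in for AE(k, m): AES-256-GCM with the nonce prepended, instead of AES-EAX.
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
func ae(key, msg []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, g.Seal(nil, nonce, msg, nil)...), nil
}
func ad(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Bundle carries the three provisioning messages: ObCP/Init, ObCP/Xfer, ObCP/Endorse.
type Bundle struct{ Init, Xfer, Endorsement []byte }

// IssuerProvision is the credential issuer's side (CertD verification not modelled):
// fresh RK, Init = Enc(PKD, RK), Xfer = AE(RK, secret), Endorsement = AE(RK, hash(program)).
func IssuerProvision(pkd *rsa.PublicKey, secret, program []byte) (Bundle, error) {
	rk := make([]byte, 32)
	if _, err := rand.Read(rk); err != nil { return Bundle{}, err }
	initMsg, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pkd, rk, nil)
	if err != nil { return Bundle{}, err }
	xfer, err := ae(rk, secret)
	if err != nil { return Bundle{}, err }
	h := sha256.Sum256(program)
	endo, err := ae(rk, h[:])
	if err != nil { return Bundle{}, err }
	return Bundle{initMsg, xfer, endo}, nil
}
// Device models the TEE side. SKD and OPK never leave it; the credentials database
// holds only the ObC secret re-sealed under LFK and one endorsement token per program.
type Device struct {
	skd        *rsa.PrivateKey
	opk        []byte
	secretBlob []byte            // AE(LFK, secret)
	tokens     map[string][]byte // hash(program) -> ET = AE(LEK, LFK)
}
func NewDevice() (*Device, error) {
	skd, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	opk := make([]byte, 32)
	if _, err := rand.Read(opk); err != nil { return nil, err }
	return &Device{skd: skd, opk: opk, tokens: map[string][]byte{}}, nil
}
func (d *Device) PublicKey() *rsa.PublicKey { return &d.skd.PublicKey }

// Provision runs ObCP/Init, ObCP/Xfer and ObCP/Endorse inside the TEE. The only public
// key operation, the OAEP decryption of Init, happens here at provisioning time.
func (d *Device) Provision(b Bundle) error {
	rk, err := rsa.DecryptOAEP(sha256.New(), nil, d.skd, b.Init, nil)
	if err != nil { return err }
	lfk := kdf(rk, d.opk) // LFK = KDF(RK, OPK)
	secret, err := ad(rk, b.Xfer)
	if err != nil { return err }
	if d.secretBlob, err = ae(lfk, secret); err != nil { return err } // assumed: re-seal under LFK
	ph, err := ad(rk, b.Endorsement) // hash(program) endorsed by the issuer
	if err != nil { return err }
	et, err := ae(kdf(d.opk, ph), lfk) // LEK = KDF(OPK, hash(program)); ET = AE(LEK, LFK)
	if err != nil { return err }
	d.tokens[string(ph)] = et
	return nil
}

// UnsealFor models the Interpreter loading a program at credential use: symmetric
// operations only. A program that was not endorsed has no ET and derives a different LEK.
func (d *Device) UnsealFor(program []byte) ([]byte, error) {
	h := sha256.Sum256(program)
	et, ok := d.tokens[string(h[:])]
	if !ok { return nil, errors.New("program not endorsed for this family") }
	lfk, err := ad(kdf(d.opk, h[:]), et)
	if err != nil { return nil, err }
	return ad(lfk, d.secretBlob)
}
```

A tampered Endorsement or Xfer fails authenticated decryption at provisioning, so a secret can only ever be bound to the program hashes the issuer actually endorsed.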
Page 17
Asymmetric ObCs
Message sequence between the Client Application, the Credential Manager and the Provisioning Server E:
1. Client Application → Credential Manager: CreateKeyPair(..); returns credID
2. Client Application → Credential Manager: GetPK(credID); returns PK
3. Client Application → Credential Manager: GetKeyPairAttestation(credID); returns SKAE for PK
4. Client Application → Provisioning Server E: PK, SKAE, CertD
5. Provisioning Server E → Client Application: Cert = SigSKE(PK, …)
6. Client Application → Credential Manager: importCert(credID, Cert)
7. Client Application → Credential Manager: SignMessage(credID, msg, ..); returns Sig
CertD (Device certificate): Certificate for PKD issued by manufacturer
SKAE (Subject Key Attestation Evidence) for PK: Signature on PK issued by SKD, attesting that SK is within the TEE
”Key Attestation from Trusted Execution Environments”, Kostiainen et al, TRUST 2010
Page 18
Instantiations of the Architecture
Page 19
M-Shield™: Example hardware TEE #1
M-Shield provides
• Secure boot
• Chip-specific secret key (e-fuse)
• Secure execution of certified “Protected Applications” (PAs)
• On-chip RAM for PAs
• … (hardware RNG, crypto accelerators, …)
http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf
Page 20
ObC on Symbian/M-Shield secure h/w (2007-2009)
• M-Shield secure boot used for validation of OS
• Interpreter, Provisioning subsystem are PAs
  • Use on-chip RAM
• OPK from chip-specific secret
• Device key pair
  • generated by Prov. PA
  • protected by chip-specific secret key
  • [certified by manufacturer]
[Diagram: Client Applications on Symbian OS use the Credentials Manager API; the Credentials Manager with its ObC Database talks to the M-Shield TEE, which runs the Interpreter PA (hosting the ObC programs), the NoPPA PA, the Prov. PA, the RSA PA, … and holds OPK, SKdev and the Crypto Library]
Page 21
TPM: Example hardware TEE #2
TPM provides
• Authenticated boot
  • Components during boot measured and recorded in Registers (PCRs) within TPM
  • A set of PCR values = a “configuration”
• Secure storage for keys bound to a specific configuration
• Ability to seal arbitrary data bound to a specific configuration
• Secure execution of selected cryptographic operations
• … (remote attestation, …)
Page 22
ObC using Linux/TPM (2006, 2009)
• Interpreter in kernel module on InitRD
• KeyInitializer in InitRD creates OPK on first use and seals for current configuration
• KeyInitializer unseals OPK on subsequent invocations.
• Security of execution improved using dynamic root of trust (2009): Flicker “PAL” instead of kernel module.
MSc thesis work: http://asokan.org/asokan/research/Aish-Thesis-final.pdf
[Diagram: Client Applications and the Credentials Manager with its Credentials Database in Linux user space; the Interpreter (with the ObC programs and Crypto Library) and OPK in a Linux kernel module / PAL; the Key Initializer in the InitRD creates OPK and seals it to the PCR values under a Storage Key in the Trusted Platform Module, which protects the sealed OPK; the Interpreter loads the unsealed OPK]
Page 23
ObC on Maemo/TrustZone secure h/w (2009-2010)
[Diagram: Client Applications, each in its own process, use the Credentials Manager API, the Qt API (libDeviceEngine.so, libKeyPairEngine.so) or the low level C API (libacclib.so), all served by the ObC Daemon (obcsrv) with a device specific ObC Database and app specific ObC Databases in Linux user space; the BB5 Security Driver in Linux kernel space bridges to the TrustZone TEE, which runs the Interpreter PA (hosting the ObC programs), the NOPPA PA, the Prov. PA, the RSA PA, … and holds OPK, SKdev and the Crypto Library]
Page 24
ObC for other platforms
• ObC for MeeGo Harmattan (N9) available in partially emulated mode (see later)
• Other platforms in the works...
Page 25
Deployment considerations
Skip to “ObCs in action”
Page 26
1. ObC: Full use of secure hardware
• ObC secret and algorithm (ObC program) protected by hw TEE
• PKDev to protect provisioning or attestation
• Secrets not accessible to OS
  • Cannot be copied between devices
  • Hardware attack typically destructive and device-specific
• Encrypted secret stored in Credentials Manager database
  • Can be backed up
• Example: Recent off-the-shelf Symbian devices (N8 and newer, OS version Anna and later)
[Diagram: Client Application and Credentials Manager with its DB in the OS; ObC Program, Interpreter, Provisioning subsystem and Crypto Lib inside the HW TEE holding OPK and SKDEV, below the process boundary (ring 0); provisioning/enrollment protocol to a Provisioning server and an Authentication server]
Page 27
2. ObC: Partial use of secure hardware
• ObC PAs emulated in the Credential Manager (OS process)
• Secure HW used to enable secure storage and device authentication
• ObC program runtime execution protected by OS platform security
• Example: MeeGo Harmattan (N9)
[Diagram: ObC Program, Interpreter, Provisioning subsystem and Crypto Lib run inside the Credentials Manager process in the OS, alongside the Client Application and DB; the HW provides [secure boot +] device authentication, with SKDEV and OPK used only for encrypt/decrypt below the process boundary (ring 0); provisioning/enrollment protocol to a Provisioning server and an Authentication server]
Page 28
3. ObC: Fully emulated
• ObC PAs emulated in the Credential Manager (OS process)
• Secure HW may be used for secure boot
• Storage of ObC secrets and ObC program runtime execution protected by OS platform security
• No device authentication
• For debugging/development
[Diagram: ObC Program, Interpreter, Provisioning subsystem and Crypto Lib run inside the Credentials Manager process in the OS, alongside the Client Application and DB; SKDEV and OPK are held in the OS process; the HW provides [secure boot] only; provisioning/enrollment protocol to a Provisioning server and an Authentication server]
Page 29
ObC implementation supports all 3 variants
• Implementation contains code for emulating TEE PAs (interpreter+provisioning+crypto)
• Same software package can be installed in any device of the same type
  • automatically decides the variant to use
• (“PA” = “Protected Application” refers to code that runs in hardware TEE)
[Flowchart: Start → Try loading ObC PAs: ok → 3. Full use of h/w TEE; fail → Try using Crypto PA: ok → 2. Partial use of h/w TEE; fail → 1. Fully Emulated]
Page 30
ObCs in action
Page 31
Benefits of ObC
• Systematic means to expose useful TEE features (e.g., device authentication) to applications
• Portable programming platform over different chipset technologies for TEE code
• Means for 3rd-party development of credentials for TEE-equipped platforms
Page 32
ObC Features
• Custom Credentials: Secure key/code provisioning
• Built-in Credentials: Key attestation or Secure key Provisioning
• Application Authentication
• Content attestation
• Device Certification: Validate device platform
• Device Authentication: Platform authentication
• Secure user credentials
Page 33
Target usage scenarios: Platform Authentication
Prove to a third party (e.g., external server)
• Device authentication: identity of device
  • E.g., CAPTCHA-avoidance, Comes-with-XYZ
• Application authentication: identity of application/process
  • E.g., Extended Web Service APIs for trusted apps
• Content attestation: type of content
  • E.g., Enforcing driver distraction rules in MirrorLink
Page 34
Remote attestation problem
[Diagram: the Verifier asks the Attesting device “What kind of software are you running?”; the Attesting device answers “Here is a certified statement of my current configuration (~ ‘measurements’)”; the Verifier makes an access control decision]
Example: MirrorLink system
Attesting properties, rather than configuration, is more useful
Page 35
Traditional property-based attestation
Sadeghi and Stüble, Property-based attestation for computing platforms: caring about properties, not mechanisms. Workshop on New Security Paradigms, 2004.
• Trusted Authority: defines properties; defines mappings from measurements to properties; issues property certificates to the Attesting device
• Attesting device: measures software configuration; stores matching properties into registers; signs registers with certified key; sends signed properties and device certificate to the Verifier
• Verifier: verifies signature; checks properties against its list of properties
Page 36
Attestation protocol
Parties: Verifier; Attested application (holding SKA/PKA); TEE Attestation service (holding SKD, CertD and an Application Identifier → Property table: App1 → P1, P2; App2 → P3; … → …)
1. Verifier: pick random nonce n; send n to the Attested application
2. Attested application: pick property p to attest; call Attest(n, p, PKA), which the service treats as Attest(n, p || Hash(PKA))
3. Attestation service: check application identifier; verify property p; sig = Sign(SKD, n || p || Hash(PKA)); return sig, CertD
4. Attested application → Verifier: p, sig, CertD, PKA
5. Verifier: verify CertD and sig; check property p; save PKA
6. Attested application → Verifier (later): appData, appSig, where appSig = Sign(SKA, appData)
7. Verifier: verify appSig
”Practical property-based attestation”, Kostiainen et al, TRUST 2011
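The attestation exchange above, as an added example that is not code from the deck or from the TRUST 2011 paper. It assumes Ed25519 for SKD/PKD, SKA/PKA and a manufacturer key, models CertD as a manufacturer signature over PKD rather than an X.509 certificate, and takes the application identifier as an argument the platform supplies to the service; the type and function names are mine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const nonceLen = 16

// DeviceCert models CertD: the manufacturer's signature over PKD (not a real X.509 certificate).
type DeviceCert struct {
	PKD ed25519.PublicKey
	Sig []byte
}

// AttestationService is the TEE-resident service holding SKD, CertD and the
// Application Identifier -> Property table from the slide (constructed values in Setup).
type AttestationService struct {
	skd   ed25519.PrivateKey
	cert  DeviceCert
	props map[string][]string
}

// statement encodes n || p || Hash(PKA); n and the hash are fixed-length, so the
// variable-length p cannot be confused with either neighbour.
func statement(n, p []byte, pka ed25519.PublicKey) []byte {
	h := sha256.Sum256(pka)
	return bytes.Join([][]byte{n, p, h[:]}, nil)
}

// Attest implements Attest(n, p, PKA). appID is what the platform tells the service about
// the calling process (assumed interface); the service checks it against the table.
func (s *AttestationService) Attest(appID string, n, p []byte, pka ed25519.PublicKey) ([]byte, DeviceCert, error) {
	if len(n) != nonceLen {
		return nil, DeviceCert{}, errors.New("bad nonce length")
	}
	held := false
	for _, q := range s.props[appID] {
		held = held || q == string(p)
	}
	if !held {
		return nil, DeviceCert{}, errors.New("application does not hold property " + string(p))
	}
	return ed25519.Sign(s.skd, statement(n, p, pka)), s.cert, nil
}

// Verifier trusts only the manufacturer key; it learns PKD from CertD.
type Verifier struct {
	manufacturerPK ed25519.PublicKey
	nonce          []byte
	savedPKA       ed25519.PublicKey
}

// Challenge picks the random nonce n that the application must pass to Attest.
func (v *Verifier) Challenge() ([]byte, error) {
	v.nonce = make([]byte, nonceLen)
	_, err := rand.Read(v.nonce)
	return v.nonce, err
}

// CheckAttestation: verify CertD and sig, check that p is the required property, save PKA.
func (v *Verifier) CheckAttestation(p, sig []byte, cert DeviceCert, pka ed25519.PublicKey, required string) error {
	if !ed25519.Verify(v.manufacturerPK, cert.PKD, cert.Sig) {
		return errors.New("CertD not issued by manufacturer")
	}
	if v.nonce == nil || !ed25519.Verify(cert.PKD, statement(v.nonce, p, pka), sig) {
		return errors.New("attestation signature invalid for this nonce")
	}
	if string(p) != required {
		return errors.New("attested property is not the one required")
	}
	v.savedPKA, v.nonce = pka, nil // the nonce is single-use
	return nil
}

// CheckAppData verifies a later appSig = Sign(SKA, appData) with the PKA bound by attestation.
func (v *Verifier) CheckAppData(appData, appSig []byte) bool {
	return v.savedPKA != nil && ed25519.Verify(v.savedPKA, appData, appSig)
}

// Setup builds a manufacturer, one device and one verifier with constructed keys and table.
func Setup() (*AttestationService, *Verifier, error) {
	mpk, msk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pkd, skd, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	svc := &AttestationService{skd: skd, cert: DeviceCert{PKD: pkd, Sig: ed25519.Sign(msk, pkd)},
		props: map[string][]string{"App1": {"P1", "P2"}, "App2": {"P3"}}}
	return svc, &Verifier{manufacturerPK: mpk}, nil
}
```

Binding Hash(PKA) into the signed statement is what lets the verifier trust later appSig values without a second attestation round trip.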
Page 37
Target usage scenarios: User Credentials
• Problem: provide the means to securely provision and store user credentials to user’s personal device
• User benefits:
  • “no need for a bunch of different security tokens”;
  • “digital credentials provisioned easily” (http, e-mail, …)
• Transport ticketing
• “Soft” tokens: embedded SIM, embedded SecurID
• Phone-as-smartcard: use device-resident credentials from legacy PC apps (e.g., browsers, Outlook, VPN clients)
• Physical access control (opening doors)
• …
Page 38
An Example ObC: SecurID one-time password authentication
Joint research project with RSA security
Page 39
Phone as smartcard (PASC)
• Applications use public key (PK) cryptography via standard frameworks
  • Crypto API (Windows), Cryptoki (Linux, Mac), Unified Key/cert store (Symbian)
  • Agnostic to specific security tokens or how to communicate with them
Any PK-enabled smartcard can be used seamlessly with PK-aware applications!
What if a mobile phone can present itself as a PK-enabled smart card?
”Can hand-held computers still be better smartcards?”, Tamrakar et al, INTRUST 2010
Page 40
ObC Status
Page 41
ObC Status (1/2)
• Available on off-the-shelf Symbian devices
  • Development environment for ObC programs (Windows, Linux)
  • Credential Manager and interfaces (native, javascript)
  • Available under limited license agreement for research and testing
• Available as an installable software package for MeeGo (N9)
  • Can be distributed as part of the same LLA
• Other platforms in the works
Page 42
ObC Status (2/2)
• Related research
  • Support for piece-wise execution, sub-routines etc. (Ekberg et al, STC 2009 paper)
    • How to split up ObC programs into smaller pieces securely?
  • Considerations of implementing crypto primitives (Ekberg et al, TRUST 2012 paper)
    • Is authenticated encryption secure even in pipelined mode?
  • Credential Migration, backup/restore (Kostiainen et al, ACNS 2011 paper)
    • Balancing usability/security?
• Useful for several applications
  • Device authentication, financial services, secure messaging, …
  • Pragmatic means to solve otherwise hard privacy/security problems in distributed computing (e.g., secure multi-party computation)
Page 43
Limitations
• Open provisioning model
  • Liability and risk management
  • User interaction issues: e.g., Credential migration
• Certification and tamper resistance
  • Not comparable to high-end smart cards
• Will open-provisioning emerge as an alternative to centralized provisioning?
Page 44
Standing on the shoulders of giants
[Timeline 1970 to 2010 across three tracks, PC security, Mobile security and Smart card systems: Cambridge CAP, VAX/VMS, Protection rings, Reference monitor, Hardware-assisted secure boot, Trusted Platform Module (TPM), Late launch, Java security architecture, Mobile hardware security architectures, ARM TrustZone, TI M-Shield, MTM, Mobile OS security architectures, Simple smart cards, JavaCard platform, leading to On-board Credentials]
Page 45
Summary
• On-board Credentials platform
  • inexpensive
  • open
  • secure
• Open provisioning systems can be a viable alternative to traditional closed systems
• Available for you to build on
  • http://obc.nokiaresearch.com
• A step towards the vision of a personal trusted device
1. ”On-board Credentials: An Open Credential Platform for Mobile Devices”, Kari Kostiainen, Dr. Tech dissertation, Aalto University
2. Forthcoming Dr. Tech dissertation, Jan-Erik Ekberg, Aalto University
Page 46
How to make it possible to build trustworthy information protection mechanisms that are simultaneously easy-to-use and inexpensive to deploy while still guaranteeing sufficient protection?
[Diagram: a triangle with the corners Usability, Deployability/Cost and Security]