TPM: Trusted Platform Module
![Page 2: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/2.jpg)
Introduction
Verifier and Platform: the verifier sends a verification request, the platform answers with verification data.
Attestation of Remote Platform
• Identify specific platform
• Verify software stack on remote platform
![Page 3: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/3.jpg)
Use Case: verify a user system before it connects to the corporate network.
![Page 4: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/4.jpg)
TPM
Trusted Platform Module: a secure crypto-processor
Uses
• Remote Attestation
• Binding, Sealing: data encryption
Applications
• Platform Integrity
• Disk Encryption
• Password Protection
• Digital Rights Management
• Software Licenses
The verifier sends a verification request and receives verification data from the TPM deployed on the remote platform.
![Page 5: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/5.jpg)
TPM Specification
Design, Structure, Commands
TPM Chips
No TPMs: China, Russia, Belarus, Kazakhstan
![Page 6: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/6.jpg)
TPM Example
300 Million PCs have shipped with a chip called the Trusted Platform Module (TPM)
![Page 7: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/7.jpg)
TPM Specification v1.1 (184 pages)
• FIPS 140-2 certification
• Commands for all operations, e.g. key generation, PCR extension
• Processes for key generation & management
• Cryptographic processes, e.g. random number generation
• TPM architecture
• TPM operation, including initialization, self-test modes, startup, enabling, disabling, etc.
FIPS: Federal Information Processing Standard
FIPS 140-2 Level 1: the lowest, imposes very limited requirements; loosely, all components must be "production-grade".
FIPS 140-2 Level 2: adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3: adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
FIPS 140-2 Level 4: makes the physical security requirements more stringent, and requires robustness against environmental attacks.
![Page 8: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/8.jpg)
TPM Architecture
![Page 9: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/9.jpg)
PCR (Platform Configuration Register)
PCR: 160 bits (one SHA-1 digest)
PCR_i(new) = HASH(PCR_i(old) || value to add)
• Minimum of 16 PCRs
• Store integrity metrics
• Avoid overwriting
• Unlimited number of measurements
• Measurements are ordered
• If the TPM is disabled, extending a PCR still works, but the command returns zeros
![Page 10: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/10.jpg)
TCG Boot Process (Platform)
BIOS Boot Block, then BIOS, then MBR/OS Loader, then Operating System, then Application
PCR0 = 0
PCR_Extend(n, <BIOS CODE>): PCR1 = H(PCR0 || <BIOS Code>)
PCR_Extend(n, <MBR CODE>): PCR2 = H(PCR1 || <MBR Code>)
PCR_Extend(n, <OS CODE>): PCR3 = H(PCR2 || <OS Code>)
PCR_Extend(n, <APP CODE>): PCR4 = H(PCR3 || <APP Code>)
H : SHA-1
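The chain above is easiest to understand by running it. The following Go program is an added example, not code from the slides: it models a bank of 16 SHA-1 PCRs, extends one register through the four boot stages, and then does what a verifier does with the platform's measurement log, replaying it from zeros to check that it reproduces the reported PCR values. Two details differ from the slide's shorthand and are this example's own assumptions: the stages are extended into the same register (the slide labels the successive values PCR1..PCR4), and the value extended is the SHA-1 digest of the stage's code rather than the raw code, which is what a real TPM receives. The boot-stage contents are constructed strings.

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// PCRSize is the width of a TPM 1.2 PCR: one SHA-1 digest, 160 bits.
const PCRSize = sha1.Size

// Event is one entry of the measurement log the platform keeps beside the
// TPM: which PCR was extended, by which stage, with which digest.
type Event struct {
	Index  int
	Stage  string
	Digest [PCRSize]byte
}

// PCRBank models the registers; all 16 start as zeros at platform reset.
type PCRBank struct {
	regs [16][PCRSize]byte
	Log  []Event
}

// Measure computes the integrity metric of a boot stage. A real TPM is
// handed this digest, not the raw code, so every extend input has the
// same fixed size (assumption of this example, see lead-in).
func Measure(code []byte) [PCRSize]byte { return sha1.Sum(code) }

// Extend is the only operation that changes a PCR:
// PCR_new = SHA-1(PCR_old || measurement). It returns the new value.
func (b *PCRBank) Extend(idx int, stage string, code []byte) [PCRSize]byte {
	d := Measure(code)
	b.regs[idx] = sha1.Sum(append(b.regs[idx][:], d[:]...))
	b.Log = append(b.Log, Event{Index: idx, Stage: stage, Digest: d})
	return b.regs[idx]
}

// Values returns a copy of all registers, as Read_PCR would report them.
func (b *PCRBank) Values() [16][PCRSize]byte { return b.regs }

// ReplayLog is the verifier side: start from zeros, re-apply every logged
// extend, and obtain the PCR values the log claims to explain.
func ReplayLog(log []Event) [16][PCRSize]byte {
	var regs [16][PCRSize]byte
	for _, e := range log {
		regs[e.Index] = sha1.Sum(append(regs[e.Index][:], e.Digest[:]...))
	}
	return regs
}

// LogMatchesPCRs reports whether a log reproduces the PCRs a TPM reported.
// Any missing, altered or reordered entry changes the replayed value.
func LogMatchesPCRs(log []Event, reported [16][PCRSize]byte) bool {
	return ReplayLog(log) == reported
}

func main() {
	// Constructed stand-ins for the code of each boot stage.
	stages := []struct {
		name string
		code []byte
	}{
		{"BIOS", []byte("bios image v1")},
		{"MBR", []byte("mbr bootloader")},
		{"OS", []byte("kernel 5.x")},
		{"APP", []byte("media player")},
	}
	var good PCRBank
	for _, s := range stages {
		fmt.Printf("after %-4s PCR0 = %x\n", s.name, good.Extend(0, s.name, s.code))
	}
	fmt.Println("log replays to reported PCRs:", LogMatchesPCRs(good.Log, good.Values()))

	// Same stages, but the MBR was replaced: the final PCR differs, and the
	// honest log no longer explains the reported value.
	var bad PCRBank
	for _, s := range stages {
		code := s.code
		if s.name == "MBR" {
			code = []byte("modified bootloader")
		}
		bad.Extend(0, s.name, code)
	}
	fmt.Println("good log explains tampered PCRs:", LogMatchesPCRs(good.Log, bad.Values()))
}
```

The replay is the check a remote verifier performs on the event log that accompanies a quote: because extension is a hash chain, the log can be audited entry by entry, but it can only be trusted if the final value it reproduces is the one the TPM itself reports.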
![Page 11: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/11.jpg)
Root of Trust
BIOS Boot Block, then BIOS, then MBR/OS Loader, then Operating System, then Application
Root of Trust in Integrity Measurement: measuring each stage and extending PCRs
Root of Trust in Integrity Reporting
![Page 12: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/12.jpg)
Simple Attestation Method
Platform / TPM
• PK_TPM & SK_TPM (Endorsement Key, EK)
• PK_AIK & SK_AIK (Attestation Identity Key, AIK)
• Application A generates PK_A & SK_A
Verifier
• Holds PK_TPM and a DB of known-good PCR values
1) Read_PCR
2) {PCR} SK_AIK
3) Cert{PK_AIK} SK_TPM, {PCR} SK_AIK
4) Cert{PK_AIK} SK_TPM, {PCR} SK_AIK (sent to the verifier)
5) Verifier verifies the signature
6) Verifier looks up #A in DB
7) ...
Lookup PCR "ok"
Problem! Does not protect user privacy: the EK is one-time unique per TPM; an AIK can be used anew for each attestation.
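Steps 1 through 6 of the simple method, as an added Go example that is not part of the slides. The EK and AIK are RSA key pairs, Cert{PK_AIK}SK_TPM is an RSA-PSS signature by the EK over the encoded AIK public key, and the quote is a signature by the AIK over a verifier-chosen nonce together with the PCR values. The nonce, the RSA-PSS scheme and the SHA-256 digests are this example's choices (real TPM 1.2 quote structures differ); the PCR contents and the database entry are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// PCRValue is one 160-bit register (SHA-1 width, as in TPM 1.2).
type PCRValue [sha1.Size]byte

// Quote is the "verification data" the platform returns: the PCR values,
// the verifier's nonce, and a signature over both made with SK_AIK.
type Quote struct {
	PCRs  []PCRValue
	Nonce []byte
	Sig   []byte
}

// quoteDigest fixes exactly which bytes SK_AIK signs.
func quoteDigest(nonce []byte, pcrs []PCRValue) []byte {
	h := sha256.New()
	h.Write(nonce)
	for _, p := range pcrs {
		h.Write(p[:])
	}
	return h.Sum(nil)
}

// CompositeHash is the database key: one digest over the whole PCR set.
func CompositeHash(pcrs []PCRValue) [32]byte {
	var out [32]byte
	copy(out[:], quoteDigest(nil, pcrs))
	return out
}

// CertifyAIK is the slide's Cert{PK_AIK}SK_TPM: the endorsement key signs
// the attestation identity key so a verifier can tie the AIK to a real TPM.
func CertifyAIK(ek *rsa.PrivateKey, aikPub *rsa.PublicKey) ([]byte, error) {
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(aikPub))
	return rsa.SignPSS(rand.Reader, ek, crypto.SHA256, d[:], nil)
}

// MakeQuote is steps 1 and 2: Read_PCR, then {nonce, PCR}SK_AIK.
func MakeQuote(aik *rsa.PrivateKey, pcrs []PCRValue, nonce []byte) (Quote, error) {
	sig, err := rsa.SignPSS(rand.Reader, aik, crypto.SHA256, quoteDigest(nonce, pcrs), nil)
	if err != nil {
		return Quote{}, err
	}
	return Quote{PCRs: pcrs, Nonce: nonce, Sig: sig}, nil
}

// Verify is steps 5 and 6 on the verifier: check Cert{PK_AIK}SK_TPM with
// PK_TPM, insist on our own nonce so an old quote cannot be replayed,
// check the quote signature with PK_AIK, then look the PCRs up in the DB.
func Verify(pkTPM, pkAIK *rsa.PublicKey, aikCert []byte, q Quote, nonce []byte, db map[[32]byte]string) (string, error) {
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(pkAIK))
	if err := rsa.VerifyPSS(pkTPM, crypto.SHA256, d[:], aikCert, nil); err != nil {
		return "", errors.New("AIK certificate was not signed by this TPM's EK")
	}
	if !bytes.Equal(q.Nonce, nonce) {
		return "", errors.New("nonce mismatch: stale or replayed quote")
	}
	if err := rsa.VerifyPSS(pkAIK, crypto.SHA256, quoteDigest(q.Nonce, q.PCRs), q.Sig, nil); err != nil {
		return "", errors.New("quote signature does not verify under PK_AIK")
	}
	label, ok := db[CompositeHash(q.PCRs)]
	if !ok {
		return "", errors.New("PCR values are not a known-good configuration")
	}
	return label, nil
}

func main() {
	ek, _ := rsa.GenerateKey(rand.Reader, 2048)  // SK_TPM / PK_TPM
	aik, _ := rsa.GenerateKey(rand.Reader, 2048) // SK_AIK / PK_AIK
	aikCert, _ := CertifyAIK(ek, &aik.PublicKey)

	// Constructed PCR contents standing in for a measured boot.
	pcrs := []PCRValue{sha1.Sum([]byte("bios")), sha1.Sum([]byte("os"))}
	db := map[[32]byte]string{CompositeHash(pcrs): "approved corporate image"}

	nonce := make([]byte, 20)
	rand.Read(nonce)
	q, _ := MakeQuote(aik, pcrs, nonce)
	fmt.Println(Verify(&ek.PublicKey, &aik.PublicKey, aikCert, q, nonce, db))

	// A platform running unknown software produces a quote whose PCRs are
	// not in the database, even though its signature is valid.
	rogue, _ := MakeQuote(aik, []PCRValue{sha1.Sum([]byte("unknown"))}, nonce)
	fmt.Println(Verify(&ek.PublicKey, &aik.PublicKey, aikCert, rogue, nonce, db))
}
```

The privacy problem the slide raises is visible in Verify's first line: the verifier needs PK_TPM, the one key that is unique to this TPM, so every attestation can be tied back to the same device.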
![Page 13: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/13.jpg)
Solution: Single key pair for all TPMs
Manufacturer holds PK_TPM & SK_TPM; every TPM (TPM 1, TPM 2, ...) carries the same SK_TPM; the verifier holds the one PK_TPM.
Problem! Cannot distinguish legitimate TPMs from fake ones
![Page 14: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/14.jpg)
Solution: Certificate Authority (TPM v1.1)
TPM: PK_TPM & SK_TPM (Endorsement Key); PK_AIK & SK_AIK (Attestation Key)
Privacy Certification Authority (CA): list of PK_TPM1 & SK_TPM1, PK_TPM2 & SK_TPM2, ..., PK_TPMn & SK_TPMn
Verifier
1. Cert{PK_AIK} SK_TPM (TPM to CA)
2. CA searches its list for PK_TPM
3. Cert{PK_AIK} SK_CA (CA to TPM)
4. Verification request (Verifier to TPM)
5. Cert{PK_AIK} SK_CA (TPM to Verifier)
A rogue TPM key can be removed from the CA's list.
Problem! Scale, collusion
![Page 15: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/15.jpg)
Direct Anonymous Attestation (DAA) – TPM Spec 1.2
• Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP)
• Based on the Camenisch-Lysyanskaya anonymous credential system
Direct: without a TTP (trusted third party)
Anonymous: does not reveal the signer's identity
Attestation: a claim from a TPM
The TPM sends DAA{SK_AIK1} to Verifier1 and DAA{SK_AIK2} to Verifier2.
Verifier1 can tell SK_AIK1 is from a TPM, but not which one.
Verifier2 can tell SK_AIK2 is from a TPM, but not which one.
Cannot tell whether SK_AIK1 & SK_AIK2 are from the same TPM.
![Page 16: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/16.jpg)
Direct Anonymous Attestation (Join)
TPM Issuer Commit to
Derive from issuer’s name by TPM
Proves that
Signature on
Secret
Public
DAA certificate
![Page 17: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/17.jpg)
Direct Anonymous Attestation (Verification)
TPM Verifier1
Zero knowledge proof protocol
TPM proves it knows
TPM Proves the exponent is related
• Used for blacklisting
• Used for linking transactions from the same TPM
![Page 18: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/18.jpg)
Secure Storage
TPM_Seal(Blob, PCR')
  Blob' = {Blob || PCR'} SK_ENC
  Stores Blob'
TPM_UnSeal(Blob')
  Checks if current PCR = PCR' in Blob'
  If true: Blob = Decrypt{Blob'} SK_ENC
  If false: return failure
• OS & Apps sealed with the MBR's PCR
• Seal a web server's SSL key
• Microsoft BitLocker
• Blob size is 256 bytes
![Page 19: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/19.jpg)
DRM – e.g. using TPM counters
Application: Media Player
TPM_Seal(Blob, PCR')
  SK_ENC, COUNTER = 0
  Blob' = {Blob || PCR'} SK_ENC
  Stores Blob'
TPM_UnSeal(Blob')
  Checks if current PCR = PCR' in Blob' && COUNTER < N
  If true: Blob = Decrypt{Blob'} SK_ENC; COUNTER++
  If false: return failure
• Music can be played for 30 days only
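TPM_Seal / TPM_UnSeal from the Secure Storage slide and the counter-limited variant from the DRM slide, together in one added Go example that is not code from the slides. The slides leave the cipher behind {...}SK_ENC unspecified; this example assumes AES-256-GCM with a key that never leaves the modelled TPM, so PCR' rides inside the authenticated ciphertext and cannot be edited without the key (a real TPM 1.2 seals with an RSA storage key). The PCR values, the sealed secret and the limit N are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

const pcrLen = sha1.Size

// PCRValue is the 160-bit PCR the blob is bound to.
type PCRValue [pcrLen]byte

// SealedBlob is Blob' = {Blob || PCR'} SK_ENC: authenticated ciphertext
// that embeds PCR', plus the nonce AES-GCM needs. SK_ENC stays inside.
type SealedBlob struct {
	Nonce      []byte
	Ciphertext []byte
}

// TPM holds what TPM_Seal / TPM_UnSeal need: the internal key, the
// current PCR and a monotonic counter for the DRM variant.
type TPM struct {
	skEnc   []byte
	PCR     PCRValue
	Counter uint32
}

func NewTPM(pcr PCRValue) (*TPM, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &TPM{skEnc: key, PCR: pcr}, nil
}

func (t *TPM) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.skEnc)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

var (
	ErrPolicy = errors.New("unseal refused: current PCR != PCR' stored in blob")
	ErrLimit  = errors.New("unseal refused: COUNTER has reached N")
)

// Seal encrypts PCR' || Blob under SK_ENC.
func (t *TPM) Seal(blob []byte, pcrPolicy PCRValue) (SealedBlob, error) {
	g, err := t.aead()
	if err != nil {
		return SealedBlob{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedBlob{}, err
	}
	plain := append(append([]byte{}, pcrPolicy[:]...), blob...)
	return SealedBlob{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plain, nil)}, nil
}

// Unseal decrypts Blob' and releases Blob only if the current PCR equals
// the PCR' recorded at seal time; any other state gets a failure.
func (t *TPM) Unseal(sb SealedBlob) ([]byte, error) {
	g, err := t.aead()
	if err != nil {
		return nil, err
	}
	plain, err := g.Open(nil, sb.Nonce, sb.Ciphertext, nil)
	if err != nil || len(plain) < pcrLen {
		return nil, errors.New("unseal failed: blob was modified or sealed by another TPM")
	}
	if !bytes.Equal(plain[:pcrLen], t.PCR[:]) {
		return nil, ErrPolicy
	}
	return plain[pcrLen:], nil
}

// UnsealLimited is the DRM variant: the same PCR check plus COUNTER < N,
// with COUNTER incremented on every successful release.
func (t *TPM) UnsealLimited(sb SealedBlob, n uint32) ([]byte, error) {
	if t.Counter >= n {
		return nil, ErrLimit
	}
	blob, err := t.Unseal(sb)
	if err != nil {
		return nil, err
	}
	t.Counter++
	return blob, nil
}

func main() {
	bootA := PCRValue(sha1.Sum([]byte("trusted OS image")))  // constructed
	bootB := PCRValue(sha1.Sum([]byte("tampered OS image"))) // constructed
	tpm, _ := NewTPM(bootA)
	sealed, _ := tpm.Seal([]byte("web server SSL private key"), bootA)

	out, err := tpm.Unseal(sealed)
	fmt.Printf("same boot state: %q, err=%v\n", out, err)

	tpm.PCR = bootB // platform rebooted into different software
	_, err = tpm.Unseal(sealed)
	fmt.Println("different boot state:", err)

	tpm.PCR = bootA
	for i := 0; i < 3; i++ {
		_, err = tpm.UnsealLimited(sealed, 2)
		fmt.Printf("play %d: err=%v\n", i+1, err)
	}
}
```

Because the counter lives inside the TPM rather than in the blob, copying Blob' to a second machine does not reset it, and a blob sealed to one PCR state simply fails to open on any other.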
![Page 20: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/20.jpg)
Trusted Software Stack (TSS)
• Standard API for accessing functions of the TPM
• OS agnostic
http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification
![Page 21: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/21.jpg)
Trusted Hardware : Introduction
Database server with trusted hardware (e.g. 6000 PCI, IBM 4764/65, SafeXcel)
• Trusted by the clients
• Performs or aids query processing
• Can provide tamper proofing / detection
• Supports cryptographic functions (software or hardware based)
• Commonly used as accelerators
![Page 22: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/22.jpg)
Trusted Hardware : Benefits & Limitations
IBM 4764 Function (OpenSSL 0.9.7f)

| Function | Context | IBM 4764 (per second) | P4 @ 3.4 GHz (per second) |
|---|---|---|---|
| RSA signature | 1024 bits | 848 | 261 |
| RSA signature | 2048 bits | 316 – 470 | 43 |
| RSA verification | 1024 bits | 1157 – 1242 | 5324 |
| RSA verification | 2048 bits | 976 – 1087 | 1613 |
| SHA-1 | 1 KB | 1.42 MB | 80 MB |
| SHA-1 | 64 KB | 18.6 MB | 120+ MB |
| SHA-1 | 1 MB | 21 – 24 MB | |
| 3DES | 1 KB | 1.08 MB | 18 MB |
| 3DES | 64 KB | 7.73 MB | 17 MB |
| 3DES | 1 MB | 8.56 MB | 15 MB |
| AES 128 | 1 KB | 14+ MB | 100+ MB |
| AES 128 | DMA xfer end-to-end | 75 – 90 MB | 1+ GB |

IBM 4764 hardware
• Processor: 233 MHz PowerPC
• Memory: 32 MB
• Crypto H/W engines: AES256, DES, TDES, DSS, SHA-1, MD5, RSA
• Tamper resistant and responsive design, FIPS level 4 certified
• Limited resources
• Synchronous communication channel with host
• Hardware crypto engine
![Page 23: TPM: Trusted Platform Module](https://reader034.vdocuments.us/reader034/viewer/2022050720/589ed3e81a28abcc4a8bef81/html5/thumbnails/23.jpg)
Outbound Authentication [Smith et al.]
SCPU - 4764 layers, each with its own key pair:
• Layer 3 – TrustedDB: PK_TDB, SK_TDB, K_DATA
• Layer 2 – OS: PK_OS, SK_OS
• Layer 1 – Miniboot 1: PK_DEV, SK_DEV
• Layer 0 – Miniboot 0: PK_MAN, SK_MAN
CLIENT: PK_CMAN, K_DATA
1. Request
2. OA Certificate
3. OA Certificate
Outbound Authentication Certificate (one entry per layer, each entry signed by the layer beneath it):
• PK_TDB, H(L3CODE), signed with SK_OS
• PK_OS, H(L2CODE)
• PK_DEV, H(L1CODE)
• PK_MAN, H(L0CODE)
Signing keys shown in the diagram: SK_MAN, SK_DEV, SK_CMAN
Legend: PK_A : Public Key of A; SK_A : Private Key of A; H(M) : Hash of message M
SIGMOD 2011 : TrustedDB
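The outbound authentication chain, as an added Go example rather than code from the slides or from TrustedDB. Each layer, as it loads the next, signs that layer's public key together with the hash of its code; the client starts from the manufacturer key it already trusts (PK_CMAN), walks the certificates down to PK_TDB, and checks every layer's code hash against the build it expects before trusting the key at the top. RSA-PSS, SHA-256 and the per-layer layout are this example's assumptions; the layer code strings are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// LayerCert is one entry of the outbound-authentication chain: a layer's
// public key and the hash of its code, signed by the layer below it
// (PK_DEV/H(L1CODE) by SK_MAN, PK_OS/H(L2CODE) by SK_DEV, PK_TDB/H(L3CODE) by SK_OS).
type LayerCert struct {
	Name     string
	PubKey   *rsa.PublicKey
	CodeHash [32]byte
	Sig      []byte
}

// certDigest fixes the bytes a layer signs: encoded public key || code hash.
func certDigest(pub *rsa.PublicKey, codeHash [32]byte) []byte {
	h := sha256.New()
	h.Write(x509.MarshalPKCS1PublicKey(pub))
	h.Write(codeHash[:])
	return h.Sum(nil)
}

// IssueCert is run by the lower layer as it loads the next one: it hashes
// the code it is about to run and certifies that code's key under its own.
func IssueCert(signer *rsa.PrivateKey, name string, next *rsa.PublicKey, code []byte) (LayerCert, error) {
	h := sha256.Sum256(code)
	sig, err := rsa.SignPSS(rand.Reader, signer, crypto.SHA256, certDigest(next, h), nil)
	if err != nil {
		return LayerCert{}, err
	}
	return LayerCert{Name: name, PubKey: next, CodeHash: h, Sig: sig}, nil
}

// VerifyChain is the client's check on the OA certificate. It returns the
// top layer's public key (PK_TDB), which the client may then use to send
// K_DATA to the TrustedDB running inside the SCPU.
func VerifyChain(trusted *rsa.PublicKey, chain []LayerCert, expected map[string][32]byte) (*rsa.PublicKey, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty certificate chain")
	}
	cur := trusted
	for _, c := range chain {
		if err := rsa.VerifyPSS(cur, crypto.SHA256, certDigest(c.PubKey, c.CodeHash), c.Sig, nil); err != nil {
			return nil, fmt.Errorf("%s: not signed by the layer below", c.Name)
		}
		want, ok := expected[c.Name]
		if !ok || want != c.CodeHash {
			return nil, fmt.Errorf("%s: code hash does not match the expected build", c.Name)
		}
		cur = c.PubKey
	}
	return cur, nil
}

// BuildChain stands up layers 1 to 3 with constructed code, starting from a
// fresh SK_MAN, and returns the chain plus the expected hashes a client holds.
func BuildChain() (*rsa.PrivateKey, []LayerCert, map[string][32]byte, error) {
	layers := []struct{ name, code string }{
		{"Miniboot 1", "miniboot1 v2"}, {"OS", "scpu os v7"}, {"TrustedDB", "trusteddb 2011"},
	}
	signer, err := rsa.GenerateKey(rand.Reader, 2048) // SK_MAN
	if err != nil {
		return nil, nil, nil, err
	}
	root := signer
	var chain []LayerCert
	expected := map[string][32]byte{}
	for _, l := range layers {
		next, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, nil, err
		}
		cert, err := IssueCert(signer, l.name, &next.PublicKey, []byte(l.code))
		if err != nil {
			return nil, nil, nil, err
		}
		chain = append(chain, cert)
		expected[l.name] = sha256.Sum256([]byte(l.code))
		signer = next
	}
	return root, chain, expected, nil
}

func main() {
	root, chain, expected, err := BuildChain()
	if err != nil {
		panic(err)
	}
	pkTDB, err := VerifyChain(&root.PublicKey, chain, expected)
	fmt.Println("genuine chain accepted:", err == nil && pkTDB == chain[len(chain)-1].PubKey)

	// The OS honestly certified a TrustedDB build the client does not know:
	// the signatures are fine, but the hash check makes the client refuse.
	expected["TrustedDB"] = sha256.Sum256([]byte("some other build"))
	_, err = VerifyChain(&root.PublicKey, chain, expected)
	fmt.Println("unknown TrustedDB build:", err)
}
```

The hash check on every layer, not only the top one, is what keeps a modified OS layer from certifying a genuine TrustedDB binary: the OS certificate would still verify, but its H(L2CODE) would no longer be the one the client expects.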