TPM 2.0. Introduction to Next Generation of Trusted Platform Module

Transcription

1 TPM 2.0 Introduction to Next Generation of Trusted Platform Module

2 What is a TPM? Stands for Trusted Platform Module Holds tamper-resistant values that are used to help establish trust in a platform Traditionally, has been a separate component on the system motherboard but now is also being integrated into the chipset TPM is the flagship product of the Trusted Computing Group (TCG) First TCG version of the specification (TPM 1.2) was released in 2003 Derived from TPM 1.1 specification of TCPA Became ISO/IEC 11889:2009 2

3 Reason for a TPM A primary function for the TPM is to identify a system The identity of a programmable device is a combination of the hardware and the software that it is running TPM reports on platform identity so that others can decide whether or not to trust the platform A TPM is a reliable witness but it does not make value judgments The TPM just provides responses to requests but is not able to directly intrude on system operation It s kind of like a smart card for your computer using the identity of the software for a PIN Can protect secrets so that they are only accessible when the right software is running on the system 3

4 The Hardware Identity The TPM uses an asymmetric key to identity the hardware Key is statistically unique In TPM 1.2, it is an RSA key, In TPM 2.0, can be either RSA or ECC This key is generated within the TPM and the private portion of the key is unknown outside of the TPM Except, manufactures can inject the key to save time in production The key uniquely identifies the TPM and the computer system to which it is attached The key might not tell us what the system is (cell phone or supercomputer) but it unambiguously tells us which system it is When the type of the system matters, there are ways to disambiguate 4

5 The Software Identity Accepted way to identify software is to hash it In TCG speak, this is called measuring software Collecting the hashes of all of the software that has run is the full identity but it is next to impossible to evaluate However, the identity of the system s trusted computing base (TCB) is smaller and more comprehensible If the TCB can be can be identified and the policy it enforces is known, then informed decisions can be made about whether or not to trust that system For example, we d like to know if the correct OS and anti-malware software was loaded and run before any application code was loaded 5

6 The Identity Software the Identity TCB 6

7 Identity of the TCB The TCB is the part of a system that is responsible for enforcing the security policy of the system In an OS like Windows, it includes the kernel and some privileged applications such as anti-malware TCB also includes the platform firmware/software used to load the TCB (the system BIOS/UEFI) We identify the TCB by measuring it 7

8 Measured Boot of the TCB System Reset DCRTM PEI Pre EFI Initialization DXE Driver Execution Environment Boot Manager Boot Device Select As the system boots, measurements of the TCB components are accumulated in the TPM in a way that lets the TPM provide the identity of the TCB software OS Loader System Load Policy ELAM OS Policy Engine Application Environment Measurements of the software go into a TPM register called a Platform Configuration Register (PCR) 8

9 Reporting on the TCB Measured boot leaves a characteristic fingerprint of the boot sequence in one or more PCR in the TPM The TPM can report these accumulated measurements in a cryptographically verifiable way Uses standard schemes (e.g., ECDSA) to sign the PCR values A good use is as part of health check of a client system when it joins the corporate network The PCR contents can often disambiguate the type of device Code identity for a cell phone will differ from code identity for a supercomputer 9

10 Trusting the TPM How does one trust what the TPM is saying? How does one know that they are dealing with an actual TPM? 10

11 Trusting the TPM The TPM has a asymmetric Endorsement Key (EK) that is the certified identity of the TPM Certificate could be an x509 certificate placed in the TPM by the TPM manufacturer The certificate could be an from the platform manufacturer that says I just shipped systems to you with these TPM EKs Combination of the above or something different When attaching to the corporate network, use certified key to sign the accumulated PCR measurements and give them to a server Signing key identifies the client hardware The Quote of PCR identifies the client software Protect privacy by using pseudonymous keys for signing instead of the EK 11

12 Why TPM 2.0? 12

13 Why TPM 2.0? Had to TPM 1.2 uses SHA1 and RSA 2048 as the only fully-supported algorithms SHA1 is no longer considered adequate RSA is not being recommended for security strengths above 112 bits RSA Key Size in Bits Security Strength in Bits Key bits / bit of security strength (12.5) (18.3) 3072 SECRET 128 (24) 7680 TOP SECRET 192 (40) From SP800-57, Table 2 13

14 Other Issues to Deal With in TPM 2.0 Crypto agility Don t want to have to rewrite the TPM specification every time an algorithm is broken/retired Need to accommodate geographic/government requirements Need to accommodate different security levels Authorization agility Need simpler authorization Need more complex authorization Hardware agility Implement in PC Implement in SoC (phone and tablet) Implement in embedded systems 14

15 Other Issues to Deal With in TPM 2.0 Crypto agility Authorization agility Hardware agility Authorization agility Hardware agility 15

16 What is Crypto Agility? Simply means that the interface to the TPM should accommodate changes to cryptography Different asymmetric algorithms and key sizes Different symmetric algorithms and key sizes Different hash algorithms and digest sizes Achieving this required a complete redo of the TPM specification Maintained many of the concepts, but Tossed all the data structures, and Redid all of the commands Made sure that the new data structures are flexible and able to accommodate new algorithms In the future, will add to the specification rather than replace it 16

17 Other Issues to Deal With in TPM 2.0 Crypto agility Authorization agility Hardware agility 17

18 Authorization Agility TPM 1.2 has only 3 authorization elements Authorization value PCR state Locality hardware privilege level 8 total combinations of these simple elements TPM 2.0 has 12 authorization elements so far Authorization value PCR State Locality Physical Presence Asymmetric signature Specific objects Symmetric shared secret Duplication Time Limited NV Written Specific Command Contents of NV Authorization elements can be combined using logical constructs (AND / OR) to give fine-grained access control over TPM 2.0 keys and data 18

19 Authorization Policy Example Scenario: Multiple systems are used by multiple users. Each user has access to a different set of systems. Want each user to have their identity recognized on each system on which they are authorized. Solution: Give each person an identity card (such as, CAC) and a password for that card. The identity card will sign a number when it is given the proper password (PIN). Each system then has a master key in the TPM so that access to the Master key is required to use the system. Create a policy for the Master key that is the OR of a signature from each of the identity cards authorized on that system AND measurements indicate that the system is in a trusted state 19

20 More Policy Examples Use input from biologic sensor as a factor for authorization Retina scanner Fingerprint scanner Facial recognition Etc. Use input from GPS so that a TPM key can only be used within specific geographic constraints Have key expire unless authorization is refreshed periodically 20

21 Other Issues to Deal With in TPM 2.0 Crypto agility Authorization agility Hardware agility 21

22 Hardware Agility Variability 22

23 Hardware Variability Almost all TPM 1.2 were implemented as discrete devices Provides the necessary isolation from the OS Secrets not accessible outside of the physical TPM device Many SoC implementations have an execution environment that is isolated from the OS TrustZone on ARM Platform Trust Technology (PTT) on some Intel systems Etc. SP provides guidance on how to host a TPM on these systems so that they are as secure as many discrete TPM implementations Usually, the only thing missing is advanced tamper resistance 23

24 Firmware TPM Because TPM 2.0 comes with source code, SoC vendors are going directly to TPM 2.0 instead of doing TPM 1.2 These implementations are often referred to as firmware TPMs (ftpm) to distinguish them from a TPM in a discrete chip Code runs in the isolated execution environment of the SoC Because of product cycles, it is hard to get a Common Criteria evaluation of an ftpm But, expect to see FIPS certified ftpm within a year-ish Level 1 is probable Level 2 is possibility because TPM 2.0 does not have the same issues as TPM 1.2 In TPM 1.2, can t do level 2 compliance without breaking a lot of SW 24

25 Other TPM 2.0 Improvements 25

26 Improved Controllability Separated control of the privacy and security aspects of the TPM Different key hierarchies storage and endorsement Different authorizations ownerauth and endorsementauth Different enables shenable and ehenable User gets to decide what gets used, or not TPM is more useful to the platform manufacturer Private key hierarchy Can use TPM to help ensure secure updates to the firmware Separate control for anti-hammering reset Owner knows the lockoutauth (hopefully) Lets the OS manage the ownerauth Starting with Win8, have simplified TPM provisioning 26

27 Miscellaneous Improvements Added a notion of time Can set an expiration time for a key Can set an expiration on an authorization Better use of non-volatile memory Counters, revocation bits, and application-specific PCR Special mode allowing high update rate without endurance problems Made it easier for different manufactures to build devices that worked the same Specification contains source code for all commands Possible to build a TPM simulator to test the specification Sources available to anyone Microsoft also provides machine-readable sources to TCG members 27

28 Windows Support of TPM 28

29 Windows Support of TPM TPM 2.0 is a Win8 certification requirement for all connected standby systems These are the devices that are always on and connected to some network (such as a cell phone) Microsoft is planning on making TPM 2.0 a certification requirement regardless of the system type 2015 timeframe to give vendors time to plan for the transition Microsoft is driving ubiquity because everyone deserves to have the security benefit of the TPM Easier to do this now that TPM 2.0 has addressed many of the cost issues Also, not likely that TPM 2.0 will be obsolete due to changes in cryptography 29

30 Current Windows TPM Applications BitLocker / Device Encryption Virtual Smart Card TPM can be enrolled and made to look like a smart card for the computer Direct Connect can use this for access to corporate network Don t need to have a smart card reader on every computer Keys with certificates can be protected by TPM Measured Boot More coming in Win8.1 Details in Chris Hallum s presentation 30

31 Questions?

32 Thanks for Coming!