Property Based TPM Virtualization

Size: px
Start display at page:

Download "Property Based TPM Virtualization"

Transcription

1 Property Based Virtualization Marcel Winandy Joint work with: Ahmad Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security Chair for System Security Ruhr University Bochum, Germany Sirrix AG security technologies Bochum, Germany Marcel Winandy Property Based Virtualization 1

2 Introduction: Virtualization Features Commodity operating systems on various hardware platforms Virtual machines: suspend & resume, migration Security: isolation of virtual machines Application scenario: corporate/private computing Isolated work loads for private and corporate working Isolated work loads for different security levels Linux Linux Windows Linux Windows Hypervisor Hardware Hypervisor Hardware Marcel Winandy Property Based Virtualization 2

3 Introduction: Trusted Computing () : cheap, tamper evident hardware security module Cryptographic functions (RSA, SHA 1, key generation, RNG) Protected storage for small data (e.g. keys) Special keys: Endorsement Key (EK) and Storage Root Key (SRK) Authenticated Boot (recording integrity measurements) Measurements stored in Platform Configuration Registers (PCRs) Each component measures next component (chain of trust) hash hash hash hash Apps OS Boot Loader BIOS CRTM store hash store hash store hash store hash PCRs SRK EK Attestation and Sealing Attestation Identity Key (AIK) signs PCRs for (remote) attestation Binding key is used to encrypt data to the current PCR values (decrypting only possible with same PCR states) Marcel Winandy Property Based Virtualization 3

4 Introduction: Virtual () Each should be able to use Providing protected storage and crypto coprocessor Assurance about the booted hypervisor and virtual machines Support for migration Private Working Unclassified Corporate Classified Corporate Hypervisor Hardware Marcel Winandy Property Based Virtualization 4

5 Introduction: Virtual () Each should be able to use Providing protected storage and crypto coprocessor Assurance about the booted hypervisor and virtual machines Support for migration Virtualization of the Emulation in software, but binding to and hardware Berger et al. (USENIX 2006), Scarlata et al. (2007) Private Working Unclassified Corporate Classified Corporate Driver Driver Driver Hypervisor Hardware Marcel Winandy Property Based Virtualization 5

6 Shortcomings of Existing Solutions Migration Protected data bound to binary representation of hypervisor 's data may be unavailable after migration to another platform Keys Differentiated strategies for key generation missing some IT environments demand hardware protected keys wheras others would benefit from flexibility of software keys Privacy Revealing information about system configuration (v) reveals information during remote attestation of PCR values Profiling (security risk) and discrimination possible Marcel Winandy Property Based Virtualization 6

7 New Design Adding new components to internal design: Property Management Representation of virtual PCRs Different mechanisms to store and read values Realizing property based attestation and sealing Key Management Creating and loading cryptographic keys Supports software keys or keys of physical Policy User defined policy of the instance Marcel Winandy Property Based Virtualization 7

8 Flexible Architecture Driver Key Management _CreateWrapKey() _Extend(i, m) Interface CreateKey() Extend(i, m) Property Management PCRRead(i) _PCRRead(i) crypto Cryptographic Functions Management Interface migrate() Migration Controller Software Key Hardware Key PropertyProvider 1 PropertyProvider 2 PropertyProvider N PropertyFilter Policy Hypervisor Key Novel components for Marcel Winandy Property Based Virtualization 8

9 Property Providers Each property provider has its own PCR vector How to store values is up to each implementation This results in a matrix of vpcrs Policy decides which vector to use on which operation Instance vpcr[0] vpcr[1] PropertyProvider 1 PropertyProvider j PropertyProvider N Mapping vpcr[n] Initialization Applying all property providers to build the vpcr matrix Each Property Provider can implement a different mapping PCRs Marcel Winandy Property Based Virtualization 9

10 Changing the Measurement Function PCR extension function of the : Extend(i, m): PCR i SHA1(PCR m) i Generalizing this for each Provider j : Provider j.extend(i,m): vpcr i,j translate (vpcr,m) j i,j Examples: translate hash () is hashing like in hardware translate cert () looks for a certificate and stores the public key Marcel Winandy Property Based Virtualization 10

11 PCR Extension: Example OS measures a file and wants to extend the measurement in PCR 10 of the _Extend(10, f572d396fae fb2ce00f72e94f2258f) Property Management of instance calls each Property Provider vpcr 10,hash of Provider hash 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7 vpcr 10,hash := SHA1(vPCR 10,hash f572d396fae fb2ce00f72e94f2258f) vpcr 10,cert of Provider cert PK certa Look for cert for hash f572d. If found one (e.g., certb), add its PK vpcr 10,hash : vpcr 10,cert : 3a2fdfb2e10d4286a c508b173c PK certa, PK certb Marcel Winandy Property Based Virtualization 11

12 Property Based Attestation with Provider cert is one example to use property certificates Certificates describe the properties for a particular measurement Issued by a Trusted Third Party 1. attest(nonce,i,,j) 6. (pcrdata, nonce) Verifier 2. quote(vaik ID,nonce,i,,j) 5. (pcrdata, nonce) 3. prov = policy.askforprovider(i,,j) 4. sign[vaik ID ](nonce,vpcr i,prov,,vpcr j,prov ) Marcel Winandy Property Based Virtualization 12

13 Migration of and Secure migration needed (confidentiality, integrity, authenticity) Example: move private working environment to home PC Private Working Classified Corporate Online Gaming Hypervisor (Xen 3.1) Hypervisor (Xen 3.2) Hardware (Office PC) Hardware (Home PC) Marcel Winandy Property Based Virtualization 13

14 Trusted Channel based Migration Source platform requests trusted channel to destination Creates secret encryption key bound to and configuration of destination platform (assurance about integrity of end points) Configuration can also be property based Re usable for several migrations Private Working Classified Corporate Online Gaming Hypervisor (Xen 3.1) Hypervisor (Xen 3.2) Hardware (Office PC) Trusted Channel Hardware (Home PC) Marcel Winandy Property Based Virtualization 14

15 Trusted Channel based Migration Source platform requests trusted channel to destination Creates secret encryption key bound to and configuration of destination platform (assurance about integrity of end points) Configuration can also be property based Re usable for several migrations Private Working Classified Corporate Online Gaming Hypervisor (Xen 3.1) Hypervisor (Xen 3.2) Hardware (Office PC) Trusted Channel Hardware (Home PC) Transfer encrypted state via Trusted Channel No re mapping of PCRs necessary (because of property providers) Marcel Winandy Property Based Virtualization 15

16 Trusted Channel based Migration Source platform requests trusted channel to destination Creates secret encryption key bound to and configuration of destination platform (assurance about integrity of end points) Configuration can also be property based Re usable for several migrations Classified Corporate Private Working Online Gaming Hypervisor (Xen 3.1) Hypervisor (Xen 3.2) Hardware (Office PC) Trusted Channel Hardware (Home PC) Transfer encrypted state via Trusted Channel No re mapping of PCRs necessary (because of property providers) Marcel Winandy Property Based Virtualization 16

17 Summary Key Management Software Key Hardware Key Key Driver _CreateWrapKey() _Extend(i, m) Interface CreateKey() Extend(i, m) Property Management PropertyProvider 1 PropertyProvider 2 PropertyProvider N PropertyFilter Policy PCRRead(i) _PCRRead(i) crypto Cryptographic Functions Management Interface Migration Controller migrate() Novel components for New Design Property Providers Key Management Policy Allows to link hypervisor to based on properties Availability of sealed data after migration or software updates Trusted Migration protocol ensures binding to trustworthy platform More flexibility in key usage Key Management can delegate key requests to hardware User defined policy decides which information to reveal Policy defines which Property Provider to use on attestation Marcel Winandy Property Based Virtualization 17

18 Thank you for your attention! Questions? Contact: Marcel Winandy Horst Görtz Institute for IT Security Ruhr University Bochum, Germany Marcel Winandy Property Based Virtualization 18

19 BACKUP Marcel Winandy Property Based Virtualization 19

20 Property Based Sealing Marcel Winandy Property Based Virtualization 20

21 Migration Protocol Source platform Destination platform Migration Controlling Process Migration Controlling Process ' migrate() initiatemigration() requesttrustedchannel() create() ' verify(pk Bind, cert Bind ) (PK Bind, cert Bind ) sk := createkey() esk := bind[pk Bind ](sk) s := getstate() es := encrypt[sk](s) deletekey(sk), deletestate() transfer(es,esk) X destroy() sk := unbind[pk Bind ](esk) s := decrypt[sk](es) setstate(s) Marcel Winandy Property Based Virtualization 21

Secure Data Management in Trusted Computing

Secure Data Management in Trusted Computing 1 Secure Data Management in Trusted Computing Ulrich Kühn Deutsche Telekom Laboratories, TU Berlin Klaus Kursawe (KU Leuven) Stefan Lucks (U Mannheim) Ahmad-Reza Sadeghi (RU Bochum) Christian Stüble (RU

More information

Patterns for Secure Boot and Secure Storage in Computer Systems

Patterns for Secure Boot and Secure Storage in Computer Systems Patterns for Secure Boot and Secure Storage in Computer Systems Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany {hans.loehr,ahmad.sadeghi,marcel.winandy}@trust.rub.de

More information

vtpm: Virtualizing the Trusted Platform Module

vtpm: Virtualizing the Trusted Platform Module Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA vtpm: Virtualizing the

More information

vtpm: Virtualizing the Trusted Platform Module

vtpm: Virtualizing the Trusted Platform Module vtpm: Virtualizing the Trusted Platform Module Stefan Berger Ramón Cáceres Kenneth A. Goldman Ronald Perez Reiner Sailer Leendert van Doorn {stefanb, caceres, kgoldman, ronpz, sailer, leendert}@us.ibm.com

More information

On the security of Virtual Machine migration and related topics

On the security of Virtual Machine migration and related topics Master thesis On the security of Virtual Machine migration and related topics Ramya Jayaram Masti Submitted in fulfillment of the requirements of Master of Science in Computer Science Department of Computer

More information

Opal SSDs Integrated with TPMs

Opal SSDs Integrated with TPMs Opal SSDs Integrated with TPMs August 21, 2012 Robert Thibadeau, Ph.D. U.S. Army SSDs Must be Opal s We also Studied using the TPM (Trusted Platform Module) with an Opal SSD (Self-Encrypting Drive) 2 Security

More information

Using the TPM: Data Protection and Storage

Using the TPM: Data Protection and Storage Using the TPM: Data Protection and Storage Ariel Segall ariels@alum.mit.edu Day 2 Approved for Public Release: 12-2749. Distribution unlimited License All materials are licensed under a Creative Commons

More information

Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04

Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04 Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04 F. John Krautheim 1 Dhananjay S. Phatak Alan T. Sherman 1 Cyber

More information

Improving End-user Security and Trustworthiness of TCG-Platforms

Improving End-user Security and Trustworthiness of TCG-Platforms Improving End-user Security and Trustworthiness of TCG-Platforms Klaus Kursawe, kursawe@acm.org Christian Stüble Saarland University, Germany stueble@acm.org September 29, 2003 Abstract Over the last two

More information

Embedded Trusted Computing on ARM-based systems

Embedded Trusted Computing on ARM-based systems 1 / 26 Embedded Trusted Computing on ARM-based systems Martin Schramm, M.Eng. 10.04.2014 Agenda 2 of 26 martin.schramm@th-deg.de Embedded computing platforms have become omnipresent intend to alleviate

More information

Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04

Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04 Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04 F. John Krautheim 1 Dhananjay S. Phatak Alan T. Sherman 1 Cyber

More information

Lecture Embedded System Security Dynamic Root of Trust and Trusted Execution

Lecture Embedded System Security Dynamic Root of Trust and Trusted Execution 1 Lecture Embedded System Security Dynamic Root of Trust and Execution Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Summer Term 2014 Dynamic Root

More information

Trustworthy Identity Management for Web Authentication

Trustworthy Identity Management for Web Authentication Trustworthy Identity Management for Web Authentication Ramasivakarthik Mallavarapu Aalto University, School of Science and Technology kmallava@tkk.fi Abstract Identity theft today is one of the major security

More information

Software Execution Protection in the Cloud

Software Execution Protection in the Cloud Software Execution Protection in the Cloud Miguel Correia 1st European Workshop on Dependable Cloud Computing Sibiu, Romania, May 8 th 2012 Motivation clouds fail 2 1 Motivation accidental arbitrary faults

More information

Uni-directional Trusted Path: Transaction Confirmation on Just One Device

Uni-directional Trusted Path: Transaction Confirmation on Just One Device Uni-directional Trusted Path: Transaction Confirmation on Just One Device Atanas Filyanov 1, Jonathan M. McCune 2, Ahmad-Reza Sadeghi 3, Marcel Winandy 1 1 Ruhr-University Bochum, Germany 2 Carnegie Mellon

More information

TPM Key Backup and Recovery. For Trusted Platforms

TPM Key Backup and Recovery. For Trusted Platforms TPM Key Backup and Recovery For Trusted Platforms White paper for understanding and support proper use of backup and recovery procedures for Trusted Computing Platforms. 2006-09-21 V0.95 Page 1 / 17 Contents

More information

TCG Based Approach for Secure Management of Virtualized Platforms State-of-the-art

TCG Based Approach for Secure Management of Virtualized Platforms State-of-the-art SICS Technical Report T2010:05 ISSN 1100-3154 TCG Based Approach for Secure Management of Virtualized Platforms State-of-the-art (June 05, 2010) Mudassar Aslam, Christian Gehrmann {Mudassar.Aslam, Christian.Gehrmann}@sics.se

More information

William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly

William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly Ramesh Karri (rkarri@poly.edu) Associate Professor, Electrical and Computer Engineering NYU-Poly Why is cyber

More information

Trustworthy Computing

Trustworthy Computing Stefan Thom Senior Software Development Engineer and Security Architect for IEB, Microsoft Rob Spiger, Senior Security Strategist Trustworthy Computing Agenda Windows 8 TPM Scenarios Hardware Choices with

More information

Background. TPMs in the real world. Components on TPM chip TPM 101. TCG: Trusted Computing Group. TCG: changes to PC or cell phone

Background. TPMs in the real world. Components on TPM chip TPM 101. TCG: Trusted Computing Group. TCG: changes to PC or cell phone CS 155 Spring 2006 Background TCG: Trusted Computing Group Dan Boneh TCG consortium. Founded in 1999 as TCPA. Main players (promotors): (>200 members) AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft,

More information

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

A TRUSTED STORAGE SYSTEM FOR THE CLOUD University of Kentucky UKnowledge University of Kentucky Master's Theses Graduate School 2010 A TRUSTED STORAGE SYSTEM FOR THE CLOUD Sushama Karumanchi University of Kentucky, ska226@uky.edu Recommended

More information

Software-based TPM Emulator for Linux

Software-based TPM Emulator for Linux Software-based TPM Emulator for Linux Semester Thesis Mario Strasser Department of Computer Science Swiss Federal Institute of Technology Zurich Summer Semester 2004 Mario Strasser: Software-based TPM

More information

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation BitLocker Drive Encryption Hardware Enhanced Data Protection Shon Eizenhoefer, Program Manager Microsoft Corporation Agenda Security Background BitLocker Drive Encryption TPM Overview Building a BitLocker

More information

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing Stefan Berger Joint work with: Kenneth Goldman, Dimitrios Pendarakis, David Safford, Mimi Zohar IBM T.J. Watson Research Center 09/21/2011

More information

Embedding Trust into Cars Secure Software Delivery and Installation

Embedding Trust into Cars Secure Software Delivery and Installation Embedding Trust into Cars Secure Software Delivery and Installation André Adelsbach, Ulrich Huber, Ahmad-Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security, Bochum, Germany Third Workshop

More information

Agenda. BitLocker Drive. BitLocker Drive Encryption Hardware Enhanced Data Protection. BitLocker And TPM Features

Agenda. BitLocker Drive. BitLocker Drive Encryption Hardware Enhanced Data Protection. BitLocker And TPM Features BitLocker Drive Encryption Hardware Enhanced Data Protection Shon Eizenhoefer, Program Manager Microsoft Corporation Agenda Security Background BitLocker Drive Encryption TPM Overview Building a BitLocker

More information

Index. BIOS rootkit, 119 Broad network access, 107

Index. BIOS rootkit, 119 Broad network access, 107 Index A Administrative components, 81, 83 Anti-malware, 125 ANY policy, 47 Asset tag, 114 Asymmetric encryption, 24 Attestation commercial market, 85 facts, 79 Intel TXT conceptual architecture, 85 models,

More information

Using the TPM to Solve Today s Most Urgent Cybersecurity Problems

Using the TPM to Solve Today s Most Urgent Cybersecurity Problems Using the to Solve Today s Most Urgent Cybersecurity Problems May 20, 2014 10:00AM PDT 2 Stacy Cannady, Technical Marketing Trustworthy Computing, Cisco Stacy Cannady, CISSP, is technical marketing - Trustworthy

More information

Acronym Term Description

Acronym Term Description This glossary contains definitions of terms created by TCG, or terms that have a particular meaning in trusted computing, or terms that cause particular confusion in trusted computing. Acronym Term Description

More information

Attestation and Authentication Protocols Using the TPM

Attestation and Authentication Protocols Using the TPM Attestation and Authentication Protocols Using the TPM Ariel Segall June 21, 2011 Approved for Public Release: 11-2876. Distribution Unlimited. c 2011. All Rights Reserved. (1/28) Motivation Almost all

More information

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory Tom Olzak October 2007 If your business is like mine, laptops regularly disappear. Until recently, centrally managed

More information

Technical Brief Distributed Trusted Computing

Technical Brief Distributed Trusted Computing Technical Brief Distributed Trusted Computing Josh Wood Look inside to learn about Distributed Trusted Computing in Tectonic Enterprise, an industry-first set of technologies that cryptographically verify,

More information

Trusted Boot Loader Steve Johnson, Panasonic Chair Security WG San Jose April 12, 2006

Trusted Boot Loader Steve Johnson, Panasonic Chair Security WG San Jose April 12, 2006 Trusted Boot Loader Steve Johnson, Panasonic Chair Security WG San Jose April 12, 2006 April 12th, 2006 1 Synopsis Background Trusted boot Security enhancements to boot loader Necessary code U-Boot Kernel

More information

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken Bypassing Local Windows Authentication to Defeat Full Disk Encryption Ian Haken Who Am I? Currently a security researcher at Synopsys, working on application security tools and Coverity s static analysis

More information

Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust. Dan Griffin DefCon 2013

Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust. Dan Griffin DefCon 2013 Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust Dan Griffin DefCon 2013 Time-Bound Keys Announcements New tool: TimedKey.exe New whitepaper: Trusted Tamperproof Time on Mobile

More information

OVAL+TPM. A Case Study in Enterprise Trusted Computing. Ariel Segall. June 21, 2011

OVAL+TPM. A Case Study in Enterprise Trusted Computing. Ariel Segall. June 21, 2011 OVAL+TPM A Case Study in Enterprise Trusted Computing Ariel Segall June 21, 2011 Approved for Public Release: 11-0144. Distribution Unlimited. c 2011. All Rights Reserved. (1/15) Motivation Goal: Demonstrate

More information

Trusted Platform Module

Trusted Platform Module Trusted Platform Module TPM Fundamental APTISS, August 2008 Raymond Ng Infineon Technologies Asia Pacific Pte Ltd Raymond.ng@infineon.com TPM Fundamental Introduction to TPM Functional Component of TPM

More information

Mutual Authentication Cloud Computing Platform based on TPM

Mutual Authentication Cloud Computing Platform based on TPM Mutual Authentication Cloud Computing Platform based on TPM Lei Peng 1, Yanli Xiao 2 1 College of Information Engineering, Taishan Medical University, Taian Shandong, China 2 Department of Graduate, Taishan

More information

Introduction to the TPM 1.2

Introduction to the TPM 1.2 Introduction to the TPM 1.2 Mark Ryan University of Birmingham DRAFT of March 24, 2009 Comments welcome 1 Introduction The Trusted Platform Module (TPM) is a hardware chip designed to enable commodity

More information

Trusted Virtual Machine Management for Virtualization in Critical Environments

Trusted Virtual Machine Management for Virtualization in Critical Environments Trusted Virtual Machine Management for Virtualization in Critical Environments Khan Ferdous Wahid Fraunhofer SIT Rheinstraße 75 64295 Darmstadt Germany www.sit.fraunhofer.de khan.wahid@sit.fraunhofer.de

More information

Abstract. 1 Introduction

Abstract. 1 Introduction Credo: Trusted Computing for s with a Commodity Hypervisor Himanshu Raj, David Robinson, Talha Bin Tariq, Paul England, Stefan Saroiu, Alec Wolman Microsoft Research Abstract This paper presents the Credo

More information

Using the TPM: Authentication and Attestation

Using the TPM: Authentication and Attestation Using the TPM: Machine Ariel Segall ariels@alum.mit.edu Day 2 Approved for Public Release: 12-2749. Distribution unlimited License All materials are licensed under a Creative Commons Share Alike license.

More information

Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation

Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation Boot Manager Security Policy Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation v 1.3 6/8/11 1 INTRODUCTION... 1 1.1 Cryptographic Boundary for BOOTMGR... 1 2 SECURITY POLICY...

More information

Threat Model for Software Reconfigurable Communications Systems

Threat Model for Software Reconfigurable Communications Systems Threat Model for Software Reconfigurable Communications Systems Presented to the Management Group 6 March 007 Bernard Eydt Booz Allen Hamilton Chair, SDR Security Working Group Overview Overview of the

More information

Injecting Trust to Cryptographic Key Management

Injecting Trust to Cryptographic Key Management Injecting Trust to Cryptographic Key Management Gökhan Bal Goethe-University Frankfurt am Main, Germany bal@cs.uni-frankfurt.de Andreas U. Schmidt Fraunhofer Institute for Secure Information Technology

More information

Penetration Testing Windows Vista TM BitLocker TM

Penetration Testing Windows Vista TM BitLocker TM Penetration Testing BitLocker TM Drive Encryption Douglas MacIver Penetration Engineer System Integrity Group, Corporation Hack In The Box 2006/09/21 2006 Corporation. All rights reserved. Trustworthy

More information

A Security Assessment of Trusted Platform Modules Computer Science Technical Report TR2007-597

A Security Assessment of Trusted Platform Modules Computer Science Technical Report TR2007-597 A Security Assessment of Trusted Platform Modules Computer Science Technical Report TR2007-597 Evan R. Sparks Evan.R.Sparks.07@Alum.Dartmouth.ORG Senior Honors Thesis http://www.cs.dartmouth.edu/ pkilab/sparks/

More information

Hardware Security for Device Authentication in the Smart Grid

Hardware Security for Device Authentication in the Smart Grid Hardware Security for Device Authentication in the Smart Grid Andrew J. Paverd and Andrew P. Martin Department of Computer Science, University of Oxford, UK {andrew.paverd,andrew.martin}@cs.ox.ac.uk Abstract.

More information

Building Blocks Towards a Trustworthy NFV Infrastructure

Building Blocks Towards a Trustworthy NFV Infrastructure Building Blocks Towards a Trustworthy NFV Infrastructure IRTF NFVRG Adrian L. Shaw Hewlett-Packard Laboratories / July 22 nd, 2015 1 Why security and trust? Big requirement for critical

More information

Implementation of a Trusted Ticket System

Implementation of a Trusted Ticket System Implementation of a Trusted Ticket System Andreas Leicher 1, Nicolai Kuntze 2, and Andreas U. Schmidt 3 1 Johann Wolfgang Goethe-Universität, Frankfurt am Main,Germany, leicher@cs.uni-frankfurt.de 2 Fraunhofer

More information

Trusted Computing. Insecure PCs. Foundations for secure e-commerce (bmevihim219)

Trusted Computing. Insecure PCs. Foundations for secure e-commerce (bmevihim219) Foundations for secure e-commerce (bmevihim219) Dr. Levente Buttyán associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS) buttyan@hit.bme.hu, buttyan@crysys.hu

More information

Accelerate OpenStack* Together. * OpenStack is a registered trademark of the OpenStack Foundation

Accelerate OpenStack* Together. * OpenStack is a registered trademark of the OpenStack Foundation Accelerate OpenStack* Together * OpenStack is a registered trademark of the OpenStack Foundation Where are your workloads running Ensuring Boundary Control in OpenStack Cloud. Raghu Yeluri Principal Engineer,

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

M-Shield mobile security technology

M-Shield mobile security technology Technology for Innovators TM M-Shield mobile security technology making wireless secure Overview As 3G networks are successfully deployed worldwide, opportunities are arising to deliver to end-users a

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Hierarchies. Three Persistent Hierarchies. Chapter 9

Hierarchies. Three Persistent Hierarchies. Chapter 9 Chapter 9 Hierarchies A hierarchy is a collection of entities that are related and managed as a group. Those entities include permanent objects (the hierarchy handles), primary objects at the root of a

More information

Secure Device Identity Tutorial

Secure Device Identity Tutorial Mike Borza John Viega with Charles Qi Karen Zelenko 2005-07-18 Page 1 Agenda Secure Device Identity 100,000 foot view The 5 criteria The 10,000 foot view Related technologies Related presentations Charles

More information

Digital Rights Management Demonstrator

Digital Rights Management Demonstrator Digital Rights Management Demonstrator Requirements, Analysis, and Design Authors: Andre Osterhues, Marko Wolf Institute: Ruhr-University Bochum Date: March 2, 2007 Abstract: This document describes a

More information

Data At Rest Protection

Data At Rest Protection Data At Rest Protection Dell Data Protection Encryption Full Volume Encryption Whitepaper October 2011 THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL

More information

TPM. (Trusted Platform Module) Installation Guide V2.1

TPM. (Trusted Platform Module) Installation Guide V2.1 TPM (Trusted Platform Module) Installation Guide V2.1 Table of contents 1 Introduction 1.1 Convention... 4 1.2 TPM - An Overview... 5 2 Using TPM for the first time 2.1 Enabling TPM... 6 2.2 Installing

More information

Trusted Virtual Domains Design, Implementation and Lessons Learned

Trusted Virtual Domains Design, Implementation and Lessons Learned Trusted Virtual Domains Design, Implementation and Lessons Learned Luigi Catuogno 1, Alexandra Dmitrienko 1, Konrad Eriksson 2, Dirk Kuhlmann 3, Gianluca Ramunno 4, Ahmad-Reza Sadeghi 1, Steffen Schulz

More information

Master s Thesis. End-To-End Application Security Using Trusted Computing. Michiel Broekman. August 18, 2005

Master s Thesis. End-To-End Application Security Using Trusted Computing. Michiel Broekman. August 18, 2005 Master s Thesis End-To-End Application Security Using Trusted Computing Michiel Broekman August 18, 2005 University of Oxford Software Engineering Programme University of Nijmegen Security of Systems Group

More information

Lecture Overview. INF3510 Information Security Spring 2015. Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure

Lecture Overview. INF3510 Information Security Spring 2015. Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure Lecture Overview INF3510 Information Security Spring 2015 Fundamental computer security concepts CPU and OS kernel security mechanisms Virtualization Memory Protection Trusted computing and TPM Lecture

More information

Trusted Platforms for Homeland Security

Trusted Platforms for Homeland Security Trusted Platforms for Homeland Security By Kevin Schutz, Product Manager Secure Products Summary Ongoing threats from hackers, viruses, and worms continue to make security a top priority for IT and business

More information

The TCG Dynamic Root for Trusted Measurement

The TCG Dynamic Root for Trusted Measurement Copyright Trusted Computing Group 1 The TCG Dynamic Root for Trusted Measurement Author: Lee Wilson TCG D-RTM Subgroup Chair PureFlex Security Architect, IBM Corporation BASIC CONCEPTS Copyright 2013 Trusted

More information

Secure Storage. Lost Laptops

Secure Storage. Lost Laptops Secure Storage 1 Lost Laptops Lost and stolen laptops are a common occurrence Estimated occurrences in US airports every week: 12,000 Average cost of a lost laptop for a corporation is $50K Costs include

More information

CS 155 Spring 2010. TCG: Trusted Computing Architecture

CS 155 Spring 2010. TCG: Trusted Computing Architecture CS 155 Spring 2010 TCG: Trusted Computing Architecture Background! TCG consortium. Founded in 1999 as TCPA. Main players (promotors):! Goals: AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun (>200

More information

Securing the E-Health Cloud

Securing the E-Health Cloud Securing the E-Health Cloud Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy 1st ACM International Health Informatics Symposium (IHI 2010) Arlington, Virginia, USA, 11-12 November 2010 Introduction Buzzwords

More information

IBM Crypto Server Management General Information Manual

IBM Crypto Server Management General Information Manual CSM-1000-0 IBM Crypto Server Management General Information Manual Notices The functions described in this document are IBM property, and can only be used, if they are a part of an agreement with IBM.

More information

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV Nadav Elkabets Presale Consultant Protecting Your Data Encrypt Your Data 1 ProtectFile StorageSecure ProtectDB ProtectV Databases File

More information

Remote 2014 Monitoring & Control. Securing Mobile Devices November 7 th 2014

Remote 2014 Monitoring & Control. Securing Mobile Devices November 7 th 2014 Remote 2014 Monitoring & Control Securing Mobile Devices November 7 th 2014 Purpose / Agenda Ken Lewis, CISSP Director of Cross Domain Security Solutions for Tresys Technology Systems Security Engineer

More information

TPM. (Trusted Platform Module) Installation Guide V3.3.0. for Windows Vista

TPM. (Trusted Platform Module) Installation Guide V3.3.0. for Windows Vista TPM (Trusted Platform Module) Installation Guide V3.3.0 for Windows Vista Table of contents 1 Introduction 1.1 Convention... 4 1.2 TPM - An Overview... 5 2 Using TPM for the first time 2.1 Enabling TPM...

More information

Encrypted File Systems. Don Porter CSE 506

Encrypted File Systems. Don Porter CSE 506 Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest (i.e., on disk) Even if the media is lost or stolen Protecting confidentiality of in-memory data much harder Continue

More information

Secure Wireless Application Platform

Secure Wireless Application Platform Texas Instruments SW@P Secure Wireless Application Platform New Challenges for Wireless Handsets Open Environment Multi-application, Interoperability Multiple Access Data Paths GSM/GPRS, EDGE, 802.11,

More information

Analyzing the Security Schemes of Various Cloud Storage Services

Analyzing the Security Schemes of Various Cloud Storage Services Analyzing the Security Schemes of Various Cloud Storage Services ECE 646 Project Presentation Fall 2014 12/09/2014 Team Members Ankita Pandey Gagandeep Singh Bamrah Pros and Cons of Cloud Storage Services

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

Towards Automated Security Policy Enforcement in Multi-Tenant Virtual Data Centers

Towards Automated Security Policy Enforcement in Multi-Tenant Virtual Data Centers Towards Automated Security Policy Enforcement in Multi-Tenant Virtual Data Centers Serdar Cabuk, Chris I. Dalton, Konrad Eriksson, Dirk Kuhlmann, HariGovind V. Ramasamy, Gianluca Ramunno, Ahmad-Reza Sadeghi,

More information

Too Young to be Secure: Analysis of UEFI Threats and Vulnerabilities

Too Young to be Secure: Analysis of UEFI Threats and Vulnerabilities St. Petersburg State University of Aerospace Instrumentation Department of Information Systems Security Too Young to be Secure: Analysis of UEFI Threats and Vulnerabilities Anton Sergeev Vladimir Bashun

More information

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms Radhika G #1, K.V.V. Satyanarayana *2, Tejaswi A #3 1,2,3 Dept of CSE, K L University, Vaddeswaram-522502,

More information

Integrity measurements for stronger cloud-based authentication

Integrity measurements for stronger cloud-based authentication Integrity measurements for stronger cloud-based authentication John Žic1 Thomas Hardjono 2 1 CSIRO Computational Informatics 2 MIT Kerberos and Internet of Trust Trust in the Digital World: Enabling the

More information

EMSCB: European Multilaterally Secure Computing Base

EMSCB: European Multilaterally Secure Computing Base EMSCB: European Multilaterally Secure Computing Base DemoCD User Guide for Turaya-Crypt / Turaya-VPN June 19, 2006 Contents 1 Overview 3 1.1 EMSCB....................................... 3 1.2 Turaya-VPN....................................

More information

Encrypting stored data. Tuomas Aura T-110.4206 Information security technology

Encrypting stored data. Tuomas Aura T-110.4206 Information security technology Encrypting stored data Tuomas Aura T-110.4206 Information security technology Outline 1. Scenarios 2. File encryption 3. Encrypting file system 4. Full disk encryption 5. Data recovery Simple applications

More information

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules Dr. Frederic Stumpf, ESCRYPT GmbH Embedded Security, Stuttgart, Germany 1 Introduction Electronic Control Units (ECU) are embedded

More information

How to Secure Infrastructure Clouds with Trusted Computing Technologies

How to Secure Infrastructure Clouds with Trusted Computing Technologies How to Secure Infrastructure Clouds with Trusted Computing Technologies Nicolae Paladi Swedish Institute of Computer Science 2 Contents 1. Infrastructure-as-a-Service 2. Security challenges of IaaS 3.

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of ncipher nshield Family of Hardware Security Modules Firmware Version 2.33.60 Issued by: Communications Security Establishment Canada Certification Body Canadian

More information

Extending Secure Execution Environments Beyond the TPM (An Architecture for TPM & SmartCard Co-operative Model) Talha Tariq

Extending Secure Execution Environments Beyond the TPM (An Architecture for TPM & SmartCard Co-operative Model) Talha Tariq Extending Secure Execution Environments Beyond the TPM (An Architecture for TPM & SmartCard Co-operative Model) Talha Tariq Technical Report RHUL-MA-2009-09 16th February 2009 Department of Mathematics

More information

Cisco Trust Anchor Technologies

Cisco Trust Anchor Technologies Data Sheet Cisco Trust Anchor Technologies Overview Cisco Trust Anchor Technologies provide the foundation for trustworthy systems across Cisco. The Cisco Trust Anchor and a Secure Boot check of signed

More information

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA

More information

Trusted Virtual Platforms: A Key Enabler for Converged Client Devices

Trusted Virtual Platforms: A Key Enabler for Converged Client Devices Trusted Virtual Platforms: A Key Enabler for Converged Client Devices Chris I Dalton, David Plaquin, Wolfgang Weidner, Dirk Kuhlmann, Boris Balacheff, Richard Brown HP Laboratories, Filton Road, Bristol

More information

Secure web transactions system

Secure web transactions system Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends

More information

TCG PC Client Specific Implementation Specification for Conventional BIOS

TCG PC Client Specific Implementation Specification for Conventional BIOS TCG PC Client Specific Implementation Specification for Conventional BIOS Specification Version 1.21 Errata Revision 1.00 February 24 th, 2012 For TPM Family 1.2; Level 2 Contact: admin@trustedcomputinggroup.org

More information

Virtualization for Cloud Computing

Virtualization for Cloud Computing Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF CLOUD COMPUTING On demand provision of computational resources

More information

Pulse Secure, LLC. January 9, 2015

Pulse Secure, LLC. January 9, 2015 Pulse Secure Network Connect Cryptographic Module Version 2.0 Non-Proprietary Security Policy Document Version 1.1 Pulse Secure, LLC. January 9, 2015 2015 by Pulse Secure, LLC. All rights reserved. May

More information

SecureDoc Disk Encryption Cryptographic Engine

SecureDoc Disk Encryption Cryptographic Engine SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the

More information

FPGAs for Trusted Cloud Computing

FPGAs for Trusted Cloud Computing FPGAs for Trusted Cloud Computing Traditional Servers Datacenter Cloud Servers Datacenter Cloud Manager Client Client Control Client Client Control 2 Existing cloud systems cannot offer strong security

More information

Security Policy for FIPS 140 2 Validation

Security Policy for FIPS 140 2 Validation BitLocker Windows OS Loader Security Policy for FIPS 140 2 Validation BitLocker Windows OS Loader (winload) in Microsoft Windows 8.1 Enterprise Windows Server 2012 R2 Windows Storage Server 2012 R2 Surface

More information

An Improved Trusted Full Disk Encryption Model

An Improved Trusted Full Disk Encryption Model An Improved Trusted Full Disk Encryption Model Prasenjit Das and Nirmalya Kar Department of Computer Sc. & Engineering, National Institute of Technology Agartala, India. e-mail: pj.cstech@gmail.com; nirmalya@nita.ac.in

More information

CRYPTOGRAPHY AS A SERVICE

CRYPTOGRAPHY AS A SERVICE CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,

More information

Cryptography as a service in a cloud computing environment

Cryptography as a service in a cloud computing environment EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computing Science MASTER S THESIS Cryptography as a service in a cloud computing environment Hugo a.w. Ideler Eindhoven, December 2012 Supervisors:

More information

Towards a Trust Envisioned Cyber Security

Towards a Trust Envisioned Cyber Security International Journal of Innovation and Applied Studies ISSN 2028-9324 Vol. 2 No. 4 Apr. 2013, pp. 540-546 2013 Innovative Space of Scientific Research Journals http://www.issr-journals.org/ijias/ Towards

More information