Trusted Platforms for Homeland Security

Transcription

1 Trusted Platforms for Homeland Security By Kevin Schutz, Product Manager Secure Products Summary Ongoing threats from hackers, viruses, and worms continue to make security a top priority for IT and business professionals in both the private and government sectors. Critical homeland infrastructures depend on IT for operations command and control. The emerging Trusted Platform Module (TPM), as driven by the industry consortium Trusted Computing Group (TCG), is a standard that allows affordable authentication, encryption, and network access to be accomplished on a variety of computing platforms, most notably today's PCs. In this paper we will examine the hardware and software applications available for immediate implementation and discuss how the TPM chip can be adapted to address many homeland security issues and applications. Atmel Corporation 2325 Orchard Parkway San Jose, CA TEL (408) FAX (408) Web Site:

2 The Trusted Computing Group The TCG is an industry standards body formed in 1999 by several PC industry leaders. Originally called the Trusted Computing Platform Alliance (TCPA), the primary goal of the group is to promote the concept of trusted computing by establishing an open industry standard, enabling devices and transactions to be trusted, private, protected, safe, and reliable across a wide array of platforms. The TCG establishes specifications for trusted computing across a variety of computing platforms. The foundation for trusted computing relies on the concept of providing a hardware-based "root of trust." Once this root of trust is established, the boundary of trust can be extended to include software at various levels within the computing environment. Hardware-based roots of trust can be quantifiably measured against specific protection profiles, enabling one to begin to accurately measure risk. Once risk can be measured, methods of risk mitigation can be developed, including crafting appropriate policies, underwriting risk, and possibly improving or hardening the computing environment more thoroughly. Trusted Platform Modules Within the concept of trusted computing, a silicon chip defined as a Trusted Platform Module (TPM) provides the hardware-based root of trust. The TPM can be thought of as a secure key generator and key cache management device, supporting industry-standard cryptographic APIs such as MS CAPI and PKSC#11. The TPM contains sufficient cryptographic functionality to generate, store, and manage cryptographic keys in hardware while leveraging the resources of the rest of the system platform. This allows for costeffective "hardening" of many of today's commonly deployed applications that previously relied solely upon software encryption algorithms with keys hidden on a hard disk drive (HDD). A TPM includes a true random number generator (RNG) used in the creation of RSA key pairs internal to the TPM. The source of the "root of trust" lies in the generation of the first key pair a TPM creates: the Storage Root Key (SRK). The SRK is never exported from the TPM. Each SRK is unique, making each TPM unique. Each subsequent RSA key pair that the TPM is requested to generate is bound to the original SRK. The private keys are either securely stored in the TPM or encrypted and then exported from the TPM and stored on a mass storage device such as an HDD. Whenever a key that is not stored on the TPM is required for a particular operation, the encrypted key blob is imported onto the TPM, where it is securely decrypted internally on the TPM. In properly architected systems, unencrypted private keys are never stored outside the TPM for any significant amount of time. The Trusted Computing Group standard version 1.1b specifies that TPM ICs perform five major functions: 1. public key functions for on-chip key pair generation using a hardware RNG; 2. public key signature, encryption, and decryption to enable secure storage of data and digital secrets; A TPM 02/04

3 3. storage of hashes (unique numbers calculated from pre-runtime configuration information) that enable verifiable attestation of the machine configuration when booted; 4. an endorsement key that can be used to anonymously establish that an identity key was generated in a TPM; and 5. initialization and management functions that allow the owner to turn TPM functionality on and off, reset the chip, and take ownership of its functions. Atmel's TPMs meet the TCG standard and also provide additional features for extended security. They integrate a high-performance processor, a cryptographic engine, a random number generator, a secure internal memory, a real-time clock, and tamper prevention circuitry on a single integrated circuit. The TPM processor controls the functions and sequencing of the entire TPM, including its internal functional blocks and its interface to the rest of the system resources, such as the primary system processor and the mass storage available on the system. It moves data between the system processor and the internal TPM memory and sequences the cryptographic engine. The TPM's RNG generates the seed numbers for the cryptographic processor's encryption, decryption, and key generation functions. By off-loading the RSA calculation from the general-purpose system processor, Atmel TPMs improve both system and encryption performance. The TPM's non-volatile memory securely stores encryption keys, including the SRK, endorsement key (EK), and other sensitive data. The TPM processor and the tamper circuits control access to the protected memory. Atmel TPMs also include an unalterable real-time clock (not required by TCG standard 1.1b) that provides tamper-proof, unique date stamping for the authentication and attestation processes. Any alteration of the system clock (e.g., changing the date) signals a possible attempt to extract information out of the TPM. In addition, proprietary, tamper-proof circuits in Atmel TPMs monitor the voltage, clock frequency, and other aspects of the TPM's operating environment for signs of tampering. If the environment moves out of a prescribed range, the tamper prevention circuits will take action to prevent access to sensitive information stored within the TPM. For example, if the TPM's supply voltage drops below a prescribed level, internal memory reads would not be allowed. Lowering the voltage can be a means of accessing sensitive information. The tamper circuits are designed to thwart these attacks. TPMs contain secure non-volatile storage space that is intended to contain measurements of system hardware and software status. Measurement consists primarily of submitting all system software and hardware to a hash algorithm in a predetermined sequence. If this measurement is performed when the system is in a known trusted state, then the resulting hash can be stored in the TPM and compared to the result of a subsequent measurement. Any changes will be detected by the comparison, and appropriate actions can be taken to prevent execution of modified software or hardware. This measurement capability can be used to provide detection of any remote system modifications resulting from malicious viruses or worms. At this point, it is important to note that TPMs do not control any events. They only serve to observe and track system activity. TPMs communicate with system CPUs on a non-system bus, and only act under the control of the system CPU and the policies codified in the A TPM 02/04

4 Utilization of RSA Creating Safe Storage operating system and other application software. If the TPM does detect any suspicious activity, it can only report said activity when requested. Whether to query TPMs for such activity is a policy decision. Furthermore, it is a policy decision to decide to act in a specific manner if the TPM does report back a suspicious result. Finally, as originally defined, TPMs were not intended to serve as stream encryption engines. This is not a matter of technological capability, but rather one of cost. TPMs typically will be deployed in systems containing CPUs that are high-performance relative to TPMs, so the TPM will hand off the stream encryption tasks to the CPU. Since stream encryption capabilities are already present in the CPU, it should be most effective at performing this task. TPMs do not control the encryption process; they only provide capabilities to monitor system processes. The CPU controls any actions the TPM takes; the CPU makes a request to the TPM, and the TPM will take an action. It is generally acknowledged in cryptographic circles that algorithms must be open for public scrutiny before they can be widely accepted and can claim to have withstood critical evaluation by skilled cryptographers. RSA has a proven track record worldwide and is widely deployed in a variety of applications. By employing RSA encryption, TPMs can be used by many of today's popular applications without modification, providing immediate value to the market. Traditional open systems such as PCs do not have a safe place to store confidential information. Now that affordable TPMs are available, a TPM can provide a small safe or depository on the motherboard in which to store such information. Even other computing platforms that employ architectures that are not as open as a PC, such a servers, can benefit from using TPMs, which provide certifiable secure hardware. In many of today's non-tpm systems that employ only software encryption of data and files, the keys are usually stored somewhere on the hard drive. If someone stumbles across encrypted files, all they see is a blob of data. However, given enough time, a diligent hacker - even one who is working at a remote location - will locate the keys hidden on the hard drive. If the keys can be found, the data may as well not be encrypted! With TPMs as part of the system, the keys need not be hidden on the disk drive but can still be protected. The keys can also be stored off the hard drive on a removable token such as a smart card or USB dongle. But removable tokens are much easier to misplace or lose, and they tend to cost much more than TPMs. TPMs provide an affordable improvement in security over existing software-only solutions. With the advent of TPMs, OEMs now have the ability to provide affordable, certifiable hardware security in open system architectures based on industry standards A TPM 02/04

5 Usage Models TPM usage models can range from simple data and file encryption to authentication of entire computing platforms and environments. Several examples of different models follow. Secure Access This model is intended to address the concern of unauthorized local or remote user access to computing resources. The solution is to permit access through automated login and secure auto-logon to applications. TPMs are used to protect and store the encryption keys used to encrypt/decrypt passwords. The benefits include single sign-on; assurance that only the rightful owner has access to the client and related data and capabilities; possible multiple-user authentication methods (compatible with smart cards, biometrics, etc.); and credential/password management via the TPM. Data Protection This model is intended to address the concern of compromised integrity of data stored on a HDD. The solution is to permit access to protected data only by lawful owners of the data. TPMs apply by protecting and storing the encryption keys used to encrypt/decrypt data stored on the HDD, and digital certificates to authenticate the user. The benefits include the transparent encryption of files and folders and access to encrypted files by the OS in the same manner as standard files. Protected Communications This model is intended to address the concern of compromised communications, such as . The solution is to encrypt the communication during transmission through insecure networks and provide digital signatures for proof of content integrity and authorship, using a secure plug-in that integrates seamlessly into popular applications. TPMs can protect and store the encryption keys used to decrypt the communication session key and digital certificates to authenticate the user. The benefits of this model include proof of authorship, integrity of content, and non-repudiation. Secure Network Access This model addresses the concern of restricted access by unauthorized systems to the network. The solution is to manage and control access to resources via the Web or the Internet and to secure the transmission of data over TCP/IP networks. TPMs can protect and store the primary signing key used to authenticate the client. This authentication of the client facilitates the exchange of keys with integrity, enabling the protected communications over integrated network by only allowing network access to known clients. Similarly, for two-way authentication, the network can authenticate the client. This model gives remote employees secure access to corporate LANs and high-speed Internet from any dial-up, cable/dsl, and wireless access point; enables IT staff to verify that the client is known and to secure internal networks and portions of the network; and provides fast hardware solutions for VPN-gateways and Peerless software-only solutions for clients A TPM 02/04

6 Example Using a TPM, the client is able to boot up in a controlled, protected manner. The executive may need to authenticate herself or himself to the client in order to gain access to the client's resources. Once the executive has authenticated herself or himself to the TPM, the client can authenticate with the access point. Both the client and the access point have the ability challenge each other before allowing any further transactions to occur. (See Figures 1 and 2.) Once both the client and the access point have mutually authenticated each other, the next step is to repeat the mutual authentication process between the access point and the disk array (including any intervening nodes). (See Figure 3.) Once each segment of the network has been mutually authenticated, each node pair can then securely perform key exchanges that can be used to protect the communications channels in the form of a VPN from the disk array to the client. In each step of the process, the TPM provides the hardware protection of the keys required to authenticate and harden the communication channel. Intermediate stages of the network may utilize open and shared network segment, allowing transmission over the Internet. Figure 1. Client Authenticates To Access Point Figure 2. Access Point Authenticates To Client A TPM 02/04

7 Figure 3. Network Access Conclusion Trusted platforms enable new usage models for protecting confidential information, securing access, and hardening communication channels based on a measurable hardware root of trust in the form of a TPM. These trusted platforms then become foundations for ensuring trust in what has traditionally been an untrusted and unprotected computing environment. Trusted platforms are commercially available today and can be readily adopted to address homeland security issues. About TCG The Trusted Computing Group (TCG) is an open, industry standards organization formed to develop, define, and promote open standards or hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications enable more secure computing environments without compromising functional integrity, privacy, or individual rights. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from compromise due to external software attack and physical theft. For more information, go to Kevin Schutz, a product manager for Atmel Corporation, is currently focusing on Application Specific Standard Products (ASSPs) for the embedded security market. He has over 20 years of experience in a variety of engineering and business roles within the semiconductor market. He received his B.S.E.E. degree from Colorado State University A TPM 02/04

8 Editor's Notes and his M.B.A. and M.S.E.E. degrees from the University of Colorado. Kevin is a member of the IEEE and is active in a number of TCG working groups. About Atmel Corporation Founded in 1984, Atmel Corporation is headquartered in San Jose, California with manufacturing facilities in North America and Europe. Atmel designs, manufactures and markets worldwide, advanced logic, mixed-signal, nonvolatile memory and RF semiconductors. Atmel is also a leading provider of system-level integration semiconductor solutions using CMOS, BiCMOS, SiGe, and high-voltage BCDMOS process technologies. Further information can be obtained from Atmel s Web site at Contact: Author s Name, Author s Title, Location, Country, Tel: (+33) (0) , [email protected] Atmel Corporation All rights reserved. Atmel and combinations thereof are the registered trademarks of Atmel Corporation. Other terms and product names may be the trademarks of others A TPM 02/04