Opal SSDs Integrated with TPMs



Similar documents
TPM Key Backup and Recovery. For Trusted Platforms

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Acronym Term Description

Trusted Platforms for Homeland Security

Using AES 256 bit Encryption

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Property Based TPM Virtualization

Software-based TPM Emulator for Linux

Trusted Computing Basics: Self-Encrypting Drives

Secure Data Management in Trusted Computing

Software Execution Protection in the Cloud

Trusted Platform Module

Mutual Authentication Cloud Computing Platform based on TPM

Advances in Storage Security Standards Jason Cox Intel Corporation

Data At Rest Protection

ACER ProShield. Table of Contents

Hierarchies. Three Persistent Hierarchies. Chapter 9

YubiKey Integration for Full Disk Encryption

An Improved Trusted Full Disk Encryption Model

Background. TPMs in the real world. Components on TPM chip TPM 101. TCG: Trusted Computing Group. TCG: changes to PC or cell phone

Using the TPM: Data Protection and Storage

Index. BIOS rootkit, 119 Broad network access, 107

Navigating Endpoint Encryption Technologies

Technical Brief Distributed Trusted Computing

TPM. (Trusted Platform Module) Installation Guide V2.1

RSA Authentication Manager 7.1 Basic Exercises

Introduction to BitLocker FVE

vtpm: Virtualizing the Trusted Platform Module

Embedded Trusted Computing on ARM-based systems

Secure Device Identity Tutorial

Pulse Secure, LLC. January 9, 2015

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

BitLocker Encryption for non-tpm laptops

TPM. (Trusted Platform Module) Installation Guide V for Windows Vista

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Attestation and Authentication Protocols Using the TPM

vtpm: Virtualizing the Trusted Platform Module

Patterns for Secure Boot and Secure Storage in Computer Systems

SecureStore I.CA. User manual. Version 2.16 and higher

Commercially Proven Trusted Computing Solutions RSA 2010

End User Devices Security Guidance: Apple OS X 10.10

Secure Storage. Lost Laptops

Kaspersky Lab s Full Disk Encryption Technology

Technical Note. Installing Micron SEDs in Windows 8 and 10. Introduction. TN-FD-28: Installing Micron SEDs in Windows 8 and 10.

Rights Management Services

Gain Complete Data Protection with SanDisk Self-Encrypting SSDs and Wave Systems

Cisco Trust Anchor Technologies

Key Management Best Practices

1. System Requirements

HP Commercial Notebook BIOS Password Setup

TrustKey Tool User Manual

Guidance End User Devices Security Guidance: Apple OS X 10.9

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

PROXKey Tool User Manual

What security and assurance standards does Trustis use for TMDCS certificate services?

CS252 Project An Encrypted File System using TPM

Angel Dichev RIG, SAP Labs

SecureDoc Disk Encryption Cryptographic Engine

Industrial Flash Storage Trends in Software and Security

On the security of Virtual Machine migration and related topics

How Drive Encryption Works

The Impact of Cryptography on Platform Security

Secure Cloud Storage and Computing Using Reconfigurable Hardware

TCG PC Client Specific Implementation Specification for Conventional BIOS

Factory-Installed, Standards-Based Hardware Security. Steven K. Sprague President & CEO, Wave Systems Corp.

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Salesforce1 Mobile Security Guide

Self-Encrypting Drives

ClockWork Enterprise 5

Encrypting stored data. Tuomas Aura T Information security technology

Full Drive Encryption Security Problem Definition - Encryption Engine

Using BroadSAFE TM Technology 07/18/05

Integration Guide. CyberArk Microsoft Windows

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

Windows 7 BitLocker Drive Encryption Security Policy For FIPS Validation

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

e-authentication guidelines for esign- Online Electronic Signature Service

DriveLock and Windows 8

Trustworthy Computing

Making Data at Rest Encryption Easy

Disk Encryption. Aaron Howard IT Security Office

William Hery Research Professor, Computer Science and Engineering NYU-Poly

Key Management and Distribution

Table of Contents. TPM Configuration Procedure Configuring the System BIOS... 2

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide

IBM Crypto Server Management General Information Manual

Embedding Trust into Cars Secure Software Delivery and Installation

Transcription:

Opal SSDs Integrated with TPMs August 21, 2012 Robert Thibadeau, Ph.D.

U.S. Army SSDs Must be Opal s We also Studied using the TPM (Trusted Platform Module) with an Opal SSD (Self-Encrypting Drive) 2

Security Architecture Provisioning and Use Central Distribution Highly trusted, highly secure location where PCs and s are provisioned with security configurations and secrets that will not change over the life of the PC and. Fielding Site Trusted, secure location where certain field provisioning, de-provisioning, and purging operations take place on the s. -- NOT TPMS which are on the motherboards PC Moderately trusted, moderately secure location. At this location all authorities and their credentials are fixed except a user can change his own password. OPAL PRE-BOOT (MBR Shadow) is considered SECURE 3

Trusted Computing Group (TCG) Overview Self-Encrypting Drive () Opal 1.0 & 2.0+ Data-At-Rest Protection Trusted Platform Module (TPM) Versions 1.2 & 2.0e Hardware Protected PC Identity Key and Key Storage 4

What is an? Secure Data Storage Overview Self-Encrypting Drive () Opal 1.0 & 2.0+ Data-At-Rest Protection Independent of OS and OS- Present Software Motherboard Drive Controller (SATA) Drive I/O Interface (SATA) Drive Electronics w/ Encryption Circuits and Passcode Firmware 100% of Data Written Here is Encrypted 5

Overview What is a TPM? TPM Guards Cryptography and Data Trusted Platform Module (TPM) Versions 1.2 & 2.0e Hardware Protected PC Identity Key and Pre-OS-Boot Environment Public-Private Keypairs Hardware Protected Private Key Operations Secured Input - Output Cryptographic Processor Random Number Generator RSA Key Generator SHA-1 Hash Generator Encryption/Decryption Signature Engine TPM Platform Configuration Registers (PCRs) For Guarded PC Health Measurements Onboard Memory Endorsement Key (EK) Storage Root Key (SRK) SRK Memory Platform Configuration Registers (PCR) Attestation Identity Keys (AIK) Other Storage keys 6

Overview In Normal Use How do the two work together? Passcode to Unlock TPM Additional Unlock Key 7

Overview How do the two work together? In Provisioning Disk Duplicator Passcodes to Unlock and Manage and Use TPM Central Distribution PC Setup TPM_Passcode, Key Pair, and Certificate Creation TPM Additional Unlock Key 8

Overview Use Cases 1 2 + TPM 3 TPM 9

Opal s support Authority Hierarchy authenticated with 32 Byte Passcodes Security Architecture Admin SP Administrator, or SID, or Drive Owner Creates / Deletes Central Distribution Assigns Roles Initialize Locked 128 MB* *Includes preboot SW and a datastore Locking SP Administrator, or Admin Up to 4 Fielding Site Admin or User Passcode Creates / Deletes Assigns Locking Roles Locking SP User, or User Up to 8 Vehicular PC Unlocks Unlocked 256 GB 10

TPMs Create their Own Public Private Keypairs and Protect Private Key Encryption(Signing) or Decryption(Exchange) Created Only Auth Owner (20 Byte Passcode) Once in Central Distribution Creates / Deletes Assigns Roles Can Assign Other Passcodes to Use Private Keys Public Private Keypairs EK (Endorsement Key) Unique to Every TPM Needed to Make AIK (Attestation Identity Key) Unique to Every TPM Needed to Make Needed to Certify SK (Storage Key) E.g., To Store Passwords Non-Spoofable Device Identity 11

X.509v3 Certificates Certify Public Keys Public (Puk) - Private (Prk) Keypairs Private Keys held externally in high security Root Certificate with Puk 1 Self-Signed by Prk 1 Signed by Manufacturer Root Certificate with Puk 3 Self-Signed by Prk 3 Signed by org TPM Non- Migratable Keypairs (Private Keys are created and Never Leave the TPM) EK Certificate with Puk 2 Signed by Prk 1 Proves real TPM Created Only Once in Central Distribution AIK Certificate with Puk 4 Signed by Prk 3 Proves Device ID SK Certificate with Puk 5 Signed by Prk 4 Stores Passcode Split 12

Operator Drive Unlock Sequence: TPM Bound & Non-TPM TPM Binding Security Architecture Non or Unbound TPM User 1 Passcode User 1 Passcode Pre-Boot Pre-Boot Data store Preboot Auth Code TPM User 2 = TPM Split XOR User 1 SK Passcode TPM SK Blob TPM Split Access Control Preboot Auth Code Access Control Media key Media key Drive Unlock Drive Unlock 13

Thanks! Central Distribution Highly trusted, highly secure location where PCs and s are provisioned with security configurations and secrets that will not change over the life of the PC and. Fielding Site Trusted, secure location where certain field provisioning, de-provisioning, and purging operations take place on the s. -- NOT TPMS which are on the motherboards PC Moderately trusted, moderately secure location. At this location all authorities and their credentials are fixed except a user can change his own password. OPAL PRE-BOOT (MBR Shadow) is considered SECURE 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information