TPM 2.0. Introduction to Next Generation of Trusted Platform Module

What is a TPM?
- Stands for Trusted Platform Module
- Holds tamper-resistant values that are used to help establish trust in a platform
- Traditionally has been a separate component on the system motherboard, but now is also being integrated into the chipset
- TPM is the flagship product of the Trusted Computing Group (TCG)
- First TCG version of the specification (TPM 1.2) was released in 2003
  - Derived from the TPM 1.1 specification of the TCPA
  - Became ISO/IEC 11889:2009

Reason for a TPM
- A primary function for the TPM is to identify a system
- The identity of a programmable device is a combination of the hardware and the software that it is running
- TPM reports on platform identity so that others can decide whether or not to trust the platform
- A TPM is a reliable witness, but it does not make value judgments
  - The TPM just provides responses to requests; it is not able to directly intrude on system operation
- It's kind of like a smart card for your computer, using the identity of the software as the PIN
  - Can protect secrets so that they are only accessible when the right software is running on the system

The Hardware Identity
- The TPM uses an asymmetric key to identify the hardware
  - Key is statistically unique
  - In TPM 1.2, it is an RSA key; in TPM 2.0, it can be either RSA or ECC
- This key is generated within the TPM, and the private portion of the key is unknown outside of the TPM
  - Except that manufacturers can inject the key to save time in production
- The key uniquely identifies the TPM and the computer system to which it is attached
- The key might not tell us what the system is (cell phone or supercomputer), but it unambiguously tells us which system it is
  - When the type of the system matters, there are ways to disambiguate

The Software Identity
- The accepted way to identify software is to hash it
  - In TCG speak, this is called measuring software
- Collecting the hashes of all of the software that has run is the full identity, but it is next to impossible to evaluate
- However, the identity of the system's trusted computing base (TCB) is smaller and more comprehensible
- If the TCB can be identified and the policy it enforces is known, then informed decisions can be made about whether or not to trust that system
  - For example, we'd like to know if the correct OS and anti-malware software was loaded and run before any application code was loaded

(Diagram: the identity of the software reduces to the identity of the TCB)

Identity of the TCB
- The TCB is the part of a system that is responsible for enforcing the security policy of the system
  - In an OS like Windows, it includes the kernel and some privileged applications such as anti-malware
- TCB also includes the platform firmware/software used to load the TCB (the system BIOS/UEFI)
- We identify the TCB by measuring it

Measured Boot of the TCB
(Diagram of the boot sequence: System Reset → DCRTM → PEI (Pre-EFI Initialization) → DXE (Driver Execution Environment) → Boot Manager (Boot Device Select) → OS Loader (System Load Policy) → ELAM → OS Policy Engine → Application Environment)
- As the system boots, measurements of the TCB components are accumulated in the TPM in a way that lets the TPM provide the identity of the TCB software
- Measurements of the software go into a TPM register called a Platform Configuration Register (PCR)

Reporting on the TCB
- Measured boot leaves a characteristic fingerprint of the boot sequence in one or more PCRs in the TPM
- The TPM can report these accumulated measurements in a cryptographically verifiable way
  - Uses standard schemes (e.g., ECDSA) to sign the PCR values
- A good use is as part of a health check of a client system when it joins the corporate network
- The PCR contents can often disambiguate the type of device
  - Code identity for a cell phone will differ from code identity for a supercomputer
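The extend-and-replay mechanism behind the two slides above, as an added Python illustration (not code from the presentation): PCR values are only ever extended, a verifier replays the client's event log to reproduce the reported PCR, and then checks each event against reference digests. The boot component contents and the allow-list are constructed; signature checking of the quote is assumed done elsewhere.

```python
import hashlib

# Added illustration of the PCR extend rule the slides describe; not code from the
# presentation. Boot component contents and the event log below are constructed.

def measure(component: bytes, alg: str = "sha256") -> bytes:
    """Measuring = hashing the component (TCG terminology)."""
    return hashlib.new(alg, component).digest()

def extend(pcr: bytes, digest: bytes, alg: str = "sha256") -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). A PCR cannot be set,
    only extended, so the final value depends on every event and its order."""
    return hashlib.new(alg, pcr + digest).digest()

def simulate_boot(components, alg: str = "sha256"):
    """Accumulate an ordered boot sequence into one PCR, starting from the
    all-zero reset value; returns (final PCR value, event log of digests)."""
    pcr = bytes(hashlib.new(alg).digest_size)
    log = []
    for comp in components:
        d = measure(comp, alg)
        log.append(d)
        pcr = extend(pcr, d, alg)
    return pcr, log

def verify_reported_pcr(reported_pcr: bytes, event_log, alg: str = "sha256") -> bool:
    """Verifier side of the health check: replay the client's event log and
    compare with the PCR value in the quote. Checking the quote's signature
    (ECDSA over the PCR values) is assumed done already and is not modelled."""
    expected = bytes(hashlib.new(alg).digest_size)
    for d in event_log:
        expected = extend(expected, d, alg)
    return expected == reported_pcr

def log_is_known_good(event_log, known_good_digests) -> bool:
    """Policy step: every replayed event must be on the allow-list of digests
    the administrator collected from a reference boot."""
    return all(d in known_good_digests for d in event_log)

# Constructed boot sequence following the slide's stages.
GOOD_BOOT = [b"DCRTM", b"PEI", b"DXE", b"BootManager", b"OSLoader", b"ELAM"]
KNOWN_GOOD = {measure(c) for c in GOOD_BOOT}

if __name__ == "__main__":
    pcr, log = simulate_boot(GOOD_BOOT)
    print("PCR:", pcr.hex())
    print("replay ok:", verify_reported_pcr(pcr, log), "all known:", log_is_known_good(log, KNOWN_GOOD))
```

The `alg` parameter is there because TPM 2.0 keeps separate PCR banks per hash algorithm (crypto agility); a SHA-1 bank yields a 20-byte value from the same event log.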

Trusting the TPM
- How does one trust what the TPM is saying?
- How does one know that they are dealing with an actual TPM?

Trusting the TPM
- The TPM has an asymmetric Endorsement Key (EK) that is the certified identity of the TPM
  - Certificate could be an X.509 certificate placed in the TPM by the TPM manufacturer
  - The certificate could be an email from the platform manufacturer that says "I just shipped systems to you with these TPM EKs"
  - Combination of the above, or something different
- When attaching to the corporate network, use the certified key to sign the accumulated PCR measurements and give them to a server
  - Signing key identifies the client hardware
  - The Quote of the PCRs identifies the client software
- Protect privacy by using pseudonymous keys for signing instead of the EK

Why TPM 2.0?

Why TPM 2.0?
- Had to
- TPM 1.2 uses SHA1 and RSA 2048 as the only fully-supported algorithms
  - SHA1 is no longer considered adequate
  - RSA is not being recommended for security strengths above 112 bits

RSA key size (bits)   Security strength (bits)   Key bits / bit of security strength
1024                  80                         (12.5)
2048                  112                        (18.3)
3072 (SECRET)         128                        (24)
7680 (TOP SECRET)     192                        (40)
From SP800-57, Table 2

Other Issues to Deal With in TPM 2.0
- Crypto agility
  - Don't want to have to rewrite the TPM specification every time an algorithm is broken/retired
  - Need to accommodate geographic/government requirements
  - Need to accommodate different security levels
- Authorization agility
  - Need simpler authorization
  - Need more complex authorization
- Hardware agility
  - Implement in PC
  - Implement in SoC (phone and tablet)
  - Implement in embedded systems


What is Crypto Agility?
- Simply means that the interface to the TPM should accommodate changes to cryptography
  - Different asymmetric algorithms and key sizes
  - Different symmetric algorithms and key sizes
  - Different hash algorithms and digest sizes
- Achieving this required a complete redo of the TPM specification
  - Maintained many of the concepts, but
  - Tossed all the data structures, and
  - Redid all of the commands
- Made sure that the new data structures are flexible and able to accommodate new algorithms
  - In the future, will add to the specification rather than replace it


Authorization Agility
- TPM 1.2 has only 3 authorization elements
  - Authorization value
  - PCR state
  - Locality (hardware privilege level)
  - 8 total combinations of these simple elements
- TPM 2.0 has 12 authorization elements so far
  - Authorization value
  - PCR state
  - Locality
  - Physical presence
  - Asymmetric signature
  - Specific objects
  - Symmetric shared secret
  - Duplication
  - Time limited
  - NV written
  - Specific command
  - Contents of NV
- Authorization elements can be combined using logical constructs (AND / OR) to give fine-grained access control over TPM 2.0 keys and data

Authorization Policy Example
- Scenario: Multiple systems are used by multiple users. Each user has access to a different set of systems. Want each user to have their identity recognized on each system on which they are authorized.
- Solution: Give each person an identity card (such as a CAC) and a password for that card. The identity card will sign a number when it is given the proper password (PIN). Each system then has a master key in the TPM, so that access to the master key is required to use the system.
- Create a policy for the master key that is the OR of a signature from each of the identity cards authorized on that system, AND measurements that indicate the system is in a trusted state
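How the policy from this slide is expressed as a TPM 2.0 policy digest, as an added Python illustration (not code from the presentation): each authorized card gets a PolicySigned branch, PolicyOR joins the branches, and PolicyPCR extended on top is the AND with the measured state. The TPM_CC command codes and the chaining rules follow the TPM 2.0 Library specification (Parts 2 and 3); the card key names and PCR contents are constructed placeholders.

```python
import hashlib
import struct

# Added illustration of how TPM 2.0 policy digests are built for the slide's
# scenario; not code from the presentation. Command codes are the TPM_CC values
# from the TPM 2.0 Library spec (Part 2); the hash chaining follows Part 3.
# Key names and PCR contents used with this code are constructed placeholders.
TPM_CC_PolicySigned = 0x00000160
TPM_CC_PolicyOR = 0x00000171
TPM_CC_PolicyPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
ZERO = bytes(32)  # a fresh policy session starts with an all-zero digest

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def key_name(public_area: bytes) -> bytes:
    """Name of a key: name algorithm ID followed by the hash of its public area."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()

def policy_signed(digest: bytes, signer_name: bytes, policy_ref: bytes = b"") -> bytes:
    """TPM2_PolicySigned: extend with the command code and the signer's Name,
    then with policyRef; satisfied at run time only by that card's signature."""
    return H(H(digest, struct.pack(">I", TPM_CC_PolicySigned), signer_name), policy_ref)

def pcr_selection(pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION: one SHA-256 bank with a 3-byte PCR bitmap."""
    bitmap = bytearray(3)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)

def policy_pcr(digest: bytes, pcrs, pcr_values: dict) -> bytes:
    """TPM2_PolicyPCR: bind the policy to H(selected PCR values), so the key is
    usable only while the measured boot state matches."""
    pcr_digest = H(*(pcr_values[i] for i in sorted(pcrs)))
    return H(digest, struct.pack(">I", TPM_CC_PolicyPCR), pcr_selection(pcrs), pcr_digest)

def policy_or(branches) -> bytes:
    """TPM2_PolicyOR: restart from zero and extend with all branch digests. The TPM
    accepts this step only if the session's current digest equals one branch."""
    return H(ZERO, struct.pack(">I", TPM_CC_PolicyOR), *branches)

def or_step_allowed(session_digest: bytes, branches) -> bool:
    """The membership check the TPM performs before PolicyOR succeeds."""
    return session_digest in branches

def master_key_policy(card_names, pcrs, pcr_values: dict) -> bytes:
    """Slide's policy: (signature from any authorized card) AND (trusted PCR state).
    AND is expressed by extending the OR result with PolicyPCR."""
    branches = [policy_signed(ZERO, name) for name in card_names]
    return policy_pcr(policy_or(branches), pcrs, pcr_values)
```

The digest returned by master_key_policy is what would be stored as the master key's authPolicy; a session only reaches the same value by running PolicySigned with one of the listed cards, then PolicyOR, then PolicyPCR while the PCRs hold the expected values.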

More Policy Examples
- Use input from a biometric sensor as a factor for authorization
  - Retina scanner
  - Fingerprint scanner
  - Facial recognition
  - Etc.
- Use input from GPS so that a TPM key can only be used within specific geographic constraints
- Have a key expire unless authorization is refreshed periodically


Hardware Agility (Variability)

Hardware Variability
- Almost all TPM 1.2 were implemented as discrete devices
  - Provides the necessary isolation from the OS
  - Secrets not accessible outside of the physical TPM device
- Many SoC implementations have an execution environment that is isolated from the OS
  - TrustZone on ARM
  - Platform Trust Technology (PTT) on some Intel systems
  - Etc.
- SP800-164 provides guidance on how to host a TPM on these systems so that they are as secure as many discrete TPM implementations
  - Usually, the only thing missing is advanced tamper resistance

Firmware TPM
- Because TPM 2.0 comes with source code, SoC vendors are going directly to TPM 2.0 instead of doing TPM 1.2
- These implementations are often referred to as firmware TPMs (fTPM) to distinguish them from a TPM in a discrete chip
  - Code runs in the isolated execution environment of the SoC
- Because of product cycles, it is hard to get a Common Criteria evaluation of an fTPM
- But, expect to see FIPS certified fTPMs within a year-ish
  - Level 1 is probable
  - Level 2 is a possibility because TPM 2.0 does not have the same issues as TPM 1.2
  - In TPM 1.2, can't do Level 2 compliance without breaking a lot of SW

Other TPM 2.0 Improvements

Improved Controllability
- Separated control of the privacy and security aspects of the TPM
  - Different key hierarchies: storage and endorsement
  - Different authorizations: ownerAuth and endorsementAuth
  - Different enables: shEnable and ehEnable
  - User gets to decide what gets used, or not
- TPM is more useful to the platform manufacturer
  - Private key hierarchy
  - Can use TPM to help ensure secure updates to the firmware
- Separate control for anti-hammering reset
  - Owner knows the lockoutAuth (hopefully)
  - Lets the OS manage the ownerAuth
- Starting with Win8, have simplified TPM provisioning

Miscellaneous Improvements
- Added a notion of time
  - Can set an expiration time for a key
  - Can set an expiration on an authorization
- Better use of non-volatile memory
  - Counters, revocation bits, and application-specific PCRs
  - Special mode allowing a high update rate without endurance problems
- Made it easier for different manufacturers to build devices that work the same
  - Specification contains source code for all commands
  - Possible to build a TPM simulator to test the specification
  - Sources available to anyone
  - Microsoft also provides machine-readable sources to TCG members

Windows Support of TPM

Windows Support of TPM
- TPM 2.0 is a Win8 certification requirement for all connected standby systems
  - These are the devices that are always on and connected to some network (such as a cell phone)
- Microsoft is planning on making TPM 2.0 a certification requirement regardless of the system type
  - 2015 timeframe, to give vendors time to plan for the transition
- Microsoft is driving ubiquity because everyone deserves to have the security benefit of the TPM
  - Easier to do this now that TPM 2.0 has addressed many of the cost issues
  - Also, not likely that TPM 2.0 will be obsolete due to changes in cryptography

Current Windows TPM Applications
- BitLocker / Device Encryption
- Virtual Smart Card
  - TPM can be enrolled and made to look like a smart card for the computer
  - Direct Connect can use this for access to the corporate network
  - Don't need to have a smart card reader on every computer
- Keys with certificates can be protected by the TPM
- Measured Boot
- More coming in Win8.1
  - Details in Chris Hallum's presentation

Questions?

Thanks for Coming!