CS 155 Spring 2010. TCG: Trusted Computing Architecture

Similar documents
Background. TPMs in the real world. Components on TPM chip TPM 101. TCG: Trusted Computing Group. TCG: changes to PC or cell phone

Trusted Computing. Insecure PCs. Foundations for secure e-commerce (bmevihim219)

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Software-based TPM Emulator for Linux

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

Software Execution Protection in the Cloud

Secure Data Management in Trusted Computing

Patterns for Secure Boot and Secure Storage in Computer Systems

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Factory-Installed, Standards-Based Hardware Security. Steven K. Sprague President & CEO, Wave Systems Corp.

Tamper free deployment and execution of software using TPM

vtpm: Virtualizing the Trusted Platform Module

Lecture Overview. INF3510 Information Security Spring Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure

Using the TPM: Data Protection and Storage

Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust. Dan Griffin DefCon 2013

Property Based TPM Virtualization

Embedded Trusted Computing on ARM-based systems

Secure Storage. Lost Laptops

TPM Key Backup and Recovery. For Trusted Platforms

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

Trusted Platforms for Homeland Security

Opal SSDs Integrated with TPMs

Introduction to BitLocker FVE

Improving End-user Security and Trustworthiness of TCG-Platforms

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Trusted Platform Module

Acronym Term Description

Penetration Testing Windows Vista TM BitLocker TM

Trustworthy Computing

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing

TCG Based Approach for Secure Management of Virtualized Platforms State-of-the-art

Implementing Hardware Roots of Trust: The Trusted Platform Module Comes of Age Sponsored by the Trusted Computing Group (TCG)

Encrypting stored data. Tuomas Aura T Information security technology

William Hery Research Professor, Computer Science and Engineering NYU-Poly

On the security of Virtual Machine migration and related topics

vtpm: Virtualizing the Trusted Platform Module

Cautions When Using BitLocker Drive Encryption on PRIMERGY

Certification Report

Technical Brief Distributed Trusted Computing

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Lecture Embedded System Security Dynamic Root of Trust and Trusted Execution

FileCloud Security FAQ

Enhancing Organizational Security Through the Use of Virtual Smart Cards

ACER ProShield. Table of Contents

Using AES 256 bit Encryption

Index. BIOS rootkit, 119 Broad network access, 107

TCG PC Client Specific Implementation Specification for Conventional BIOS

CS252 Project An Encrypted File System using TPM

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

ARTICLE 29 Data Protection Working Party

Trusted Virtual Datacenter Radically simplified security management

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide

Republic Polytechnic School of Information and Communications Technology C226 Operating System Concepts. Module Curriculum

Data Firewall: A TPM-based Security Framework for Protecting Data in Thick Client Mobile Environment

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Introduction to the TPM 1.2

Hi and welcome to the Microsoft Virtual Academy and

OVAL+TPM. A Case Study in Enterprise Trusted Computing. Ariel Segall. June 21, 2011

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Using the TPM to Solve Today s Most Urgent Cybersecurity Problems

Secure Network Communications FIPS Non Proprietary Security Policy

Dell Client BIOS: Signed Firmware Update

Security Policy for FIPS Validation

End User Devices Security Guidance: Apple OS X 10.10

Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04

Aircloak Analytics: Anonymized User Data without Data Loss

Disk Encryption. Aaron Howard IT Security Office

How To Trust Your Computer With A Trusted Platform Module (Tcp)

Computer Security. Draft Exam with Answers

Certifying Program Execution with Secure Processors

Towards a Trust Envisioned Cyber Security

A Security Assessment of Trusted Platform Modules Computer Science Technical Report TR

Hierarchies. Three Persistent Hierarchies. Chapter 9

Windows Server Virtualization & The Windows Hypervisor

SecureDoc Disk Encryption Cryptographic Engine

Abstract. 1 Introduction

The Advantages of Trusted Virtual Platforms

Trusted Platform Module (TPM) Quick Reference Guide

Analyzing the Security Schemes of Various Cloud Storage Services

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Introducing etoken. What is etoken?

How to Encrypt your Windows 7 SDS Machine with Bitlocker

Chapter 4 Application, Data and Host Security

Secure Device Identity Tutorial

Private Virtual Infrastructure: A Model for Trustworthy Utility Cloud Computing UMBC Computer Science Technical Report Number TR-CS-10-04

Security Technology for Smartphones

CS 356 Lecture 28 Internet Authentication. Spring 2013

Windows Phone 8 Security Overview

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

SecureAge SecureDs Data Breach Prevention Solution

Session ID: Session Classification:

Management of Hardware Passwords in Think PCs.

Mutual Authentication Cloud Computing Platform based on TPM

Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

Firmware security features in HP Compaq business notebooks

Protect Sensitive Data Using Encryption Technologies. Ravi Sankar Technology Evangelist Microsoft Corporation

HP ProtectTools User Guide

Using BroadSAFE TM Technology 07/18/05

Transcription:

CS 155 Spring 2010 TCG: Trusted Computing Architecture

Background! TCG consortium. Founded in 1999 as TCPA. Main players (promotors):! Goals: AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun (>200 members) Hardware protected (encrypted) storage: Only authorized software can decrypt data e.g.: protecting key for decrypting file system Secure boot: method to authorize software Attestation: Prove to remote server what software is running on my machine.

TCG: changes to PC or cell phone! Extra hardware: TPM Trusted Platform Module (TPM) chip Single 33MhZ clock. TPM Chip vendors: (~.3$) Atmel, Infineon, National, STMicro Intel D875GRH motherboard! Software changes: BIOS OS and Apps

TPMs in the real world! Systems containing TPM chips: Lenovo (IBM) Thinkpads and desktops Fujitsu lifebook HP desktop and notebooks Acer, Toshiba, Panasonic, Gateway, Dell,! Software using TPMs: File/disk encryption: Vista, IBM, HP, Softex Attestation for enterprise login: Cognizance, Wave Client-side single sign on: IBM, Utimaco, Wave

TPM 101 What the TPM does How to use it

Components on TPM chip Non Volatile Storage (> 1280 bytes) PCR Registers ( 16 registers) Other Junk I/O Crypto Engine: RSA, SHA-1, HMAC, RNG RSA: 1024, 2048 bit modulus SHA-1: Outputs 20 byte digest

Non-volatile storage 1. Endorsement Key (EK) (2048-bit RSA) Created at manufacturing time. Cannot be changed. Used for attestation (described later) 2. Storage Root Key (SRK) (2048-bit RSA) Used for implementing encrypted storage Created after running TPM_TakeOwnership( OwnerPassword, ) Can be cleared later with TPM_ForceClear from BIOS 3. OwnerPassword (160 bits) and persistent flags Private EK, SRK, and OwnerPwd never leave the TPM

PCR: the heart of the matter! PCR: Platform Configuration Registers Lots of PCR registers on chip (at least 16) Register contents: 20-byte SHA-1 digest (+junk)! Updating PCR #n : TPM_Extend(n,D): PCR[n] SHA-1 ( PCR[n] D ) TPM_PcrRead(n): returns value(pcr(n))! PCRs initialized to default value (e.g. 0) at boot time TPM can be told to restore PCR values via TPM_SaveState and TPM_Startup(ST_STATE)

Using PCRs: the TCG boot process! BIOS boot block executes Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0 Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code! BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB.! MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader and so on

In a diagram Hardware BIOS boot block BIOS OS loader OS Application Root of trust in integrity measurement TPM Root of trust in integrity reporting measuring Extend PCR After boot, PCRs contain hash chain of booted software Collision resistance of SHA1 (?) ensures commitment

Example: Trusted GRUB (IBM 05) What PCR # to use and what to measure specified in GRUB config file

Using PCR values after boot! Application 1: encrypted (a.k.a sealed) storage.! Step 1: TPM_TakeOwnership( OwnerPassword, ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again without OwnerPwd: Ownership Enabled Flag False Done once by IT department or laptop owner.! (optional) Step 2: TPM_CreateWrapKey / TPM_LoadKey Create more RSA keys on TPM protected by SRK Each key identified by 32-bit keyhandle

Protected Storage! Main Step: Encrypt data using RSA key on TPM TPM_Seal (some) Arguments: keyhandle: which TPM key to encrypt with KeyAuth: Password for using key `keyhandle PcrValues: PCRs to embed in encrypted blob data block: at most 256 bytes (2048 bits) Used to encrypt symmetric key (e.g. AES) Returns encrypted blob.! Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal will fail othrwise

Protected Storage! Embedding PCR values in blob ensures that only certain apps can decrypt data. e.g.: Messing with MBR or OS kernel will change PCR values.

Sealed storage: applications! Lock software on machine: OS and apps sealed with MBR s PCR. Any changes to MBR (to load other OS) will prevent locked software from loading. Prevents tampering and reverse engineering e.g. software integrity on voting terminals! Web server: seal server s SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache or Apache config! General problem with software patches: Patch process must re-seal all blobs with new PCRs

A cloud application [JPBM 10] Client VM sealed to VMM VMM TPM cloud servers! Client seals VM to VMM measurement VM code and data is encrypted Can only be decrypted on valid cloud server Cloud operator cannot easily access data VMM TPM

Security?! Can attacker disable TPM until after boot, then extend PCRs with whatever he wants? Root of trust: BIOS boot block Defeated with one byte change to boot block [K 07]! Resetting TPM after boot (by sending TPM_Init on LPC bus) allows arbitrary values to be loaded onto PCR.! Other problems: role-back attack on encrypted blobs e.g. undo security patches without being noticed. Can be mitigated using Data Integrity Regs (DIR) Need OwnerPassword to write DIR

Better root of trust! DRTM Dynamic Root of Trust Measurement AMD: skinit Intel: senter Atomically does: Reset CPU. Reset PCR 17 to 0. Load given Secure Loader (SL) code into I-cache Extend PCR 17 with SL Jump to SL! BIOS boot loader is no longer root of trust! Avoids TPM_Init attack: TPM_Init sets PCR 17 to -1

Vista BitLocker drive encryption! tpm.msc: utility to manage TPM (e.g TakeOwnership) Auto generates 160-bit OwnerPassword Stored on TPM and in file computer_name.tpm! Volume Master Key (VMK) encrypts disk volume key VMK is sealed (encrypted) under TPM SRK using Master Boot Record (MBR) Code (PCR 4), NTFS Boot Sector (PCR 8), NTFS Boot Block (PCR 9), NTFS Boot Manager (PCR 10), and Volume Key and Critical Components (PCR 11) Note: VMK does not depend on BIOS PCRs

Vista BitLocker! Many options for VMK recovery Disk, USB, paper (all encrypted with password) Recovery needed after legitimate system change: Moving disk to a new computer Replacing system board containing TPM Clearing TPM! At system boot (before OS boot) Optional: BIOS requests PIN or USB key from user TPM unseals VMK, if PCR and PIN are correct TPM defends against dictionary attack on PIN

TPM Counters! TPM must support at least four hardware counters Increment rate: every 5 seconds for 7 years.! Applications: Provide time stamps on blobs. Supports music will pay for 30 days policy.

Attestation

Attestation: what it does! Goal: prove to remote party what software is running on my machine.! Good applications: Bank allows money transfer only if customer s machine runs up-to-date OS patches. Enterprise allows laptop to connect to its network only if laptop runs authorized software Quake players can join a Quake network only if their Quake client is unmodified.! DRM: MusicStore sells content for authorized players only.

Attestation: how it works! Recall: EK private key on TPM. Cert for EK public-key issued by TPM vendor.! Step 1: Create Attestation Identity Key (AIK) Details not important here AIK Private key known only to TPM AIK public cert issued only if EK cert is valid

Attestation: how it works! Step 2: sign PCR values (after boot) Call TPM_Quote (some) Arguments: keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle PCR List: Which PCRs to sign. Challenge: 20-byte challenge from remote server Prevents replay of old signatures. Userdata: additional data to include in sig. Returns signed data and signature.

Attestation: how it (should) work Attestation Request (20-byte challenge) App OS TPM Generate pub/priv key pair TPM_Quote(AIK, PcrList, chal, pub-key) Obtain cert (SSL) Key Exchange using Cert Communicate with app using SSL tunnel Validate: 1. Cert issuer, 2. PCR vals in cert PC Attestation must include key-exchange Remote Server App must be isolated from rest of system

Using Attestation

Attesting to VMs: Terra [SOSP 03] TVMM Provides isolation between attested applications application: secure login into a corporate network

Nexus OS (Sirer et al. 06)! Problem: attesting to hashed application/kernel code Too many possible software configurations! Better approach: attesting to properties Example: application never writes to disk! Supported in Nexus OS (Sierer et al. 06) General attestation statements: TPM says that it booted Nexus, Nexus says that it ran checker with hash X, checker says that IPD A has property P

EFF: Owner Override! TCG attestation: The good: enables user to prove to remote bank that machine is up-to-date The bad: content owners can release decryption key only to machines running authorized software. Stifles innovation in player design! EFF: allow users to inject chosen values into PCRs. Enables users to conceal changes to their computing environment Defeats malicious changes to computing platform

TCG Alternatives! IBM 4758: Supports all TCG functionality and more. Tamper resistant 486 100MhZ PCI co-processor. Programmable. but expensive ~ $2000. TPM ~ $7.! AEGIS System: Arbaugh, Farber, Smith 97: Secure boot with BIOS changes only. Cannot support sealed storage. Phoenix TrustConnector 2! SWATT: Seshadri et al., 2004 Attestation w/o extra hardware Server must know precise HW configuration

Attestation: challenges

1. Attesting to Current State! Attestation only attests to what code was loaded.! Does not say whether running code has been compromised. Problem: what if Quake vulnerability exploited after attestation took place?! Can we attest to the current state of a running system? or is there a better way?

2. Encrypted viruses! Suppose malicious music file exploits bug in Windows Media Player. Music file is encrypted. TCG prevents anyone from getting music file in the clear. Can anti-virus companies block virus without ever seeing its code in the clear?

3. TPM Compromise! Suppose one TPM Endorsement Private Key is exposed Destroys all attestation infrastructure: Embed private EK in TPM emulator. Now, can attest to anything without running it. Certificate Revocation is critical for TCG Attestation.

4. Private attestation! Attestation should not reveal platform ID. Recall Intel CPU-ID fiasco.! Private attestation: Remote server can validate trustworthiness of attestation but cannot tell what machine it came from.! TCG Solutions: Privacy CA: online trusted party Group sigs: privacy without trusted infrastructure

THE END

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information