Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sami Alsouri Özgür Dagdelen Stefan Katzenbeisser

Published byMyrtle Mosley Modified over 5 years ago

Similar presentations

Presentation on theme: "Sami Alsouri Özgür Dagdelen Stefan Katzenbeisser"— Presentation transcript:

1 Sami Alsouri Özgür Dagdelen Stefan Katzenbeisser
Group-Based Attestation: Enhancing Privacy and Management in Remote Attestation Sami Alsouri Özgür Dagdelen Stefan Katzenbeisser Trust 2010 1

2 Agenda Background and Problems Our approach Implementation
Chameleon Attestation I Chameleon Attestation II Implementation Experimental Results Conclusion 2

3 Trusted Computing Proposed by TCG
Integrity of a system (integrity measurement) Hardware Firmware OS Applications Trusted evidences (remote attestation) State of a systems Chain of Trust Static Dynamic Hardware root of trust (TPM) 3

4 TCG Integrity and Remote Attestation Process
Setup Phase: A trusted instance publishes reference measurement lists (RML) E.g. SW and HW vendors Integrity Measurement: „measure-then-load“ approach Every entity in a computer system is measured A measurement is performed using SHA-1 The hash value h extended to a register in the TPM logged in a Measurement Log (ML) Control is passed then the entity 4

5 TCG Integrity and Remote Attestation Process
Remote Attestation Phase: Challenger (C) Attested Plattform (AP) Attestation Service Nc, PCRNR Check Sig & Nc Recalculate the chain of trust S from Log Is S = PCR[]NR?  If yes, Log is untampered Compare Log with RML Sig{PCR[]NR, Nc}, Log TPM_Quote(Nc, PCRNR) Sig{PCR[]NR, Nc} S = SHA1(SHA1(SHA1(SHA1(BIOS)||SHA1(OS))||SHA1(SW1))||SHA1(SW2)) Reference Measurement List (RML) Name Version SHA-1 BIOS 1 ABC OS EFG SW1 123 2 586 3 AGZ 4 ZKL SW2 TUJ A11 TPM SHA-1 Engine RSA Engine Log ( ) Name Version SHA-1 BIOS 1 ABC OS EFG SW1 123 SW2 TUJ PCR 1 …. PCR[]NR 5

6 Problems with TCG Attestation
Privacy Configuration Privacy (CP) Identity Privacy is already solved, e.g. DAA Targeted Attacks Configuration is known  vulnerabilities are known Scalability Very large RMLs High communication & management efforts Sealing Updates hinder unsealing Reference Measurement List (RML) Name Version SHA1 BIOS 1 ABC OS EFG SW1 123 2 586 3 AGZ 4 ZKL 5 TUJ ... 6

7 Group-Based Attestation - Basic Idea
Illustrating the problems: Too many software and software versions Solution: Building “legal” groups E.g. V1, V2, etc. ∈ g1; SW3, SW4, etc. ∈ g2, etc. Elements in a group produce the same Chain of Trust (CoT) SS2 V1 SW3 SW4 V2 SWM SS1 SW1 SW2 Software Version Software Software Suits Manufacturer SS2 V1 SW3 SW4 V2 SWM SS1 SW1 SW2 Software Version Software Software Suits Manufacturer SS2 V1 SW3 SW4 V2 SWM SS1 SW1 SW2 Software Version Software Software Suits Manufacturer g1 g2  Huge databases, privacy & sealing problems 7

8 Group-Based Attestation - Basic Idea
Examples: S1 = SHA1(SHA1(SHA1(SHA1(BIOS_1)||SHA1(OS_1))||SHA1(SW1_1))||SHA1(SW2_1)) S2 = SHA1(SHA1(SHA1(SHA1(BIOS_1)||SHA1(OS_1))||SHA1(SW1_2))||SHA1(SW2_1)) But we need: Such a statement is possible by grouping Chameleon hashes Group signatures  S1 ≠ S2 ; because of SHA-1  S1 = S2 8

9 Chameleon Hashes First introduced by Krawczky and Rabin 3 algorithms:
Key generation (Kg)  sk, pk Hash function CH(pk, m, r)  h Forge Algorithm to produce randoms F(sk, m, m’, r)  r’ Collision-resistance against users without sk Two variants for remote attestation: Chameleon Attestation I (Ch performed on the attested platform) Chameleon Attestation II (Ch performed on the challenger system)  Ch(pk, m1, r) = Ch(pk, m2, r’) 9

10 Our Approach - Chameleon Attestation I
Setup Phase: Performed by a trusted instance (e.g. software vendor) Runs Kg  (sk, pk) Building a software group: Pick r for a software (sw1) Obtain h = Ch(pk, m, r); h is published to an RML To add a new software (sw2) to the group Use Forge to find a new r’ so that Ch(pk, sw1, r) = Ch(pk, sw2, r’) Integrity Measurement: Similar to TCG process a measurement is: performed using SHA-1 then CH(pk, SHA1(sw), r) = h h extended to a register in the TPM using SHA-1 logged in a Measurement Log (ML)  h is the hash value of all group members 10

11 Our Approach - Chameleon Attestation I (cont.)
Remote Attestation Phase: Challenger (C) Attested Plattform (AP) Attestation Service Nc, PCRNR Check Sig & Nc Recalculate the chain of trust S1 from Log Is S1 = PCR[]NR?  If yes, Log is untampered Compare Log with RML Sig{PCR[]NR, Nc}, Log TPM_Quote(Nc, PCRNR) Sig{PCR[]NR, Nc} S1 = SHA1(SHA1(SHA1(SHA1(BIOS)||SHA1(OS))||SHA1(Ch_SW1v.1))||SHA1(Ch_SW2)) S2 = SHA1(SHA1(SHA1(SHA1(BIOS)||SHA1(OS))||SHA1(Ch_SW1v.2)||SHA1(Ch_SW2)) Reference Measurement List (RML)  S1 = S2 Name Ch BIOS ABC OS EFG SW1 123 SW2 A11 TPM SHA-1 Engine RSA Engine Log ( ) Name Ch BIOS ABC OS EFG SW1 123 SW2 TUJ PCR 1 …. PCR[]NR 11

12 Chameleon Attestation I - Evaluation
Pros: Increasing configuration privacy because of grouping Significant reduction of entries in RMLs (experimental results later) Sealing problem avoided despite updates to new versions Cons: Grouping only by software vendors Privacy and control precision tradeoff Revocation of specific group members is not possible  Challenger must trust all group members SS2 V1 SW3 SW4 V2 SWM SS1 SW1 SW2 Software Version Software Software Suits Manufacturer Control Precision Privacy 12

13 Our Approach - Chameleon Attestation II
Setup Phase: Performed as in Chameleon Attestation I Integrity Measurement: Similar to TCG process a measurement is: performed using SHA-1 h extended to a register in the TPM logged in a Measurement Log (ML) 13

14 Our Approach - Chameleon Attestation II (cont.)
Remote Attestation Phase: Challenger (C) Attested Plattform (AP) Attestation Service Nc, PCRNR Check Sig & Nc Recalculate the chain of trust S from Log Is S = PCR[]NR?  If yes, Log is untampered Calculate Ch(pk, m, r) = h Compare h with RML Sig{PCR[]NR, Nc}, Log TPM_Quote(Nc, PCRNR) Sig{PCR[]NR, Nc} S = SHA1(SHA1(SHA1(SHA1(BIOS)||SHA1(OS))||SHA1(SW1))||SHA1(SW2)) Reference Measurement List (RML) Name pk Ch Status BIOS JGT ABC OS SVG EFG SW1 4HZ ZKL G6Z untrusted …. GBI revoked SW2 EE1 TUJ TPM SHA-1 Engine RSA Engine Log ( ) Name r SHA-1 BIOS GBH ABC OS ESV EFG SW1 HNJ 123 SW2 WKO TUJ PCR 1 …. PCR[]NR 14

15 Chameleon Attestation II - Evaluation
Pros: Significant reduction of entries in RMLs Excluding untrusted/revoked group members is possible Cons: Configuration privacy still a problem Sealing problem not solved 15

16 Our Approach - Attestation Based on Group Signatures
Setup Phase: Performed by a trusted instance (e.g. software vendor) Each member has gsk, all share the same gpk Building software groups: Software (sw) is hashed with SHA-1 and signed with gsk gpk is published to an RML Integrity Measurement: Minor changes to TCG process a measurement is: Signature verification instead of hashing gpk extended to a register in the TPM logged in a Measurement Log (ML) Remote Attestation Phase: Similar to Chameleon Attestation I 16

17 Group Signature Based Attestation - Evaluation
Pros: Increasing configuration privacy because of grouping Significant reduction of entries in RMLs Sealing problem avoided despite updates to new versions Revocation of specific group members is possible Nodes in the tree can have its own gsk Cons: Grouping only by software vendors Privacy and control precision tradeoff Challenger must trust all non-revoked members Bad performance of group signature 17

18 Implementation Trusted Platform Module Bootloader OS
Intel iTPM Bootloader TrustedGRUP OS Fedora 10 with Integrity Measurement Architecture (IMA) Trusted Software Stack jTSS Own client/server in Java RML using MySql 18

19 Experimental Results - Scalability of RMLs
Grouping by packages Fedora 10, e.g. kernel version updated to All packages: we only need to update 37 using grouping rather than 5,448 19

20 Future Research Distributing the private key based parameters
OS distributions often compile software Privacy and control precision tradeoff Grouping performed by software vendors Negotiation between challenger and the attested platform Approaches work only at OS level and above Static TPM functionalities  Hardware details are still released to the challenger 20

21 Conclusion Group-Based attestation Approach is feasible in practice
Privacy, targeted attacks Scalability Sealing Approach is feasible in practice Implementation successfully done Experimental results RML updates in TCG 5,448 vs. 37 in grouping  (147:1) ratio Limitations Privacy and control precision tradeoff Distributing parameters Currently only on software level 21

22 Thanks for your attention
22

23 Experimental Results - Performance
On a Lenovo W500 with: Intel CPU Core Ghz, 1066 Mhz FSB HD 250 GB 4 GB SD RAM 23

Download ppt "Sami Alsouri Özgür Dagdelen Stefan Katzenbeisser"

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Vpn-info.com.

Vpn-info.com.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University.

Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University.
Trusted Computing BY: Sam Ranjbari Billy J. Garcia.

Trusted Computing BY: Sam Ranjbari Billy J. Garcia.
Trusted Computing Platform Alliance

Trusted Computing Platform Alliance
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Extending user controlled security domain.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Extending user controlled security domain.

Similar presentations

Ads by Google