Where are TPMs today?
- Over 1,000,000,000 shipped machines with TPMs in them
- All business class machines (except Apple)
- Used by BitLocker
- Most are not turned on
- Hard to turn on (BIOS controlled)
- Not FIPS (yet)
- SHA-1 is integral in the design (expires end of 2013)
- TPM 2.0 fixes the problems
- Required for MS 8.0 phones / tablets
Outline
- How TPM 1.2 and 2.0 are the same
- How TPM 1.2 and 2.0 are different
  - Algorithms
  - Hierarchies
  - Extended Authorization
  - PCR Brittleness
  - Sessions
- Working with the Spec
- New Use Cases
Comparison of capabilities (10,000 feet)

Capability | TPM 1.2 | TPM 2.0
Root of trust for storage | Yes | Yes
RNG | Yes | Yes
Secure key gen | Yes | Yes
Secure key store | Yes | Yes
NVRAM | Yes | Yes
Attestation | Yes | Yes
Anti-hammer | Yes | Yes

- RTS: can keep root keys stored, which in turn can store other keys kept outside the TPM
- RNG: random number generator
- Secure key gen: knows how to create RSA, ECC, and AES keys
- Secure key store: can store keys encrypted with the RTS, or in NV on the device (if there is enough room)
- NVRAM: non-volatile random access memory
- Attestation: PCRs + signatures
- Anti-hammer: if you try too many times to guess a password, you go to time out

So what is the difference?
Differences are architectural (code size reduced by almost a factor of 2)

Architecture | 1.2 | 2.0
Algorithms | Fixed: RSA2048/SHA-1 | Any: RSA/ECC, SHA-1, SHA-2, AES
Anti-hammer | Principles enacted | Architected: leaky bucket
Authorization | HMAC, PCR, physical presence | Extended Authorization (more about this in later slides)
Authorization | Different for different objects in a TPM | Unified
Authorization | Difficult to revoke keys | Relatively easy to revoke keys
Authorization | Difficult to manage: owner_auth conflated with privacy authorization, TPM management, anti-hammering management | Easy to manage: authorization is separated out by what is being managed. Principle of Least Privilege followed
Differences are architectural (continued)

Architecture | 1.2 | 2.0
Manageability | Difficult | Always "on"
NVRAM | Fixed | Can be used for counters, PCRs, authorization, storage
Object references | By pointer | By name (no substitution attacks possible)
Side channel attacks | HMAC-protected SRK | Keys checked on loading before they are used; new forms of authorization
Types of keys | Fixed types (AIK, signing, binding, etc.) | Flexible types (but you can still make keys with 1.2-like behavior)
FIPSable | Yes (level 1) | Yes (level 2)
PCRs | Brittle | Easily managed
Single Sign On | | Easy
SRKs | One, RSA 2048 | As many as you want, you pick the algorithm
HMAC | Not available | Available
Command family comparison (some 1.2 functions not included as seldom used)

Command Family | Number of Commands 1.2 | Number of Commands 2.0
Self test | 3
Sessions | 0 (in TPM mgmnt) | 2
Key management | 14 | 10 (EA reduction)
Key use | 7 | 9 (symmetric keys)
Random Numbers |
Hash / HMAC | 3 (hash only) | 8
Integrity Collection and Attestation | 11 | 10
Authorization | 18 (EA)
TPM management | 33 | 28
Clocks and Timers | 2 (timer only) | 4
Non Volatile memory management | 14 (new functions)
Total | 92 | 108
Algorithm Differences
- Algorithm flexibility
  - 1.2: ONLY RSA (512, 1024, 2048); SHA-1; NO exposed symmetric
  - 2.0: Any asymmetric, hash, or symmetric algorithm
    - Needs to be approved by the Technical Committee, Platform spec
    - Right now this means: RSA / ECC (curves under discussion); SHA-1 / SHA-2 (Russian, Chinese algorithms also likely); AES (GOST, SMS4 also likely)
- Accessible symmetric encryption
  - 1.2: Not available (export concerns)
  - 2.0: Available in the specification. May or may not be in Platform specs
    - Encryption / Decryption / HMAC (signing)
Symmetric Keys
- Bulk encryption
  - May or may not be required by the PC Spec
  - Can be created as root keys
- HMAC signing
- Used for key storage (when not duplicating)
Multiple Hierarchies
- Platform Hierarchy: one hierarchy for the platform manufacturer
  - For use by BIOS and SMM only
  - Uses new authorization re-created at each boot
  - Likely contains permanent keys; not to contain user info
- Privacy Hierarchy
  - Endorsement key control
  - Can have as many endorsement keys as you like
  - Can have as many keys below it as you would like
- Storage Hierarchy
  - Can have as many SRKs as you like
- Null Hierarchy
  - For use of the TPM as a crypto accelerator
  - Hierarchy disappears on TPM reset
Seed-based hierarchies
- Random number seed for each hierarchy
- Primary keys (SRK-like, EK-like) derived with a KDF
  - Use the key description and seed as input to the KDF (Key Derivation Function)
  - Can add a salt if you wish
- Primary keys can be re-generated or loaded in NV
  - If loaded in NV, they act like the 1.2 EKs or SRKs
  - Handle picked by the end user, not generated by the TPM
  - Multiple EKs, SRKs allowed (like TPM 1.2 owner-evict keys)
  - Limited NV likely available
- Seeds may be replaced from the RNG
  - Automatically evicts derived keys from NV
  - Destroys the hierarchy
Authorization
- 1.2: Everything a special case
  - Keys: authorized with HMAC, PCRs, Locality, Delegation table
  - Authorization data changeable for use, but not migration
  - NVRAM could use owner_auth or different auth, PCRs, Locality
  - TPM functions: some owner_auth, some physical presence
  - Certified migratable keys: complicated authorization, including signatures
- 2.0: Everything unified
  - Many new kinds of authorization
  - Any can be used with any kind of entity
Extended Authorization
You can make as simple or as complicated an authorization policy for an object as you wish.

Type | Example | Use case
Password | "cat" | Entered during BIOS boot, from a trusted path
HMAC | Using SHA256 | Entered from a remote device
Private key | CAC card | Administrative features
Private key plus data | Signed biometric | Identify fingerprint + reader it came from + freshness
Private key plus data | Location | GPS location + GPS identity + freshness
Counter | When 1 < counter < 6 | You can use this key exactly 4 times
Timer | 200 < timer < 600 | You can use this key for the next 400 seconds
Clock | Clock < 1:30 12/21/2012 | You can use this key until 1:30 12/21/2012
Command | Signing data | Restricting user rights
Copy | Making a copy of the key | Restricting administrative rights
Copy to target | Copy to a particular TPM | Backup
Extended Authorization (continued)
You can make as simple or as complicated an authorization policy for an object as you wish.

Type | Example | Use case
Authorize different object | Link objects to use the same authorization | Single Sign On
PCR | When PCR 0 = .... | You can only use this key if you booted correctly
Locality | When the command comes from an approved location | Intel / AMD virtualization modes, DRTM (new localities: )
Signed Policy | When an approved policy is met | You can only use this key if the Dell system booted from a BIOS signed by DELL, as shown by PCR 0
AND | Require multiple authorizations | Multi-factor authentication
OR | Allow different authorizations | Bob OR Sally OR Bill can use the object
Mix and match
- Bob authorizes with a password and CAC card
- Sally authorizes with her iris scan and CAC card
- Bill authorizes with his fingerprint, iris scan and password
- Policy: Bob, Sally OR Bill can use this key.

Use case: I create a policy called work_backup and another called work_Nobackup
- Me: authorize with CAC card and password
- IT: authorize with CAC card and iris scan
- Work_backup = Me OR IT
- Work_Nobackup = Me
Policy is represented by a single hash
Things to keep in mind:
- Order *is* important
- In order to construct a policy, you must know all branches
- In order to fulfill a policy, you must additionally know the branch you are going to take
- Policies look like a logical circuit diagram (OR / AND gates)
- Policies are built sort of like PCRs
Policy is represented by a single hash (continued)
Build a policy for Bill. Bill is authorized by:
- a CAC card with public key A,
- an HMAC,
- and PCRs of the system being in a particular state.
(Diagram: CAC card AND HMAC AND PCRs -> Authorized)
A more complicated policy
A policy built for Bill OR Sally:
(Diagram: [Bill's CAC card AND Bill's HMAC AND PCRs] OR [Sally's CAC card AND Sally's biometric AND PCRs])
A Policy Hash with a single authentication based on a signature
Authentication with a CAC card with public key A.
- Always start with all zeros (32 bytes of zero for SHA256) = P1
- CAC card authorization is represented by:
  P2 = SHA256(P1 || TPM_CC_PolicySigned(1) || SHA256(A) || label(2))
     = SHA256(0x... || TPM_CC_PolicySigned(1) || SHA256(A) || NULL)
     = SHA256(0x... || 0x... || SHA256(A) || 0x0000)
- Final Policy = P2

(1) We look up TPM_CC_PolicySigned in Table 10 in Part 2 (Structures) Section 6.5.3 of the spec and find it equals 0x2...
(2) label is a reference so you know what you are authorizing.
Details of calculating the Policy Hash with AND: CAC card AND HMAC AND PCRs
- Always start with all zeros (32 zeros for SHA256) = P1
- CAC card authorization is represented by:
  P2 = SHA256(P1 || TPM_CC_PolicySigned || SHA256(A))
- CAC and HMAC is represented by:
  P3 = SHA256(P2 || TPM_CC_PolicyAuthValue)
- CAC and HMAC and PCRs is represented by:
  P4 = SHA256(P3 || TPM_CC_PolicyPCR || pcrs || digestTPM)
- Final policy = P4
(Diagram: CAC card AND HMAC AND PCRs -> Authorized)
AND is done with a kind of hash extend, like a PCR.
Details of satisfying this policy
When you try to satisfy this policy you will do as follows:
- Step 1: Create a session.
  - The session will establish a policy buffer.
  - The buffer starts out with 32 bytes of zeros in it = P1
  - The session returns a nonce
- Step 2: Sign the nonce with the CAC card. Send the TPM a note: "I am doing a TPM_PolicySign, here is the public key, here is the nonce signed with the corresponding private key."
  - The TPM verifies the signature, then extends TPM_CC_PolicySigned, P1, and the hash of the public key into its policy buffer.
  - The policy buffer now contains P2
Details of what this policy means (continued)
- Step 3: Tell the TPM you will be using an HMAC to authorize an object.
  - The TPM extends TPM_CC_PolicyAuthValue into the policy buffer.
  - The policy buffer now equals P3
  - The TPM also sets a session HMAC flag: an HMAC will be required for any executed command.
- Step 4: Tell the TPM you want it to extend certain specific PCR indexes into the session policy buffer.
  - The TPM extends TPM_CC_PolicyPCR, PCRs, digest of those PCRs
  - The policy buffer = P4
  - The TPM sets a session PCR flag = 0. If PCRs change now, the PCR flag will be incremented.
- Step 5: Execute a command with an object.
  - Must include an HMAC with the command that uses the same authorization data as is in the object (because of the HMAC flag).
  - TPM checks the HMAC is correct
  - TPM checks that the PCRs have not changed (PCR flag = 0)
  - TPM executes the command
In pictures: Authenticate with a CAC card
(Figure: host, TPM and session policy buffer.)
- Start a session. The TPM returns session nonce N = 0xBB443FE5; the session policy buffer holds 0x... (P1).
- Sign the nonce and label (0x01) with the CAC card (public key A = 1011......1); send the signature to the TPM for verification.
- Signature verifies! The TPM calculates P2 = SHA256(0x... || TPM_CC_POLICYSIGN || SHA256(A) || 0x01) = 0xA3B62234 and puts it in the session policy buffer.
- Note: the signature includes the label.

In pictures: Authorizing with a CAC card policy
- Load the signing key (not shown). Signing key policy = 0xA3B62234.
- Ask the TPM to sign "Hello" with the key. The session policy buffer holds 0xA3B62234.
- The TPM checks whether the policy buffer matches the key policy. Key policy matches buffer! If they match, it produces the signature of "Hello".

In pictures: Authenticate with a CAC card and PCRs
- Start a session. The TPM returns session nonce N = 0xBB443FE5; the session policy buffer holds 0x... (P1).
- Sign the nonce and label (0x0000) with the CAC card (public key A = 1011......1); send the signature to the TPM for verification.
- Signature verifies! The TPM calculates P2 = SHA256(0x... || TPM_CC_POLICYSIGN || SHA256(A) || 0x0000) = 0xA3B62234 and puts it in the session policy buffer.
- Note: the signature includes the label.

In pictures: Authenticate with CAC card and PCRs (continued)
- Tell the TPM to record the current PCR 0, 2, 4, 8 and 12 values. The session policy buffer holds 0xA3B62234.
- The TPM pulls the current PCR digest and calculates the new policy buffer value: SHA256(TPM_CC_POLICYPCR || 0xA3B62234 || PCR || digest) = 0x0EE51220.
- The TPM replaces the session buffer with the new value.
- The TPM establishes a PCR state variable in the session and sets it equal to zero (PCR state = 0).
- Certain PCRs can be configured in the TPM to not trigger a PCR state change.

In pictures: Authorizing with a CAC card and PCR policy
- Load the signing key (not shown). Signing key policy = 0x0EE51220.
- Ask the TPM to sign "Hello" with the key. The session policy buffer holds 0x0EE51220, PCR state = 0.
- The TPM checks whether the policy buffer matches the key policy. Key policy matches buffer! If they match, and PCR state = 0, it produces the signature of "Hello".

In pictures: What happens when a PCR changes after authentication, before authorization?
- PCR 0 is changed; the session's PCR state goes from 0 to 1.
- Load the signing key (not shown). Signing key policy = 0x0EE51220.
- Ask the TPM to sign "Hello" with the key. The session policy buffer holds 0x0EE51220, PCR state = 1.
- The TPM checks whether the policy buffer matches the key policy. The policy buffer matches the key's policy, BUT PCR state is not 0! Therefore it does NOTHING. PCR state != 0: FAIL!!!
A simple "OR" example: Matt OR Kathy
- Matt can authenticate with his CAC card, with public key A
- Kathy can authenticate with her CAC card, with public key B
- Matt authenticating looks like:
  - Start with all zeros (32 zeros for SHA256) = P1
  - CAC card authorization is represented by P2 = SHA256(P1 || TPM_CC_PolicySigned || SHA256(A) || label)
- Kathy authenticating looks like:
  - Start with all zeros (32 zeros for SHA256) = P1
  - CAC card authorization is represented by P3 = SHA256(P1 || TPM_CC_PolicySigned || SHA256(B) || label)
- Matt OR Kathy policy looks like:
  P4 = SHA256(P1 || TPM_CC_PolicyOr || 0x... || 0x0020 || P2 || 0x0020 || P3)
Matt authenticates with his CAC card (P2 = 0xA3B62234, P3 = 0xD..., P4 = 0x667FFE34)
- Start a session. The TPM returns session nonce N = 0xBB443FE5; the session policy buffer holds 0x... (P1).
- Sign the nonce and label (0x0000) with the CAC card (public key A = 1011......1); send the signature and A to the TPM for verification.
- Signature verifies! The TPM calculates P2 = SHA256(0x00000000 || TPM_CC_POLICYSIGN || SHA256(A) || 0x0000) = 0xA3B62234 and puts it in the buffer.
- OR command sent with P2, P3 (OR, 0xA3B62234, 0xD...). The TPM sees the current value matches P2!
- The TPM calculates P4 = SHA256(P1 || TPM_CC_PolicyOR || 0xA3B62234 || 0xD...) = 0x667FFE34 and replaces the buffer with P4.

Kathy authenticates with her CAC card (P2 = 0xA3B62234, P3 = 0xD..., P4 = 0x667FFE34)
- Start a session. The TPM returns session nonce N = 0x811662BA; the session policy buffer holds 0x... (P1).
- Sign the nonce with the CAC card (public key B = 1101......1, label = 0x0000); send the signature and B to the TPM for verification.
- Signature verifies! The TPM calculates P3 = SHA256(0x... || TPM_CC_POLICYSIGN || SHA256(B) || 0x0000) = 0xD... and puts it in the buffer.
- OR command sent with P2, P3 (OR, 0xA3B62234, 0xD...). The TPM sees the current value matches P3!
- The TPM calculates P4 = SHA256(TPM_CC_PolicyOR || 0xA3B62234 || 0xD...) = 0x667FFE34 and replaces the buffer with P4.
Atomic authentication of PCRs
- In 1.2, PCRs were measured at the point a command was executed.
- In 2.0, PCRs are measured as part of the establishment of a session policy buffer.
- Isn't this a problem?
- NO! When the PCRs are measured, a bit is created in the policy and set to zero. If any PCRs change after that point, the bit is flipped.
- If the bit is flipped, the command won't execute.
How can you put an HMAC in a policy?
- The session doesn't know what object you are going to authorize.
- If the authdata is part of the policy, that exposes information about the authdata.
- Isn't this a problem?
- NO! The policy just says "I will authorize with HMAC at execution."
- If the bit is flipped, the command won't execute unless it is provided an HMAC corresponding to the authorized object at execution.
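To make the policy arithmetic on the preceding slides concrete, here is an added Python model (not from the talk, and not TCG reference code) that builds Bill's AND policy and the Matt OR Kathy policy, then walks a simulated session through the five steps, including the HMAC flag and the PCR-changed-after-authentication failure. It assumes the published TPM 2.0 Part 2 command-code values (the slide's draft value is truncated), SHA256 of the public key in place of the full TPM name, a plain byte list in place of a marshalled PCR selection, and the published-spec PolicyOR layout without length prefixes; a counter that increments on any PCR change stands in for the slides' PCR flag.

```python
import hashlib
from dataclasses import dataclass
# Command codes from the published TPM 2.0 Part 2 spec (the slide's draft value is cut off).
TPM_CC_PolicySigned, TPM_CC_PolicyOR = 0x00000160, 0x00000171
TPM_CC_PolicyAuthValue, TPM_CC_PolicyPCR = 0x0000016B, 0x0000017F
P1 = bytes(32)  # every policy starts as 32 zero bytes (SHA-256)

def cc(code: int) -> bytes:
    return code.to_bytes(4, "big")  # command codes marshal as 4-byte big-endian
def extend(old: bytes, *parts: bytes) -> bytes:  # AND step, same shape as a PCR extend
    return hashlib.sha256(old + b"".join(parts)).digest()
def policy_signed(old: bytes, pubkey: bytes, label: bytes = b"\x00\x00") -> bytes:
    return extend(old, cc(TPM_CC_PolicySigned), hashlib.sha256(pubkey).digest(), label)
def policy_auth_value(old: bytes) -> bytes:
    return extend(old, cc(TPM_CC_PolicyAuthValue))
def policy_pcr(old: bytes, selection: bytes, pcr_digest: bytes) -> bytes:
    return extend(old, cc(TPM_CC_PolicyPCR), selection, pcr_digest)
def policy_or(branches: list) -> bytes:
    # OR restarts from P1 over the branch digests (published-spec layout: no length prefixes)
    return extend(P1, cc(TPM_CC_PolicyOR), *branches)

@dataclass
class Tpm:  # constructed model: a PCR bank plus a counter bumped on every PCR change
    pcrs: dict
    update_counter: int = 0
    def pcr_digest(self, idx: tuple) -> bytes:
        return hashlib.sha256(b"".join(self.pcrs[i] for i in idx)).digest()
    def extend_pcr(self, i: int, measurement: bytes) -> None:
        self.pcrs[i] = extend(self.pcrs[i], measurement)
        self.update_counter += 1

@dataclass
class Session:  # policy session: buffer starts at P1, plus the HMAC flag and PCR snapshot
    tpm: Tpm
    buffer: bytes = P1
    hmac_required: bool = False
    pcr_counter: int = -1  # -1: PolicyPCR not run; else update_counter when it ran
    def signed(self, pubkey: bytes, signature_ok: bool) -> None:
        if not signature_ok:  # the TPM verifies the signed nonce before extending
            raise PermissionError("signature did not verify")
        self.buffer = policy_signed(self.buffer, pubkey)
    def auth_value(self) -> None:
        self.buffer, self.hmac_required = policy_auth_value(self.buffer), True
    def pcr(self, idx: tuple) -> None:
        selection = bytes(idx)  # constructed stand-in for a marshalled TPML_PCR_SELECTION
        self.buffer = policy_pcr(self.buffer, selection, self.tpm.pcr_digest(idx))
        self.pcr_counter = self.tpm.update_counter
    def or_(self, branches: list) -> None:
        if self.buffer not in branches:  # the branch already taken must be in the list
            raise PermissionError("current buffer matches no branch")
        self.buffer = policy_or(branches)
    def use_object(self, object_policy: bytes, hmac_present: bool) -> bool:
        if self.buffer != object_policy:
            return False  # policy buffer does not match the object's policy
        if self.hmac_required and not hmac_present:
            return False  # PolicyAuthValue was used, so the command needs an HMAC
        if self.pcr_counter != -1 and self.pcr_counter != self.tpm.update_counter:
            return False  # a PCR changed after PolicyPCR: the PCR flag is no longer 0
        return True
```

Swapping the order of the two branches passed to policy_or gives a different digest, which is the "order is important" point from the single-hash slide.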
Can't anyone replace a biometric sensor?
- Aside from spoofing attacks, how do I prevent someone replacing my fingerprint reader with an identical model which they take ownership of?
- The biometric sensor must have a public / private key pair, used to sign both the identified person and the session nonce.
Some additional comments
- Policies can be created and calculated without talking to the TPM
- Policies can be re-used
- Policies can be broad: "Matt can do anything he wants with this key"
- OR policies can be fine grained: "Matt can sign with this key, but only Emily can copy it, and only James can certify it"
  - Further, Matt can only sign this year, using his CAC card for authorization
  - Emily has to use both a biometric and a CAC card and be in a particular location (as measured by THIS GPS) to copy the key
  - James can only certify the key, and he must have the PC in a certain state (as measured by PCRs) as well as know a password and have a PIV card
PCRs are brittle in 1.2. Are they different now?
"Any problem in Computer science can be solved by adding a level of indirection" (Paul England, Microsoft)
- You can lock not just to a certain set of PCRs equalling a certain value
- You can also lock to: "Any set of PCRs / values signed by an authority, as represented by this public key"
- Examples:
  - You can lock to "PCR 0 (the BIOS) as signed by DELL". Thereafter upgrading your BIOS to a signed DELL BIOS won't cause problems!
  - You can lock to "PCR values signed by IT". Thereafter IT need only sign new values to make them usable
Sessions
- Password session
  - Always considered created (default handle)
  - Does not encrypt passwords sent to the TPM
- Auth session
  - Needs to be created
  - Can be used for HMAC authorization
  - Can be used for Policy authorization
  - Can be encrypted and/or salted
- Audit session
  - Needs to be created as an auth session
  - Converted when used as an audit session
  - Can be used in concert with auth sessions
- Trial policy sessions
  - Used as a helper to creating policies if you don't want to use software
Reading the Spec
Four sections:
1) Architecture: how sessions work; how commands are put together
2) Structures: various data types; tables of constants
3) Commands: APIs
4) Subroutines
To build a command you use 1-3.
Build a command: write out the flow
- Sign with a key (commands, Part 3)
  - Create a key (commands, Part 3)
    - Need structures (Part 2)
    - Need to load a parent or use a Primary seed (commands, Part 3)
    - Need to authorize loading a parent (sessions, Part 1)
    - Need to create a session or use a straight password (commands, Part 3)
  - Must load the signing key (commands, Part 3)
    - Need to authorize the parent to load the key (sessions, Part 1)
    - Need to create a session (or re-use the previous session) (Part 1 or Part 3)
  - Must authorize signing the data
  - Get a random number
    - Use the correct command for GetRandom (Part 3)
White papers
- Will be published synchronously with the spec
- Give examples of how to use the specs to do useful things
  - Using a TPM to do Single Sign On
  - Using an audit session
  - Building a command
  - Flow charts for how a TPM works
  - What it does when you take ownership
- Some are high level
- Some give you the bits and bytes
New Use Cases
- Single Sign On
- Ephemeral Keys
- Locked Keys
- Revoking Keys
Single Sign On
- Establish an NVRAM index with a restricted policy for writing: you must be able to use a private key, and also give it auth_data
  - This makes the index's name unique.
- Write something to it
  - This makes the index's name unforgeable
- Create a policy that points to the NVRAM index name's auth_data
- Use this policy when creating new keys / objects
  - All these objects will use the NVRAM index name's auth_data
- When the NVRAM index name's auth_data changes, all keys/objects linked to it will also have their auth_data effectively changed
  - No "left over" keys with the old password!
Temporary Keys
- Ephemeral keys only exist between TPM resets (power on to power off)
- Keys can be created on the TPM and cached off the TPM, but will not be loadable again after the TPM is powered off
- Part of the "Null" hierarchy
Locked Keys
- A locked key cannot be duplicated except by duplicating its parent
- Similar to a non-migratable key in 1.2
- Useful for virtualization
  - Parent is duplicated among trusted servers
  - Child acts like a non-migratable key while on those servers
Revoking a key
There are multiple ways of revoking a key:
- Preventing the key from ever being re-loaded
  - Destroying the parent
  - Changing the hierarchy seed (nuclear option)
- Preventing the key (or its parent) from ever being used
  - Using EA to require approval from a key-signing daemon for use; killing the daemon
  - Requiring a bit in NVRAM to be on for a particular user/use; changing the bit
  - Requiring that an NVRAM HMAC key be used; destroying the NVRAM named index
  - Using an ephemeral key; powering the TPM off

JHUAPL