Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vpn-info.com.

Published byLayne Andrew Modified over 9 years ago

Similar presentations

Presentation on theme: "Vpn-info.com."— Presentation transcript:

1 vpn-info.com

2 Introduction to Trusted Platform Module

3 Trusted computing Is specified by trusted Computing group (TCG) From Trusted computing group, NTRU Cryptosystems

4 Motivating examples for using TPM
How do I Store a key securely, so a user can access it with a password? Ensure that I am communicating with a particular user with access to a particular machine? Make sure my software only runs on a specific machine? Make sure my software runs only on machines in a specific state? TPM uses tamper-resistant hardware to ensure system integrity Systems containing TPM chips: Lenovo (IBM) Thinkpads and desktops Fujitsu lifebook HP desktop and notebooks TPM Chip vendors: (small inexpensive) Atmel, Infineon, National, STMicro Intel D875GRH motherboard

5 Boot-time checking App/lib OS OS App/lib Trusted boot or secure boot
invokes BIOS (FLASH) Boot loader OS BIOS (ROM) invokes invokes invokes A well-defined sequence of software modules get executed at boot time. BIOS (FLASH) Boot loader OS BIOS (ROM) Checks & invokes Checks & invokes Checks & invokes Checks & invokes Each element in the boot sequence checks the integrity of the next before invoking it App/lib Need to know the verification process succeeded Trusted boot or secure boot

6 TPM architecture From wikipedia TPM stores secret keys and releases them depending on the state info at PCRs

7 Platform configuration registers (PCRs)
PCRs are used to securely measure software (by computing hash) during boot Each PCR can contain an SHA-1 hash value (20byte) At least 16 PCRs PCRs are reset to 0 at boot time Write to a PCR # n by extending it – hash extension TPM_Extend(n,D): PCR[n]  SHA-1 ( PCR[n] || D ) For example OS OS computes h3 = SHA-1(module3); stores SHA-1(0,h3) -> PCR[3] Attacker substitutes module3 with module3’, h3’=SHA-1(module3’) Checks & invokes PCR[3] then contains SHA-1(0, h3’) Attacker cannot find v such that SHA-1(SHA-1(0, h3’), v) = SHA-1(0, h3) App/lib

8 At power-up PCR[n] initialized to 0 BIOS boot block executes
Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record). MBR executes: Calls PCR_Extend( n, <OS loader code, config params> ) Then runs OS loader Which PCRs to use is defined by specifications

9 Using PCR values after boot
Application 1: encrypted (a.k.a sealed) storage. Step 1: TPM_TakeOwnership( OwnerPassword, … ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again: Ownership Enabled flag  False Done once by IT department or computer owner. (optional) Step 2: TPM_CreateWrapKey Create more RSA keys on TPM certified by SRK Each key identified by 32-bit keyhandle OwnPass (Owner Password) can later be used to change owner. SRK key handle ID is 0x

10 Main Step: Encrypt data using RSA key on TPM
Protected Storage Main Step: Encrypt data using RSA key on TPM TPM_Seal (some) Arguments: keyhandle: which TPM key to encrypt with KeyAuth: Password for using key `keyhandle’ PcrValues: PCRs to embed in encrypted blob data block: at most 256 bytes (2048 bits) Used to encrypt symmetric key (e.g. AES) Returns encrypted blob. Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal will fail otherwise TPM_Seal: allows to specify arbitrary PCR values for unseal.

11 Protected Storage Embedding PCR values in blob ensures that only certain apps can decrypt data. e.g.: Messing with MBR or OS kernel will change PCR values. Why can’t attacker disable TPM until after boot, then extend PCRs with whatever he wants? Root of trust: BIOS boot block. Note: resetting TPM after boot (by physically sending TPM_Reset on LPC bus), allows arbitrary values to be loaded onto PCR. Need owner password to write to DIR. Anyone can read DIR. Stored in NV RAM.

12 PCR and attestation Tie a secret to a list of PCR values
TPM will use or reveal a stored secret only if PCRs have specific values PCRs reflect system configuration and state Application: Attestation – to prove to a remote party the legitimate version of software is running on a host E.g., a company allows computers to connect to its network only if they run “authorized” software E.g., content providers sell digital media only to authorized versions of players -- DRM

13 Endorsement key (EK) and attestation identity key (AIK)
Every TPM has a unique EK EK is the root of trust for identification EK is generated by manufacture, never leaves TPM Cert for EK public-key issued by TPM vendor, generated by a trusted CA For attestation, user first generates an attestation identity key Multiple AIKs may be generated Cert for AIK public key issued only if EK cert is valid AIK private key is only known to TPM

14 Attestation Local host answers challenges from a remote party by signing PCR values with AIK private key (after boot) Local host runs function TPM_Quote with inputs keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle’ PCR List: Which PCRs to sign. Challenge nonce: 20-byte challenge from remote server Prevents replay of old signatures. TPM_Quote returns signed data and signature. Remote party verifies the signature with AIK public key, verifies cert issuer, verifies PCR values in the signature

15 Attestation: how it works
Attestation Request (20-byte challenge) Generate pub/priv key pair TPM_Quote(AIK, PcrList, chal, pub-key) Obtain cert App (SSL) Key Exchange using Cert Validate: Cert issuer, PCR vals in cert OS Communicate with app using SSL tunnel TPM Remote Server PC

16 Some open questions relating to TPM
TPM provides the guarantee of load-time code integrity. It does not provide detection ability for run-time compromises such as buffer overflow attack Can the remote party attest to the current state of a running system? Active research on this topic, e.g., Flicker Suppose malicious music file exploits bug in Windows Media Player. Music file is encrypted. TCG prevents anyone from getting music file in the clear. Can anti-virus companies block virus without ever seeing its code in the clear? Example from Dan Boneh

17 Slides credits Dan Boneh Danfeng Yao Sean Smith

Download ppt "Vpn-info.com."

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Eran Tromer Slides credit: Dan Boneh, Stanford course CS155

Eran Tromer Slides credit: Dan Boneh, Stanford course CS155
Trusted Platform Module

Trusted Platform Module
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
TCPA TCPA TCPA T rusted C omputing P latform A lliance Saurabh Phansalkar.

TCPA TCPA TCPA T rusted C omputing P latform A lliance Saurabh Phansalkar.
Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.

Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.

Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture notes.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture notes.

Similar presentations

Ads by Google