2 Introduction to Trusted Platform Module

3 Trusted computing
- Slide material from the Trusted Computing Group and NTRU Cryptosystems
- Trusted computing is specified by the Trusted Computing Group (TCG)

4 Motivating examples for using TPM
How do I:
- store a key securely, so that a user can access it with a password?
- ensure that I am communicating with a particular user who has access to a particular machine?
- make sure my software only runs on a specific machine?
- make sure my software runs only on machines in a specific state?
TPM uses tamper-resistant hardware to ensure system integrity.
Systems containing TPM chips:
- Lenovo (IBM) ThinkPads and desktops
- Fujitsu LifeBook
- HP desktops and notebooks
- Intel D875GRH motherboard
TPM chip vendors (small, inexpensive chips): Atmel, Infineon, National, STMicro

5 Boot-time checking
A well-defined sequence of software modules is executed at boot time: BIOS (ROM) invokes BIOS (FLASH), which invokes the boot loader, which invokes the OS, which invokes applications and libraries.
In trusted boot (also called secure boot) each element in the boot sequence checks the integrity of the next before invoking it:
  BIOS (ROM) --checks & invokes--> BIOS (FLASH) --checks & invokes--> Boot loader --checks & invokes--> OS --checks & invokes--> App/lib
A relying party also needs to know that the verification process succeeded; that is what the TPM's PCRs and attestation provide.

6 TPM architecture (figure from Wikipedia)
- The TPM stores secret keys and releases them depending on the state information held in the PCRs

7 Platform configuration registers (PCRs)
- PCRs are used to securely measure software (by computing a hash) during boot
- Each PCR holds one SHA-1 hash value (20 bytes)
- At least 16 PCRs
- PCRs are reset to 0 at boot time
- The only way to write PCR number n is to extend it (hash extension):
    TPM_Extend(n, D):  PCR[n] <- SHA-1( PCR[n] || D )
Example (OS checks & invokes an application module):
- The OS computes h3 = SHA-1(module3) and extends it: PCR[3] <- SHA-1( 0 || h3 )
- An attacker substitutes module3 with module3', so h3' = SHA-1(module3') and PCR[3] now contains SHA-1( 0 || h3' )
- The attacker cannot find a v such that SHA-1( SHA-1( 0 || h3' ) || v ) = SHA-1( 0 || h3 ), because the hash is second-preimage resistant; extending can only move the PCR forward, never back to the expected value
- Caveat: SHA-1 collisions have since been demonstrated; TPM 2.0 adds PCR banks for SHA-256 and other hash algorithms

8 PCR extension during boot
- At power-up every PCR[n] is initialized to 0
- The BIOS boot block executes:
  - calls PCR_Extend( n, hash of the BIOS post-boot code it is about to run )
  - then loads and runs the BIOS post-boot code
- The BIOS executes:
  - calls PCR_Extend( n, hash of the MBR )
  - then runs the MBR (master boot record)
- The MBR executes:
  - calls PCR_Extend( n, hash of the OS loader )
  - then runs the OS loader
- Which PCRs are used for which stage is defined by the TCG specifications
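The extend chain of slides 7 and 8 in working code, added here as an example (it is not code from the slides or their sources). The stage images are constructed byte strings standing in for the real BIOS, MBR and OS loader; the PCR arithmetic is exactly TPM_Extend with SHA-1, and the functions return True when the property the slides claim holds.

```python
"""Simulated PCR extension for the boot chain on slides 7-8, added as an example
(not code from the page's sources).  Shows why a substituted boot stage leaves a
different PCR value that cannot be extended back to the expected one."""
import hashlib
import os

PCR_LEN = 20  # SHA-1 digest length


def pcr_extend(pcr, d):
    """TPM_Extend(n, D): PCR[n] <- SHA-1(PCR[n] || D)."""
    return hashlib.sha1(pcr + d).digest()


def measured_boot(stages):
    """Each stage hashes the next one and extends that hash into the PCR before
    running it.  Returns the PCR value the chain ends with."""
    pcr = bytes(PCR_LEN)  # PCRs are reset to 0 at power-up
    for code in stages:
        pcr = pcr_extend(pcr, hashlib.sha1(code).digest())
    return pcr


# Constructed stand-ins for the images the boot block, BIOS and MBR would hash.
GOOD_CHAIN = [b"bios post code v1", b"mbr v1", b"os loader v1"]
BAD_CHAIN = [b"bios post code v1", b"mbr with bootkit", b"os loader v1"]


def order_matters():
    """Extending the same measurements in a different order gives a different PCR."""
    return measured_boot(GOOD_CHAIN) != measured_boot(list(reversed(GOOD_CHAIN)))


def substitution_is_detected():
    """Swap the MBR (module3 -> module3' on slide 7): the final PCR value changes."""
    return measured_boot(GOOD_CHAIN) != measured_boot(BAD_CHAIN)


def cannot_extend_back(attempts=10_000):
    """The attacker's only write operation is another extend, so they would need a
    v with SHA-1(bad || v) == good.  The hash is second-preimage resistant, so random
    tries fail; re-extending the legitimate measurement does not help either."""
    good = measured_boot(GOOD_CHAIN)
    bad = measured_boot(BAD_CHAIN)
    for _ in range(attempts):
        if pcr_extend(bad, os.urandom(20)) == good:
            return False
    return pcr_extend(bad, hashlib.sha1(b"mbr v1").digest()) != good
```

Note that `measured_boot` uses a single PCR for the whole chain; real firmware spreads stages across several PCRs (slide 8), but the argument is the same per register.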

9 Using PCR values after boot
Application 1: encrypted (a.k.a. sealed) storage
- Step 1: TPM_TakeOwnership( OwnerPassword, ... )
  - creates a 2048-bit RSA Storage Root Key (SRK) on the TPM
  - TPM_TakeOwnership cannot be run again: the Ownership Enabled flag <- False
  - done once, by the IT department or the computer owner
- (optional) Step 2: TPM_CreateWrapKey
  - creates more RSA keys on the TPM, certified by the SRK
  - each key is identified by a 32-bit key handle

10 Protected storage
Main step: encrypt data using an RSA key held on the TPM.
TPM_Seal (some) arguments:
- keyhandle: which TPM key to encrypt with
- KeyAuth: password for using key `keyhandle'
- PcrValues: PCRs to embed in the encrypted blob
- data block: at most 256 bytes (2048 bits), so in practice it is used to encrypt a symmetric key (e.g. AES) that in turn encrypts the data
Returns an encrypted blob.
Main point: the blob can only be decrypted with TPM_Unseal when the current PCR register values equal the PCR values stored in the blob; TPM_Unseal fails otherwise.

11 Protected storage
- Embedding PCR values in the blob ensures that only certain software configurations can decrypt the data
  - e.g. messing with the MBR or the OS kernel changes the PCR values, so the blob no longer unseals
- Why can't the attacker disable the TPM until after boot, then extend the PCRs with whatever values he wants?
  - Root of trust: the BIOS boot block. It is the first code to run after a platform reset, and it extends the measurement of the next stage before anything else executes.
  - PCRs are only reset by a platform reset, and the only write operation is TPM_Extend, so any measurement the attacker skips or replaces leaves the PCRs at values different from those sealed in the blob.

12 PCR and attestation
- Tie a secret to a list of PCR values
- The TPM will use or reveal a stored secret only if the PCRs have specific values
- PCRs reflect the system configuration and state
- Application: attestation, i.e. proving to a remote party that a legitimate version of the software is running on a host
  - e.g. a company allows computers to connect to its network only if they run "authorized" software
  - e.g. content providers sell digital media only to authorized versions of players (DRM)

13 Endorsement key (EK) and attestation identity key (AIK)
- Every TPM has a unique EK
- The EK is the root of trust for identification
- The EK is generated by the manufacturer and never leaves the TPM
- The certificate for the EK public key is issued by the TPM vendor, acting as a trusted CA
- For attestation, the user first generates an attestation identity key (AIK)
  - multiple AIKs may be generated, so a single EK does not have to be shown to every verifier
  - a certificate for the AIK public key is issued (by a privacy CA) only if the EK certificate is valid
  - the AIK private key is known only to the TPM

14 Attestation
- The local host answers challenges from a remote party by signing PCR values with the AIK private key (after boot)
- The local host runs TPM_Quote with inputs:
  - keyhandle: which AIK to sign with
  - KeyAuth: password for using key `keyhandle'
  - PCR list: which PCRs to sign
  - challenge nonce: a 20-byte challenge from the remote server, which prevents replay of old signatures
- TPM_Quote returns the signed data and the signature
- The remote party verifies the signature with the AIK public key, verifies the certificate issuer, and verifies the PCR values in the signed data

15 Attestation: how it works
Participants: remote server; on the PC, the application, the OS and the TPM.
1. Remote server -> PC: attestation request containing a 20-byte challenge
2. App/OS: generate a public/private key pair for this session
3. App/OS -> TPM: TPM_Quote(AIK, PcrList, chal, pub-key)
4. TPM -> App/OS: signed PCR values bound to the challenge and the public key; the app obtains a cert from this
5. PC -> remote server (SSL): key exchange using that cert
6. Remote server validates: 1. the cert issuer, 2. the PCR values in the cert
7. Remote server communicates with the app over the SSL tunnel
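The two uses of PCR values the deck describes, sealed storage (slides 10-11) and the quote/verify exchange (slides 14-15), modelled in one runnable example. This is added code, not the slides' or the TCG's own, and it uses only the Python standard library: the RSA SRK and AIK are replaced by HMAC secrets (so the "signature" is a MAC and the verifier's copy of the "AIK public key" is that same secret), a SHA-256 keystream stands in for the AES key a real blob would protect, and the boot-stage images and the `ToyTPM`, `verify_quote` and `demo` names are all assumptions made for the illustration. What it preserves from the spec is the binding logic: unseal fails when the PCR composite differs, a quote is accepted only with the verifier's own nonce and the expected PCR values.

```python
"""Toy TPM model, an added example (not code from the page's sources): sealed
storage bound to PCR values (slides 10-11) and a TPM_Quote exchange with a
challenge nonce (slides 14-15).  HMAC stands in for the RSA SRK/AIK."""
import hashlib
import hmac
import os

PCR_LEN = 20  # SHA-1 PCRs, as in TPM 1.2

def pcr_extend(pcr, d):
    """TPM_Extend: PCR <- SHA-1(PCR || D)."""
    return hashlib.sha1(pcr + d).digest()

def keystream_xor(key, data):
    """Toy stream cipher: SHA-256 in counter mode XORed over data (demo only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class ToyTPM:
    def __init__(self, srk=None, aik=None):
        self.pcrs = [bytes(PCR_LEN)] * 16      # every PCR is 0 at power-up
        self._srk = srk or os.urandom(32)      # stand-in for the SRK private key
        self._aik = aik or os.urandom(32)      # stand-in for an AIK private key
        self.aik_public = self._aik            # a real TPM exports an RSA public key

    def extend(self, n, d):
        self.pcrs[n] = pcr_extend(self.pcrs[n], d)

    def composite(self, pcr_list):
        """Digest over the selected PCRs; both seal and quote bind to this."""
        return hashlib.sha1(bytes(pcr_list) + b"".join(self.pcrs[i] for i in pcr_list)).digest()

    def seal(self, pcr_list, data):
        """TPM_Seal: blob that unseals only while the listed PCRs hold today's values."""
        expected = self.composite(pcr_list)
        key = hmac.new(self._srk, b"seal" + expected, hashlib.sha256).digest()
        ct = keystream_xor(key, data)
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"pcr_list": list(pcr_list), "expected": expected, "ct": ct, "tag": tag}

    def unseal(self, blob):
        """TPM_Unseal: fails when the current PCR composite differs from the sealed one."""
        if self.composite(blob["pcr_list"]) != blob["expected"]:
            raise PermissionError("PCR values do not match the sealed blob")
        key = hmac.new(self._srk, b"seal" + blob["expected"], hashlib.sha256).digest()
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            raise ValueError("sealed blob has been tampered with")
        return keystream_xor(key, blob["ct"])

    def quote(self, pcr_list, nonce):
        """TPM_Quote: sign (PCR list || composite || nonce); the nonce defeats replay."""
        quoted = bytes(pcr_list) + self.composite(pcr_list) + nonce
        return quoted, hmac.new(self._aik, quoted, hashlib.sha256).digest()

def verify_quote(aik_pub, quoted, sig, nonce, pcr_list, golden):
    """Remote party: check the signature, then the nonce it sent, then the PCR values."""
    if not hmac.compare_digest(hmac.new(aik_pub, quoted, hashlib.sha256).digest(), sig):
        return False
    n = len(pcr_list)
    return (quoted[:n] == bytes(pcr_list) and quoted[n:n + PCR_LEN] == golden
            and quoted[n + PCR_LEN:] == nonce)

def boot(modules, srk=None, aik=None):
    """Measured boot into a fresh ToyTPM: stage n's hash is extended into PCR n."""
    tpm = ToyTPM(srk, aik)
    for n, code in enumerate(modules):
        tpm.extend(n, hashlib.sha1(code).digest())
    return tpm

GOOD_BOOT = [b"bios post code v1", b"mbr v1", b"os loader v1"]  # constructed stand-ins
PCRS = [0, 1, 2]

def demo():
    good = boot(GOOD_BOOT)
    golden = good.composite(PCRS)            # reference value the verifier trusts
    secret = b"AES-key-0123456789abcdef"
    blob = good.seal(PCRS, secret)
    nonce = os.urandom(20)
    quoted, sig = good.quote(PCRS, nonce)
    # Same chip (same SRK/AIK) rebooted with a modified MBR: only the PCRs differ.
    evil = boot([GOOD_BOOT[0], b"mbr with bootkit", GOOD_BOOT[2]], good._srk, good._aik)
    try:
        evil.unseal(blob)
        evil_unseal = True
    except PermissionError:
        evil_unseal = False
    eq, es = evil.quote(PCRS, nonce)
    return {
        "good_unseal": good.unseal(blob) == secret,
        "good_quote": verify_quote(good.aik_public, quoted, sig, nonce, PCRS, golden),
        "replayed_quote": verify_quote(good.aik_public, quoted, sig, os.urandom(20), PCRS, golden),
        "evil_unseal": evil_unseal,
        "evil_quote": verify_quote(evil.aik_public, eq, es, nonce, PCRS, golden),
    }
```

`demo()` returns five booleans: the honest boot unseals and passes verification, a replayed quote fails on the nonce, and the bootkit boot can neither unseal the blob nor produce a quote matching the verifier's reference PCR values, even though it holds the same keys. The `golden` value is taken from a known-good boot here; a real verifier would compute it from reference measurements of the approved software.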

16 Some open questions relating to TPM
- TPM provides a guarantee of load-time code integrity
  - it does not detect run-time compromises such as a buffer overflow attack; the PCRs still hold the measurements of the code that was loaded
- Can a remote party attest to the current state of a running system?
  - active research topic, e.g. Flicker
- Suppose a malicious music file exploits a bug in Windows Media Player
  - the music file is encrypted
  - TCG prevents anyone from getting the music file in the clear
  - can anti-virus companies block the virus without ever seeing its code in the clear?
(Example from Dan Boneh)

17 Slide credits
- Dan Boneh
- Danfeng Yao
- Sean Smith

