3 Trusted computingIs specified by trustedComputing group (TCG)From Trusted computing group, NTRU Cryptosystems
4 Motivating examples for using TPM How do IStore a key securely, so a user can access it with a password?Ensure that I am communicating with a particular user with access to a particular machine?Make sure my software only runs on a specific machine?Make sure my software runs only on machines in a specific state?TPM uses tamper-resistant hardware to ensure system integritySystems containing TPM chips:Lenovo (IBM) Thinkpads and desktopsFujitsu lifebookHP desktop and notebooksTPM Chip vendors: (small inexpensive)Atmel, Infineon, National, STMicroIntel D875GRH motherboard
5 Boot-time checking App/lib OS OS App/lib Trusted boot or secure boot invokesBIOS(FLASH)BootloaderOSBIOS(ROM)invokesinvokesinvokesA well-defined sequence of software modules get executed at boot time.BIOS(FLASH)BootloaderOSBIOS(ROM)Checks& invokesChecks& invokesChecks& invokesChecks& invokesEach element in the boot sequence checks the integrity of the next before invoking itApp/libNeed to know the verification process succeededTrusted boot or secure boot
6 TPM architectureFrom wikipediaTPM stores secret keys and releases them depending on the state info at PCRs
7 Platform configuration registers (PCRs) PCRs are used to securely measure software (by computing hash) during bootEach PCR can contain an SHA-1 hash value (20byte)At least 16 PCRsPCRs are reset to 0 at boot timeWrite to a PCR # n by extending it – hash extensionTPM_Extend(n,D): PCR[n] SHA-1 ( PCR[n] || D )For exampleOSOS computes h3 = SHA-1(module3); stores SHA-1(0,h3) -> PCRAttacker substitutes module3 with module3’, h3’=SHA-1(module3’)Checks& invokesPCR then contains SHA-1(0, h3’)Attacker cannot find v such thatSHA-1(SHA-1(0, h3’), v) = SHA-1(0, h3)App/lib
8 At power-up PCR[n] initialized to 0 BIOS boot block executes Calls PCR_Extend( n, <BIOS code> )Then loads and runs BIOS post boot codeBIOS executes:Calls PCR_Extend( n, <MBR code> )Then runs MBR (master boot record).MBR executes:Calls PCR_Extend( n, <OS loader code, config params> )Then runs OS loaderWhich PCRs to use is defined by specifications
9 Using PCR values after boot Application 1: encrypted (a.k.a sealed) storage.Step 1: TPM_TakeOwnership( OwnerPassword, … )Creates 2048-bit RSA Storage Root Key (SRK) on TPMCannot run TPM_TakeOwnership again:Ownership Enabled flag FalseDone once by IT department or computer owner.(optional) Step 2: TPM_CreateWrapKeyCreate more RSA keys on TPM certified by SRKEach key identified by 32-bit keyhandleOwnPass (Owner Password) can later be used to change owner.SRK key handle ID is 0x
10 Main Step: Encrypt data using RSA key on TPM Protected StorageMain Step: Encrypt data using RSA key on TPMTPM_Seal (some) Arguments:keyhandle: which TPM key to encrypt withKeyAuth: Password for using key `keyhandle’PcrValues: PCRs to embed in encrypted blobdata block: at most 256 bytes (2048 bits)Used to encrypt symmetric key (e.g. AES)Returns encrypted blob.Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob.TPM_Unseal will fail otherwiseTPM_Seal: allows to specify arbitrary PCR values for unseal.
11 Protected StorageEmbedding PCR values in blob ensures that only certain apps can decrypt data.e.g.: Messing with MBR or OS kernel will change PCR values.Why can’t attacker disable TPM until after boot, then extend PCRs with whatever he wants?Root of trust: BIOS boot block.Note: resetting TPM after boot (by physically sending TPM_Reset on LPC bus), allows arbitrary values to be loaded onto PCR.Need owner password to write to DIR. Anyone can read DIR. Stored in NV RAM.
12 PCR and attestation Tie a secret to a list of PCR values TPM will use or reveal a stored secret only if PCRs have specific valuesPCRs reflect system configuration and stateApplication: Attestation – to prove to a remote party the legitimate version of software is running on a hostE.g., a company allows computers to connect to its network only if they run “authorized” softwareE.g., content providers sell digital media only to authorized versions of players -- DRM
13 Endorsement key (EK) and attestation identity key (AIK) Every TPM has a unique EKEK is the root of trust for identificationEK is generated by manufacture, never leaves TPMCert for EK public-key issued by TPM vendor, generated by a trusted CAFor attestation, user first generates an attestation identity keyMultiple AIKs may be generatedCert for AIK public key issued only if EK cert is validAIK private key is only known to TPM
14 AttestationLocal host answers challenges from a remote party by signing PCR values with AIK private key (after boot)Local host runs function TPM_Quote with inputskeyhandle: which AIK key to sign withKeyAuth: Password for using key `keyhandle’PCR List: Which PCRs to sign.Challenge nonce: 20-byte challenge from remote serverPrevents replay of old signatures.TPM_Quote returns signed data and signature.Remote party verifies the signature with AIK public key, verifies cert issuer, verifies PCR values in the signature
15 Attestation: how it works Attestation Request (20-byte challenge)Generate pub/priv key pairTPM_Quote(AIK, PcrList, chal, pub-key)Obtain certApp(SSL) Key Exchange using CertValidate:Cert issuer,PCR vals in certOSCommunicate with appusing SSL tunnelTPMRemote ServerPC
16 Some open questions relating to TPM TPM provides the guarantee of load-time code integrity.It does not provide detection ability for run-time compromises such as buffer overflow attackCan the remote party attest to the current state of a running system?Active research on this topic, e.g., FlickerSuppose malicious music file exploits bug in Windows Media Player.Music file is encrypted.TCG prevents anyone from getting music file in the clear.Can anti-virus companies block virus without ever seeing its code in the clear?Example from Dan Boneh