©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Yaron Sheffer Manager, Standards.

Presentation transcript:

1 Trusted Computing. Yaron Sheffer, Manager, Standards and VPN Technologies, Check Point. Jan. 2008. © Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.

2 Agenda
- A few words about Check Point
- Why Trusted Computing
- The Trusted Computing Architecture
- Uses of Trusted Computing
- Issues with Trusted Computing
- Trusted Computing in practice
- Details: 3rd party attestation
- The TC ecosystem: related and competing work, NAC

3 A Global Security Leader
- Global leader in firewall/VPN* and mobile data encryption (* Frost & Sullivan)
- More than 100,000 protected businesses; more than 60 million consumers; 100% of Fortune 100 as customers
- 100% security: 100% focus on information security; >1,000 dedicated security experts; protecting networks and enterprise data
- Global: ~2,000 employees; 69 offices, 28 countries; 2,200 partners, 88 countries; HQ in Israel and U.S.A.
- Leader (chart: revenue, net profit)

4 SMART Security Management Architecture: Unified Security Architecture (diagram: Management; Data leakage; Compliance; Port control; Reporting; Disk Encryption; Monitoring; Media Encryption; IPS; Personal firewall; UTM; VPN; Anti-Virus; Firewall; VPN Client). Always Anticipating New Security Needs.

6 Trusted Computing
- Trust (RFC 4949): a feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system will not fail or (b) that the system meets its specifications (i.e., the system does what it claims to do and does not perform unwanted functions)
- When approaching a PC, do we have this feeling?
- Something is rotten in the state of Denmark

7 Lack of Trust
- Mutability
  - Data
  - Applications and libraries
  - Device drivers
  - Kernel components
  - And... the BIOS
- "Least privilege" principle is ignored
  - Administrator privileges
- Huge amounts of trusted code
- Secure development principles are not applied

8 Trusted Computing Group
- [An] organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices
- Implicitly: software alone will not do
- Established (as TCPA) 1999
- TPM 1.0 published Feb
- TNC work started 2004
- Around 200 member companies

10 Trusted Computing Architecture
- TPM (Trusted Platform Module): a tamper-resistant hardware module mounted in a platform. Responsible for: measurement, storage, reporting and policy enforcement
- (diagram: Protected Code; TPM; Boot Process; Operating System; App1, App2, App3; Encrypted Files)

11 Roots of Trust
- A Root of Trust is a component that must behave as expected, because its misbehaviour cannot be detected
  - A piece of code
- Root of Trust for Measurement: the component that can be trusted to reliably measure and report to the Root of Trust for Reporting what software executes at the start of platform boot
- Root of Trust for Reporting: the component that can be trusted to report reliable information about the platform
- Root of Trust for Storage: the component that can be trusted to securely store any quantity of information

12 A Chain of Trust
- The core idea of the Trusted Computing architecture
- Each stage measures and validates the next one
  - Measurements go into Platform Configuration Registers (PCRs) on the TPM
- The chain starts with the hardware TPM
- Then software:
  - RTM, TPM Software Stack, BIOS, kernel
  - Applications?
- At the end, the entire platform is verified to be in a trusted state

13 TC Cryptographic Capabilities
- SHA-1, HMAC
  - Hashed message authentication code
- Physical random number generation
  - An important feature in itself
- Asymmetric key generation
  - 2048-bit RSA
- Asymmetric encryption/decryption and signing
  - RSA PKCS#1
- Bulk symmetric crypto is performed off-chip
  - For example, disk encryption
- Reasons: price, export considerations
- This is no high-performance crypto chip!

15 Uses of Trusted Computing
- Data protection: storage of secrets
  - TPM unseals storage keys only if the platform is in a trusted state
- Detecting unwanted changes to a machine's configuration
  - Secure boot
- The next three require "3rd party attestation"
  - Protocol described later
- Checking client integrity on a local network
  - E.g. before the client is allowed into the network
  - Or by each network server
- Verifying the trustworthiness of a "kiosk"
  - By a remote server
  - By a local smartcard
- Machine authentication for remote access
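Slides 12 and 15 together describe how PCR extension chains the boot stages and how a sealed secret is released only in the measured state. The Python below is an added example, not code from the presentation: it simulates the TPM 1.2 SHA-1 PCR extend operation and a simplified seal/unseal (a real TPM also encrypts the sealed blob under its Storage Root Key) over constructed boot images, and shows that a tampered kernel or a reordered chain yields a different PCR and therefore no key.

```python
import hashlib
from typing import List, Optional, Tuple

PCR_INIT = bytes(20)   # TPM 1.2 PCRs are 20-byte SHA-1 registers, all zero at reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: PCR = SHA-1(PCR || digest). A PCR can only be extended, never
    written, so its final value commits to every stage and to their order."""
    assert len(digest) == 20, "TPM 1.2 extends 20-byte SHA-1 digests"
    return hashlib.sha1(pcr + digest).digest()


def measure_chain(stages: List[Tuple[str, bytes]]) -> bytes:
    """Chain of trust: each stage hashes the next image and extends the PCR before
    handing control to it (simplified: every stage lands in the same PCR)."""
    pcr = PCR_INIT
    for _name, image in stages:
        pcr = pcr_extend(pcr, hashlib.sha1(image).digest())
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Bind a secret to a PCR value. Simplified sealed blob: (pcr, secret);
    a real TPM additionally encrypts this under the Storage Root Key."""
    return expected_pcr, secret


def unseal(blob: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """The TPM releases the secret only if the platform is in the sealed-to state."""
    expected_pcr, secret = blob
    return secret if expected_pcr == current_pcr else None


# Constructed sample boot images standing in for real BIOS, loader and kernel binaries.
GOOD_CHAIN = [("BIOS", b"bios-1.0"), ("bootloader", b"grub-1.9"), ("kernel", b"linux-2.6.24")]
TAMPERED_CHAIN = [GOOD_CHAIN[0], GOOD_CHAIN[1], ("kernel", b"linux-2.6.24-rootkit")]


def demo() -> dict:
    """Seal a disk key to the good boot state, then try to unseal after each boot."""
    good_pcr = measure_chain(GOOD_CHAIN)
    blob = seal(b"disk-encryption-key", good_pcr)
    return {
        "good_boot": unseal(blob, good_pcr),                                   # key released
        "tampered_kernel": unseal(blob, measure_chain(TAMPERED_CHAIN)),        # None
        "reordered_stages": unseal(blob, measure_chain(list(reversed(GOOD_CHAIN)))),  # None
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```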

16 Authentication and Privacy: A Contradiction?
- When you digitally sign a measurement report, you potentially reveal your identity!
- The architecture provides for the TPM to have control over "multiple pseudonymous attestation identities" (next slide)
- TPM attestation identities do not contain any owner/user-related information
  - A platform identity attests to platform properties
- No single TPM "identity" is ever used to digitally sign data
  - Privacy protection
- TPM identities must be certified to attest that they identify a genuine TC platform
- The TPM identity creation protocol allows choosing a different Certification Authority (Privacy CA) to certify each TPM identity
  - Prevents correlation

17 Multiple Pseudonymous Attestation Identities... (diagram: Host being verified, Verifier, Host Identity CA; identities Name1 and Name2; arrows labelled "Certified by..." and "Trusts...")

18 Issues with Trusted Computing
- TC is happening very slowly
  - A mixture of technical, business and perceptual issues
- Can a large and not-so-well-designed OS ever become trustworthy?
  - Intel's current direction might point to a solution
- The distinction between platform owner and data owner
  - Can Sony prevent you from playing their songs? DRM is evil!
  - Can Sony prevent you from reading their confidential financial data? Enterprise DRM is ???
  - But hey, we've had DRM long before TPM!
- Allowing an "open" software ecosystem
  - For proprietary software
  - For open source software
  - For open source software that refuses to "play by the rules"

19 Trusted Computing in Practice
- TPM exists on a very large percentage of desktops and laptops
  - On your computer, too
- But it is disabled by default
- So it is rarely used
  - Even innocuous functionality like the RNG is blocked!
- Microsoft was expected to enhance TC functionality in Vista
  - But only made a small step with BitLocker
- Apple used the TPM once to ensure its new OS only runs on its own "beta" machines
  - But this is the wrong way around!

21 Remote Attestation
- Three phases
- Measurement: the machine to be attested must measure its properties locally
- Attestation: transfer the measurements from the machine being attested to the remote machine
- Verification: the remote machine examines the measurements transferred during attestation and decides whether they are valid and acceptable
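The three phases above, as an added example that is not part of the presentation: IMA-style measurement of components into one PCR, a quote over a verifier-supplied nonce, and a verifier that replays the measurement log against the quoted PCR and judges each component against a constructed known-good list. Assumption: the AIK signature is stood in for by an HMAC under a constructed key, so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

PCR_INIT = bytes(20)          # TPM 1.2 PCRs are 20-byte SHA-1 registers, zero at reset
# Constructed sample components and the verifier's known-good database built from them.
GOOD_FILES = [("/sbin/init", b"init v1 (constructed)"), ("/usr/sbin/sshd", b"sshd v2 (constructed)")]
KNOWN_GOOD: Dict[str, str] = {n: hashlib.sha1(d).hexdigest() for n, d in GOOD_FILES}
AIK_KEY = b"constructed-AIK-key"   # stand-in for the TPM's attestation identity key (assumption)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: PCR = SHA-1(PCR || digest); append-only and order-sensitive."""
    return hashlib.sha1(pcr + digest).digest()


def measure(files: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Phase 1, on the attested host: hash each component before it runs, append it
    to the measurement log and extend the PCR (the Linux IMA pattern)."""
    pcr, log = PCR_INIT, []
    for name, data in files:
        digest = hashlib.sha1(data).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def quote(nonce: bytes, pcr: bytes) -> bytes:
    """Phase 2: the TPM signs (nonce || PCR) with the AIK. Assumption: HMAC stands
    in for the RSA signature so that the example needs no extra library."""
    return hmac.new(AIK_KEY, nonce + pcr, hashlib.sha1).digest()


def verify(nonce: bytes, pcr: bytes, sig: bytes, log: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Phase 3, on the verifier: check the signature over our own nonce (freshness),
    replay the log to confirm it produces the quoted PCR, then judge every entry."""
    if not hmac.compare_digest(quote(nonce, pcr), sig):
        return False, "signature or nonce mismatch"
    replay = PCR_INIT
    for _, hexdigest in log:
        replay = pcr_extend(replay, bytes.fromhex(hexdigest))
    if replay != pcr:
        return False, "measurement log does not reproduce the quoted PCR"
    for name, hexdigest in log:
        if KNOWN_GOOD.get(name) != hexdigest:
            return False, "unknown or modified component: " + name
    return True, "platform in an acceptable state"


def run_scenarios() -> Dict[str, str]:
    """The honest case plus three failure modes, all on constructed inputs."""
    nonce = b"verifier-nonce-1"
    pcr, log = measure(GOOD_FILES)
    out = {"honest": verify(nonce, pcr, quote(nonce, pcr), log)[1]}
    # 1) a modified sshd: log and PCR agree with each other, but the hash is not known-good
    bad_pcr, bad_log = measure([GOOD_FILES[0], ("/usr/sbin/sshd", b"sshd trojan (constructed)")])
    out["modified"] = verify(nonce, bad_pcr, quote(nonce, bad_pcr), bad_log)[1]
    # 2) the host drops the incriminating log entry; the PCR cannot be rewound to match
    out["edited_log"] = verify(nonce, bad_pcr, quote(nonce, bad_pcr), bad_log[:1])[1]
    # 3) an old quote replayed against a fresh nonce
    out["replayed"] = verify(b"verifier-nonce-2", pcr, quote(nonce, pcr), log)[1]
    return out
```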

22 Linux Integrity Measurement

23 Linux Attestation

24 Linux Verification

26 Network Access Control (NAC)
- Two separate goals:
  - Ensure computers are "clean", and running an authorized configuration
  - Ensure only "good" computers connect to the LAN
- We could have done #1 with TC, but TC is not happening
- So we just ask the computer nicely, and believe the response...
- NAC is important in the marketplace
- Being standardized within TCG
  - Under the name Trusted Network Connect, TNC
- It might converge with TC some day

27 TC: Related and Competing Initiatives
- Microsoft Next Generation Secure Computing Base (NGSCB), formerly Palladium
  - Uses the TPM to create a secure OS partition
  - Was expected to go into Vista
  - Apparently dead now
  - Microsoft's BitLocker disk encryption survived into Vista
- ARM TrustZone
- Intel Trusted Execution Technology
  - Next slide

28 Intel Trusted Execution Technology
- A recent initiative, an extension of the vPro architecture
- Relies on the TPM
- Focused on virtualization: partitioning of virtual machines
- Requires an "enabled" OS and applications
- Provides:
  - Protected (partitioned) execution: partitions are full virtual machines, each running its own OS
  - Sealed storage
  - Protected input (e.g. from USB devices)
  - Protected graphics
  - Software measurement and protected launch of OS components
- Consists of:
  - CPU extensions
  - Chipset enhancements, e.g. to partition physical memory
  - TPM

29 Summary
- Trusted Computing tries to solve one of the top problems in today's computing
- It builds a complex and interesting architecture, using innovative hardware components
- The built-in conflict between proven security and privacy has not been resolved, and maybe cannot be
- TC is making small steps forward; will it ever see widespread use?

30 Further Reading
- Pearson et al., Trusted Computing Platforms, Hewlett Packard and Prentice Hall, 2003
- David Grawrock, The Intel Safer Computing Initiative, Intel Press, 2006

Thank You!