Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Slides:

Advertisements

Similar presentations

MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.

Advertisements

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

Technical Presentation AIAC Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

Toward Practical Public Key Anti- Counterfeiting for Low-Cost EPC Tags Alex Arbit, Avishai Wool, Yossi Oren, IEEE RFID April

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

FIPS 201 Framework: Special Pubs ,76,78 Jim Dray HSPD-12 Workshop May 4/5, 2005.

Trusted Symbol of the Digital Economy 1 Bill Holmes – VP Marketing ID Platform - Smart Cards.

Trusted Platform Module

Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5 14 Protection and Security.

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 3: Operating Systems Computer Science: An Overview Tenth Edition.

Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.

Lecture 5: Cryptographic Hashes

Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Figure 1.1 Interaction between applications and the operating system.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.

Electronic Mail Security

Securing Applications With Firmware (Going Beyond TCPA Platform Security) Dr. Robert W. Baldwin Chief Scientist.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Trusted Computing Platform Alliance

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 3: VPN and Encryption Technology.

Solutions for Secure and Trustworthy Authentication Ramesh Kesanupalli

Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Security.  is one of the most widely used and regarded network services  currently message contents are not secure may be inspected either.

Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Cryptography and Network Security (CS435) Part Twelve (Electronic Mail Security)

Cosc 4765 Trusted Platform Module. What is TPM The TPM hardware along with its supporting software and firmware provides the platform root of trust. –It.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.

Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.

An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

Security Using PGP - Prajakta Bahekar. Importance of Security is one of the most widely used network service on Computer Currently .

Trusted Infrastructure Xiaolong Wang, Xinming Ou Based on Dr. Andrew Martin’s slides from TIW 2013.

Wireless and Mobile Security

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

1 Information Security – Theory vs. Reality , Winter Lecture 12: Trusted computing architecture (cont.), Eran Tromer Slides credit:

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

TCS Internal Security. 2 TCS Internal Objective Objective :  Android Platform Security Architecture.

What is BitLocker and How Does It Work? Steve Lamb IT Pro Evangelist, Microsoft Ltd

By Marwan Al-Namari & Hafezah Ben Othman Author: William Stallings College of Computer Science at Al-Qunfudah Umm Al-Qura University, KSA, Makkah 1.

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction.

Web Applications Security Cryptography 1

Hardware-rooted Trust for Secure Key Management & Transient Trust

Trusted Computing and the Trusted Platform Module

Trusted Infrastructure

Chapter 1: Introduction

Trusted Computing and the Trusted Platform Module

TERRA Authored by: Garfinkel, Pfaff, Chow, Rosenblum, and Boneh

IBM Z Dataset Encryption: How does the mechanism encryption function?

User-mode Secret Protection (SP) architecture

Public Key Infrastructure

Presentation transcript:

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies

© Copyright 2004 Phoenix Technologies Ltd 2 Objectives for DevID Provide strong means to identify and authenticate the identity of devices in a network – including during initial provisioning (possibly remotely) Identity is permanently bound to device Each identity is unique Centralized infrastructure not required for DevID to be usable

© Copyright 2004 Phoenix Technologies Ltd 3 Phoenix Security Architecture Security Architecture provides secure cryptographic operations and the ability to bind applications and data to a specific device Operations done in Secure SMI Environment Caller Validation provides extra protection Binding to device via Secure Storage

© Copyright 2004 Phoenix Technologies Ltd 4 Phoenix Security Framework Core System Software Power-on Application OS Kernel Application Ring 3 Application privilege Ring 0 OS privilege System Management Mode (Highest privilege on the CPU) Security Driver SMM CSS privilege Caller Validation Device Key in Secure Silicon

© Copyright 2004 Phoenix Technologies Ltd 5 Secure Storage Nonvolatile memory Hardware-Based OAR-Locking (Open at Reset) Offline storage of Device Key (DK) 20 Bytes = 16 byte DK + 4 byte status Retrieved at BIOS reset Contents transferred to SMRAM Locked until next reset Examples – CMOS, FWH, EC, …

© Copyright 2004 Phoenix Technologies Ltd 6 Device Key (DK) 128-bit Advanced Encryption Standard (AES) Systems typically ship with no DK DK randomly generated on first use of a cME Security application DK unique to that specific device (motherboard) Never exposed outside of SMI for StrongROM

© Copyright 2004 Phoenix Technologies Ltd 7 Device Key Handling

© Copyright 2004 Phoenix Technologies Ltd 8 StrongROM Embedded Crypto Engine StrongROM provides: Secure Storage and DK access General Crypto Caller Validation Runs in SMM (System Management Mode) SMRAM (Locked, Paged in by hardware) Time-slicing for compute-intensive operations

© Copyright 2004 Phoenix Technologies Ltd 9 StrongROM Algorithms SHA bit AES 128-bit HMAC-SHA RSA bit PRNG SHA-1 Based NIST Approved

© Copyright 2004 Phoenix Technologies Ltd 10 Caller Validation Inter-module communication involves checking caller against a signature driver-to-StrongROM application-to-driver Requires that calling applications are Signed Authorized Undamaged Protects against debug attacks

© Copyright 2004 Phoenix Technologies Ltd 11 Caller Validation (cont.) Portion of executables in-memory image is hashed into an Owners Code Digest (OCD) OCD is signed by Phoenix Phoenix maintains hierarchy of keys in a secure location with root key protected by Verisign Caller validation compares in-memory image of calling application against signature

© Copyright 2004 Phoenix Technologies Ltd 12 Caller Validation

© Copyright 2004 Phoenix Technologies Ltd 13 Security Services Data Protection and Binding to Device Seal / Unseal AppContainer using Device Key Data accessed by authorized application on authorized platform RSA Key Protection and Binding to Device Special AppContainer storing keys Private Keys are not exposed outside of SMM Platform Identifier Platform ID = HMAC (DK, OCD || Usage Flags)

© Copyright 2004 Phoenix Technologies Ltd 14 Phoenix Security Strengths Unique DK – limits class attacks DK Handled in a secure environment Secure Storage variety (as opposed to homogenous storage) Caller validation Privacy – Limited exposure of the DK Basic building blocks for applications (ex. Client-server application)

© Copyright 2004 Phoenix Technologies Ltd 15 DevID with Phoenix Framework Use the Platform ID as a DevID Statistically unique credential bound to the device Derive a new credential unique to DevID, unrelated to the Device Key except by platform association presumably stored as a protected BLOB outside of StrongROM

© Copyright 2004 Phoenix Technologies Ltd 16 Summary Phoenix Security Framework provides the necessary components to implement DevID strong asymmetric crypto secure hashing integrated secure storage Platform ID by itself meets the needs of DevID Phoenix Security Framework could be optimized for variety device classes