Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual Monotonic Counters and Count-Limited Objects Using a TPM without a Trusted OS Luis F. G. Sarmenta Joint work with: Marten van Dijk.

Published byDoreen Lloyd Modified over 10 years ago

Similar presentations

Presentation on theme: "Virtual Monotonic Counters and Count-Limited Objects Using a TPM without a Trusted OS Luis F. G. Sarmenta Joint work with: Marten van Dijk."— Presentation transcript:

1 Virtual Monotonic Counters and Count-Limited Objects Using a TPM without a Trusted OS Luis F. G. Sarmenta (lfgs@mit.edu) Joint work with: Marten van Dijk (marten@mit.edu), Charles W. O’Donnell, Jonathan Rhodes, and Srini Devadas MIT Computer Science and A.I. Laboratory (CSAIL) University of Waterloo December 13, 2006 * This work was funded by Quanta Corporation as part of the MIT-Quanta T-Party project.

2 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 2) Virtual Monotonic Counters and Count-Limited Objects using a TPM T-Party @ MIT Project sponsored by Quanta Computer of Taiwan –one of world’s largest manufacturers of laptops, blade servers, etc. Goal: Develop “revolutionary” new technologies that will change the way computers will be designed and used in the future Main sub-projects –Natural Human Interaction / Interfaces –T-Net (“Flattening the Internet”) –JustPlay (automatically connecting and configuring devices) –Trusted Computing and Virtual Storage

3 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 3) Virtual Monotonic Counters and Count-Limited Objects using a TPM Our Project Our Project: Trusted Computing and Virtual Storage Goal: Computing power and storage from anywhere, everywhere, from any device –computing power and storage is “out there in the ether” –can possibly use other users’ machines or third-party servers –user can be mobile and intermittently offline/online Challenges: –Availability, Scalability, Privacy, Personal Freedom, and Security –In particular, security and privacy, even when interacting with or using untrusted users’ machines (e.g., in a P2P system)

4 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 4) Virtual Monotonic Counters and Count-Limited Objects using a TPM Trusted Computing and TPMs Trusted Computing –use trusted hardware to assure correct execution Trusted Platform Module (TPM) –by Trusted Computing Group (consortium) –Features *Hardware-based Crypto Engine *Secure storage for keys Attestation Identity Keys (AIKs) Storage Root Key (SRK) –encrypts personal keys, which are stored in external storage *Supports Trusted Boot together with secure BIOS and CPU, can attest to remote parties that a particular (trusted) OS is running can prevent certain data (e.g., keys or passwords) from being used or decrypted unless a particular trusted OS is running Note: TPM does not prevent you from booting code of your choice on your PC

5 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 5) Virtual Monotonic Counters and Count-Limited Objects using a TPM Trusted Computing Everywhere: An Opportunity TPMs will be everywhere –New commodity laptops and PCs already include them *Note: U.S. military is now requiring TPM –Future Versions for phones, servers, and other devices Opportunity: Massively Scalable Secure Computing without an Online Trusted 3rd Party Before: secure computing usually done by contacting online TTP –e.g., credit card transactions Now/Future: If all user devices have a trusted chip, then no need for online contact with TTP –place trust in the chip itself instead –allows for OFFLINE and P2P transactions –More scalability, availability, freedom, privacy –e.g., difference between credit cards vs. cash

6 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 6) Virtual Monotonic Counters and Count-Limited Objects using a TPM Our Focus: Freshness and Secure Counting Major problem in offline computing: Replay Attacks –without online TTP to keep track of things, malicious users can rewind their state and/or try to re-use certain limited-use data What we need is a way to: –ensure freshness of state –securely count usage of critical objects Example Applications –Trusted Storage on Untrusted Servers –Offline Payment Transactions (e.g., e-cash) *need to avoid “double-spending” –Delegation (e.g., stock broker) *preferably one-time or time-limited –Permissions management for shared data *e.g., DRM, but also personal “DRM”

7 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 7) Virtual Monotonic Counters and Count-Limited Objects using a TPM Our Solution: Virtual Monotonic Counters Monotonic Counter –A counter whose value cannot be reversed to an old value –even if an adversary has complete control of the host machine containing the counter mechanism Virtual Monotonic Counters –Use a small finite-sized secure module (e.g., TPM) –together with an unlimited amount of untrusted storage –to implement an unlimited number of tamper-evident monotonic counters Count-Limited / Counter-Linked Objects and Operations (clobs & clops) –objects and operations whose usage depends on a dedicated virtual monotonic counter Our work: Virtual monotonic counters using a TPM without a Trusted OS –More secure and more immediately implementable (on any OS) –Leads to practical and more secure forms of clobs and clops

8 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 8) Virtual Monotonic Counters and Count-Limited Objects using a TPM Count-Limited / Counter-Linked Objects and Operations Objects or commands which an untrusted host can successfully use/execute only a limited number of times –even if host can keep and replay old objects and data Examples and Applications –n-time-use delegated signing/encryption keys *Alice gives Bob a token which allows Bob to sign/encrypt using Alice’s key n times *Enables n-time offline authorization, authentication, encryption *Potential: e-tickets, e-cash, etc. –n-time-use decryption keys *Bob can decrypt using Alice’s key n times *Potential: DRM, Personal DRM

9 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 9) Virtual Monotonic Counters and Count-Limited Objects using a TPM Count-Limited / Counter-Linked Objects and Operations shared-counter limited-use objects/operations –Several different objects share the same counter –n-out-of-a-group operations –Interval-limited (including time-limited) operations –sequenced and generating clobs/clops n-copy migratable / circulatable objects –Users can transfer an object to another user –BUT only at most n users can use the object at a time –Potential: circulatable DRM tokens, e-cash, etc. count-limited or counter-linked operations –Operations / functions / algorithms in general whose behavior and output depend on certain monotonic counters –Potential: secure delegated time-stamping, mobile agents, outsourced execution, etc.

10 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 10) Virtual Monotonic Counters and Count-Limited Objects using a TPM How Can We Implement Count-Limited Objects? Three general approaches –Online Trusted Third Party *Used in software/media licensing, online payments, etc. *Not always possible. Not scalable. This is what we want to avoid. –Cryptography *Detect and trace double-spending (> n-times use) *Works for certain applications (e.g., e-cash, n-time anonymous authentication, etc.) *But, cannot prevent double-spending at time of offline transaction –Using Trusted Component *Require trusted component to produce/process data can be hardware, software or combination *Trusted component securely counts usage of object *Actually prevents double-spending at time of offline transaction *But, assumes trusted component is not compromised We follow the third approach, but using only a TPM –Minimize trusted computing base

11 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 11) Virtual Monotonic Counters and Count-Limited Objects using a TPM Count-Limited Objects and Monotonic Counters Note: We need to keep trusted independent state for each object Specifically … a dedicated monotonic counter per object –Irreversible, non-volatile register –Needs to be implemented using secure internal non-volatile memory Problem: –It is hard to have a lot of secure NVRAM in a small secure chip *small space inside trusted chip *wear-out problem –So, existing secure chips only support a few monotonic counters Example: Built-in (aka Physical) Monotonic Counters in TPM 1.2 –TPM 1.2 chips can create and keep track of at least 4 independent monotonic counters –BUT … can only increment 1 per boot cycle (!) –Allowed to throttle increments to once every 5 seconds, good for 7 years

12 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 12) Virtual Monotonic Counters and Count-Limited Objects using a TPM Virtual Monotonic Counters with Trusted OS If we have a trusted OS or trusted software, then keeping a large number of monotonic counters is straightforward Example: TCG/Microsoft scheme for “virtual monotonic counters” –Trusted OS keeps track of an arbitrary number of virtual counters using TPM’s single built-in monotonic counter –To increment a virtual counter: *OS increments TPM’s global built-in counter *OS “seals” the virtual counters’ new collective state together with counter’s value as timestamp “seal” means it is encrypted so that it can only be decrypted by TPM when Trusted OS is running) *OS stores sealed data on untrusted disk *OS can detect replay attacks by comparing timestamp with current value of global counter Trusted OS can also enforce Count-Limited Objects/Operations –Trusted OS checks the virtual counters before executing clobs/clops Current DRM-enabled devices do something similar (but not using TPM) –either using trusted firmware, or obfuscated software as trusted component

13 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 13) Virtual Monotonic Counters and Count-Limited Objects using a TPM Problems with depending on Trusted OS Problem: Trusted OS is a BIG requirement –requires TPM –requires trusted BIOS (CRTM) –requires trusted CPU (with special features) –requires other hardware support –requires specific new OS, which must be fully tested –If memory can be hacked at runtime (e.g., via DMA), then security is broken Can we implement trusted virtual monotonic counters using just a TPM, but without a trusted OS? Note: Today, most real-world TPM apps that ordinary people actually use do not use trusted boot –most use ability of TPM to protect and use encrypted keyblobs Our Thesis: VMCs and Clobs are fundamental primitives that should also be supported without requiring Trusted OS –people should be able to use them right away with any OS –(Also, can even help in implementing Trusted OS’s)

14 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 14) Virtual Monotonic Counters and Count-Limited Objects using a TPM Our Solutions Using TPM 1.2 : Log-Based Scheme –Use one built-in monotonic counter –Use log of increment operations as a freshness proof –Good enough for useful applications *implementing trusted storage on untrusted servers *n-time-use certificates –Advantage: works with existing hardware –But has drawbacks Better (for future TPMs): Hash-tree based scheme –Use Merkle Hash Tree –Simple Proposed additional TPM functionality *1 new TPM command *1 word (160-bits) of secure NVRAM space for root hash –Advantages *More efficient *Enables count-limited objects and operations (with simple additional changes to other operations)

15 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 15) Virtual Monotonic Counters and Count-Limited Objects using a TPM Log-Based Scheme (Using TPM 1.2) Idea: Use one built-in monotonic counter as global counter On increment of virtual counter A –TPM does “increment-and-sign” of global counter *nonce = H(virtual counter ID A | client’s random nonce) –produces “increment certificate” On read of virtual counter A, client gets –Signed current global counter value –Latest increment certificate for virtual counter A –Log of inc certificates between A and current time –Client checks that no other increments on A were done in between –Virtual counter value is defined as value of global counter at time of latest increment *note: monotonic but non-deterministic Global counter value 106 Current time 101 Inc c = 101 vctrID = B Sig AIK (…) 102 Inc c = 102 vctrID = A Sig AIK (…) 103 Inc c = 103 vctrID = C Sig AIK (…) 104 Inc c = 104 vctrID = B Sig AIK (…) 105 Inc c = 105 vctrID = C Sig AIK (…) 106 Inc c = 106 vctrID = B Sig AIK (…) “Read certificate” for virtual counter A at time 106 Inc c = 102 vctrID = A Sig AIK (…) Latest inc of A Value of virtual counter A at time 106 is 102 Inc c = 103 vctrID = C Sig AIK (…) Inc c = 104 vctrID = B Sig AIK (…) Inc c = 105 vctrID = C Sig AIK (…) Inc c = 106 vctrID = B Sig AIK (…) Log of other inc’s up to current time (verify that this doesn’t include A) Read c = 106 nonce Sig AIK (…) Cur time cert

16 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 16) Virtual Monotonic Counters and Count-Limited Objects using a TPM Log-Based Scheme (Using TPM 1.2) Advantage: Useful now! –for time-stamping and checking freshness  trusted storage –1-time-use and n-time-use certificates  delegation, payments, etc. Drawbacks –Non-deterministic values *Monotonic but goes up by unpredictable amounts –Log grows linearly in time *If a certain counter is not used while others are used a lot, then freshness proof for that counter can be very long –Cannot do arbitrary count-limited operations since TPM does not limit execution 106 Global counter value 101102103104105106 Current time Inc c = 101 vctrID = B Sig AIK (…) Inc c = 102 vctrID = A Sig AIK (…) Inc c = 103 vctrID = C Sig AIK (…) Inc c = 104 vctrID = B Sig AIK (…) Inc c = 105 vctrID = C Sig AIK (…) Inc c = 106 vctrID = B Sig AIK (…) “Read certificate” for virtual counter A at time 107 Inc c = 102 vctrID = A Sig AIK (…) Inc c = 103 vctrID = C Sig AIK (…) Inc c = 104 vctrID = B Sig AIK (…) Inc c = 105 vctrID = C Sig AIK (…) Inc c = 106 vctrID = B Sig AIK (…) Read c = 106 nonce Sig AIK (…) Value of virtual counter A at time 107 is 102 Latest inc of A Log of other inc’s up to current time (verify that this doesn’t include A) Cur time cert

17 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 17) Virtual Monotonic Counters and Count-Limited Objects using a TPM Hash-Tree based scheme Each Leaf contains an individual virtual counter’s state –Virtual Counter ID –Current Counter Value –Other meta-data Leaves and nodes are stored by untrusted OS in untrusted storage –Note: Hashes for empty subtrees are well-known, so need not be stored *Allows for sparse trees Root hash is kept by TPM in trusted internal NVRAM All reads, updates, and secure use of virtual counters must invoke TPM as final step countValuedataauthDataBlobcounterID TPM_COUNTER_BLOB addressrandomID TPM_COUNTER_ID rootHash h 10 h 11 h 1100 h 110 h 1101 h 111 c 1101 c 1100 c 1011 c 1010 c 1001 c 1000 c 1110 c 1111 Hash Tree State (volatile) newCounterBlob curPosition curOrigHash mode curNewHash nonce rootHash NVRAM TPM chip aikHandle UNTRUSTED STORAGE (TRUSTED)

18 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 18) Virtual Monotonic Counters and Count-Limited Objects using a TPM Proposed New Command: TPM_ExecHashTree

19 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 19) Virtual Monotonic Counters and Count-Limited Objects using a TPM Proposed New Command: TPM_ExecHashTree Inputs –AIK handle –mode (Read, Inc, Inc&Exec, Create,...) –anti-replay nonce –Counter Blob –Internal hash tree nodes –Optional: Wrapped command Output –“Execution Certificate” signed by AIK –OR, output of wrapped command Relatively Easy to Implement –1 new TPM command *plus backward-compatible modification to count-limitable operations and data structures –20 bytes (160-bits) of secure NVRAM for root hash –All internal operations required here are already supported by TPM (e.g., hash) countValuedataauthDataBlobcounterID TPM_COUNTER_BLOB addressrandomID TPM_COUNTER_ID rootHash h 10 h 11 h 1100 h 110 h 1101 h 111 c 1101 c 1100 c 1011 c 1010 c 1001 c 1000 c 1110 c 1111 Hash Tree State (volatile) newCounterBlob curPosition curOrigHash mode curNewHash nonce rootHash NVRAM TPM chip aikHandle UNTRUSTED STORAGE (TRUSTED)

20 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 20) Virtual Monotonic Counters and Count-Limited Objects using a TPM countValuedataauthDataBlobcounterID TPM_COUNTER_BLOB addressrandomID TPM_COUNTER_ID rootHash h 10 h 11 h 1100 h 110 h 1101 h 111 c 1101 c 1100 c 1011 c 1010 c 1001 c 1000 c 1110 c 1111 Read Virtual Counter Host feeds TPM –Counter blob –Internal hashes *Sibling hashes on path to root TPM computes root hash based on input –O( log N max ) internal hashing operations If computed root hash matches trusted stored root hash, –then TPM outputs certificate (signature by AIK) certifying virtual counter blob as being fresh Note: If adversary rewinds or modifies leaves or internal nodes –root hash will be different –TPM will detect and abort h 10 h 1100 Hash Tree State (volatile) newCounterBlob curPosition curOrigHash mode curNewHash nonce rootHash NVRAM TPM chip aikHandle ( aikHandle, mode, nonce, c1101, [ h 1100, h 111, h 10 ] ) TPM_ExecHashTree h 10 h 1100 c 1101 TPM_HASHTREE _EXEC_CERT newCounterBlob signature mode nonce Is Computed root same as stored root? UNTRUSTED STORAGE (TRUSTED)

21 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 21) Virtual Monotonic Counters and Count-Limited Objects using a TPM countValuedataauthDataBlobcounterID TPM_COUNTER_BLOB addressrandomID TPM_COUNTER_ID rootHash h 10 h 11 h 1100 h 110 h 1101 h 111 c 1101 c 1100 c 1011 c 1010 c 1001 c 1000 c 1110 c 1111 Increment Virtual Counter Same inputs as Read Difference: As TPM goes up tree, it computes two sets of hashes based on two counter values –The current value –The new value *(based on counter value + 1) If computed root hash based on current value matches trusted stored root hash, then: –TPM updates internal rootHash with computed root hash based on new counter value –TPM outputs certificate (signature by AIK) *certifying that inc was done *Indicating and certifying new counter value h 10 h 1100 Hash Tree State (volatile) newCounterBlob curPosition curOrigHash mode curNewHash nonce rootHash NVRAM TPM chip aikHandle ( aikHandle, mode, nonce, c1101, [ h 1100, h 111, h 10 ] ) TPM_ExecHashTree h 10 h 1100 c 1101 TPM_HASHTREE _EXEC_CERT newCounterBlob signature mode nonce Is Computed orig root same as stored root? Orig rootHashNew rootHash countValue +1 dataauthDataBlobcounterID TPM_COUNTER_BLOB (TRUSTED)

22 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 22) Virtual Monotonic Counters and Count-Limited Objects using a TPM Count-Limited Operations Same input as above PLUS wrapped command –Sort of like transport session Mode specifies Read or Increment –Normally, use increment –Read mode allows for objects which can be used unlimitedly until something else increments the same counter *e.g., revocable key delegation If computed orig root hash does not match stored root, then fail If it matches, then –perform increment (if desired), –verify that (new) current counter value satisfies count-limit conditions of command / object –if so, execute command –Output output of command directly *Optionally, wrap output in exec. cert. rootHash NVRAM TPM chip ( aikHandle, mode, nonce, c1101, [ h 1100, h 111, h 10 ], TPM_ExecHashTree { TPM_Sign(…) } ) Output Of TPM_Sign {…}

23 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 23) Virtual Monotonic Counters and Count-Limited Objects using a TPM Example: Count-Limited Keys Existing TPM feature: wrapped keys –Alice can give Bob encrypted blob containing her PK-SK keypair –Alice encrypts blob using Bob’s TPM’s storage key’s PK *SK of storage keypair is never revealed outside the TPM *So, only TPM can decrypt and use Alice’s SK in the blob –To use: *Use TPM_LoadKey to load blob into TPM  returns key handle *Use TPM_Sign, etc. with key handle –Note: currently, wrapped keys are NOT count-limited Modifications to TPM –Add count-limit condition field to wrapped key *Includes virtual counter ID, valid range, and allowed/required modes *Put in a variable-length field where PCR configuration is now –When key is loaded, condition is remembered –Upon doing a TPM_Sign using that key, check condition

24 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 24) Virtual Monotonic Counters and Count-Limited Objects using a TPM Using Count-Limited Keys Scenario: Alice wants to give Bob a 1-time key –Allows Bob to sign using Alice’s private key, but only once Issuing (Alice and Bob) –Step 1: Alice certifies Bob’s TPM and gets Bob’s storage key *e.g., check Bob’s AIK’s PK vs. known/certified value or via DAA –Step 2: Alice creates a new virtual counter on Bob’s host *Bob executes TPM_ExecHashTree *gives new counter ID and exec certificate to Alice who verifies it –Step 3: Alice encrypts a key blob using Bob’s storage key containing her keypair and gives to Bob *include count-limit condition Virtual counter ID, required mode=Increment, and valid range (in this case “1”) Use (Bob alone, offline from Alice) –Step 1: Bob uses TPM_LoadKey on encrypted key blob –Step 2: Bob calls TPM_ExecHashTree with wrapped TPM_Sign/TPM_Unbind/etc *gets relevant hash tree nodes from his storage *Calls TPM_ExecHashTree *Computes and stores new counter value and new hash tree nodes

25 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 25) Virtual Monotonic Counters and Count-Limited Objects using a TPM Applications of Count-Limited Keys n-time authentication / authorization / certification –Authority gives Bob a wrapped count-limited signing keypair PK-SK *where SK is unknown to Bob, *and PK is certified and verifiable as coming from the Authority *count-limited to n –When Bob needs to prove certification to Charlie *Charlie gives Bob a random nonce *Bob uses count-limited signing key to sign nonce *Charlie verifies Authority’s signature on nonce –Bob can only do this at most n times This leads to many potential applications* –Offline payment: Authority is Bank, signature has cash value –E-tickets (probably more feasible) –etc. * Caveat on privacy and resiliency

26 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 26) Virtual Monotonic Counters and Count-Limited Objects using a TPM Caveats Note: Anonymity can be preserved because the final output contains nothing from Bob –Only Charlie’s nonce, and Authority’s signature –(Note: Charlie does not need to verify/identify Bob, because Authority’s signature is enough proof) Caveats –#1: If Authority uses single global key, then TPMs must never broken *If a single TPM is broken, Authority’s private key is revealed. Very bad! –#2: If Authority uses multiple keys, then anonymity may be compromised *At time of issuing, Authority may give Bob a unique key, and be able to link the key to Bob’s AIK (used by Authority to verify Bob’s TPM) *Solution (?): Use DAA (Direct Anonymous Attestation) at time of issuing so Authority can’t link AIK to Bob *Also note that this may not be too bad  Note that in real-life, bank can theoretically track serial numbers of bills that you get from ATM

27 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 27) Virtual Monotonic Counters and Count-Limited Objects using a TPM Caveats Probably the best solution for critical apps (e.g., real e-cash) is to use crypto-based n-time-use techniques, but use virtual monotonic counters to count-limit these in hardware –e.g., implement a TPM command for Brand’s e-cash scheme [Brands93], but store the e-coin as a count-limited object outside the TPM *Provides hardware-based prevention of double-spending, assuming TPM is not broken, AND also provides eventual traceability, in case TPM is broken –Our advantage is we can handle an unlimited number of e-coins Note: simple schemes based on count-limited generic RSA signing operations may still be useful in non-critical applications –(i.e., where the cost of breaking a TPM would be much more than the potential gain one can get by doing so) –Advantage is that minimal change is needed in the TPM, and no need to define special-purpose commands/algorithms for each application Also: migratability may help privacy, even if anonymity is not perfect –Note that in real-life, bank can track serial numbers of bills given to you –But people don’t worry about this because cash is easily circulatable

28 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 28) Virtual Monotonic Counters and Count-Limited Objects using a TPM Other Variations on Clobs shared-counter limited-use objects/operations –e.g., Alice generates several different wrapped objects depending on the same virtual counter ID –Possibilities *N-times-within-a-group operations *Interval-limited operations Can translate to time-limited if trusted clock increments counter n-copy migratable objects –TPM already has a migrate key feature –Idea: count-limit the migration *Assume that usage of key reads but does not increment counter *But migration of key increments counter *If Alice migrates a key to Bob, then Alice’s counter gets incremented, so Alice can’t use her copy anymore *On Bob’s side, Bob gets a new key tied to a virtual counter on his TPM *Bob can use it until he migrates it to someone else (possibly Alice!) –“Lendable” objects  circulatable DRM, e-cash, etc. –Possible to make n-copy (not just 1-copy) circulatable objects *Circulatable but at most only n copies at any given time are usable –Challenge: Verification must be done by TPM (not host) *Verification key must be included in blob Others –See our MIT CSAIL Technical Report, Sept. 2006

29 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 29) Virtual Monotonic Counters and Count-Limited Objects using a TPM Other Variations on Hash-Tree based scheme Split TPM_ExecHashTree into 2 commands –Start() command, followed by Step() command for each level of tree –Advantage: no need to feed all internal tree node hashes (sibling hashes) to the TPM at once *works even if TPM only has small input buffer space –Note: internal volatile memory requirement of TPM does NOT grow *computation of hashes and updating of state is done at each step *no need to remember all the node hashes *Hash tree state is constant-sized –Note: Failure before the end is not a security problem *TPM state is only changed at the very last step if everything succeeds –However, not clear whether splitting is even necessary *we can handle 32 levels (2 32 virtual counters) with only 20 * 32 = 640 bytes for the sibling hashes Even with other input data, total input size would still be much less than 4K typical input buffer space of TPM 1.2 chips *maybe it can be useful for 160-bit (unique) virtual counter ID’s Other Variants –Multiple root hashes (allows independent hash trees, possibly of different depths) –Dynamically growing hash trees –Caching –Have TPM_ExecHashTree support operations other than increment *“mode” field can indicate different kinds of operations *e.g., Extend (i.e., one-way hash) can lead to unlimited PCR-like “hash clocks” *e.g., Read,Update Virtual Trusted Memory *This is why we recommend keeping the command name TPM_ExecHashTree generic it’s not limited to just monotonic counters –Multiple counter operations per TPM_ExecHashTree invocation *e.g., increment several counters with one TPM_ExecHashTree invocation *saves on time for signature operation in the end, and also saves on wear out of root hash NVRAM –VMCs and count-limited objects/operations using physical monotonic counters –Count-limited wrapped commands *Encrypted TPM commands with a count-limit condition field –Count-limited general-purpose commands See MIT CSAIL TR 2006-064 (Sept. 2006) for details

30 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 30) Virtual Monotonic Counters and Count-Limited Objects using a TPM Related Work Of course, general idea of n-time-use operations is an old idea Some interesting/relevant related work –“Consumable Credentials” (Bauer et al. 2006) *Logic for analyzing/modeling systems whose security depend on limited-use credentials *Currently, they assume an online trusted third party, though –Cryptographic Techniques *Classic e-cash, etc.: Chaum82, Brands, etc. *Lots of other recent work: E.g., n-time anonymous authentication, etc. (e.g., CHKLM, ACM CCS 06) –Using Trusted Component *Practically all DRM systems fall under this category today –Using combination of Crypto and Trusted Hardware *e.g., Brands93 talks about “observer” that stores a special value per e-coin in trusted memory and forgets it after using the e-coin once *Our approach can be used with this algorithm, and would allow a much larger number of values to be remembered using very little trusted NVRAM –One-time or n-time arbitrary programs using very simple hardware *Slightly prior to us, Goldwasser et al. have proposed a theoretical scheme using very simple hardware (not a secure processor like TPM). (Not yet published.)

31 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 31) Virtual Monotonic Counters and Count-Limited Objects using a TPM Ongoing / Future Work Applications –Virtual Storage, Offline Payments, etc. –(We’re starting with what we can do withTPM 1.2) CLAMs – counter-linkage modules –implement VMCs and clobs/clops mechanisms and ideas using other secure components in general, not just TPM –using other trusted hardware (e.g., smart cards, IBM 4758, AEGIS, SecureBlue, etc.) –or, potentially even CLAMs using obfuscated software and/or trusted OS *less secure but more immediately implementable and useful How can having VMCs and clobs/clops as a primitive help improve the design of future trusted modules, platforms, and software?

32 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 32) Virtual Monotonic Counters and Count-Limited Objects using a TPM Conclusions Virtual Monotonic Counters and Count-Limited/Linked Objects are small and simple primitives, but potentially very powerful and useful We have presented 2 solutions –Using TPM 1.2 log-based (can be used now) –Hash-tree based scheme (better) We can start implementing applications using TPM 1.2 It would be great if TCG incorporates hash-tree scheme and clobs/clops functionality into the next TPM Also examine incorporating this functionality in other secure chips (e.g., smartcards, etc.)

33 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 33) Virtual Monotonic Counters and Count-Limited Objects using a TPM TPM/J Java API for TPM Object-Oriented API for TPM using Java Not compliant with TCG’s TSS specifications But meant to be more easily/immediately usable by researchers Cross-platform –works with built-in Linux TPM driver (/dev/tpm0) –works with Windows systems with ifxtpm.dll –can be made to work with other platforms as well Some other features –monotonic counters and transport sessions *needed for our virtual monotonic counters implementation, but not provided by earlier APIs You’re welcome to try it and/or contribute! –BSD/MIT-style license Download at http://projects.csail.mit.edu/tc/tpmj

34 Luis F. G. Sarmenta, University of Waterloo, 12/13/06, (slide 34) Virtual Monotonic Counters and Count-Limited Objects using a TPM For more info Email: –Luis Sarmenta (lfgs@mit.edu)lfgs@mit.edu *http://people.csail.mit.edu/lfgshttp://people.csail.mit.edu/lfgs –Marten van Dijk (marten@mit.edu)marten@mit.edu Web site (under construction): –http://projects.csail.mit.edu/tchttp://projects.csail.mit.edu/tc –TPM/J: http://projects.csail.mit.edu/tc/tpmj/http://projects.csail.mit.edu/tc/tpmj/ Papers –paper in ACM Scalable Trusted Computing Workshop (STC ’06) (under CCS) –MIT CSAIL TR 2006-064 (Sept. 2006) has some more details *http://hdl.handle.net/1721.1/33966http://hdl.handle.net/1721.1/33966

Download ppt "Virtual Monotonic Counters and Count-Limited Objects Using a TPM without a Trusted OS Luis F. G. Sarmenta Joint work with: Marten van Dijk."

Similar presentations

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Vpn-info.com.

Vpn-info.com.
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.

Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta Srini Devadas MIT Computer.

Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta Srini Devadas MIT Computer.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.

User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Similar presentations

Ads by Google