Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.

Published byOlivia O'Rourke Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM."— Presentation transcript:

1 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM Workgroup Chair

2 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1012 Trusted Computing Brief History TCPA forms in January 1999 –HP, IBM, Intel, Microsoft and others…. –Trusted platforms are those containing a h/w based subsystem devoted to maintaining trust and security between machines. Trusted Platform Design Features –Includes most cryptographic primitives (not bulk crypto) –Privacy enabled (fully opt-in) –No global secrets (crack one, get just one) –Low cost (not a crypto-coprocessor) –Ubiquity (low cost and exportable) February 2001 release of first Trusted Platform Module specifications –Protected non-volatile storage, protected execution, RNG and crypto services, tamper resistance

3 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1013 Trusted Computing Brief History 2003-2004 TCPA formally becomes TCG In 2004 TCG defines trust: –An entity can be trusted if it always behaves in the expected manner for the intended operation. Today: –~100 companies are members of TCG –Multiple TPM providers Infineon, Natl Semi, and others –Multiple platform vendors Dell, HP, Lenovo, and others –Usage models coming to market Trusted Network Connect Verified boot / Trusted boot

4 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1014 Local Computing Environment Printer Subordinat e LAN Vulnerability Scanner Local Area Network Certificate Service Shared Application Servers Virus Protection Directory Services Protected Application Servers Intrusion Detection LAN Management Workstation Inside & Outside Source: IATF Release 3.0 The outside box is the enclave

5 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1015 Chain of Trust Goal is to gain trust in Entity C Operational standpoint is that A launches B and B launches C –To trust C one must trust B –To trust B one must trust A A to B to C creates a Chain of Trust Another term in use for this is Transitive Trust –Trust is transitive from A to B to C –It does not invert, trusting A does NOT imply that I must trust C –Trusting C REQUIRES me to trust A and B Entity AEntity BEntity C

6 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1016 Chain Measurement What does one need to trust the chain –The identity of each item in the chain –From definitions identity = measurement –Therefore A measures B before passing control to B –B measures C before passing control to C Generic flow is –Receive control –Measure next entity –Pass control to entity That works for the chain but who measured A? Entity AEntity BEntity C

7 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1017 Root of Trust A Root of Trust is an entity that must be trusted as there is no mechanism available to measure the entity When creating a chain of measurements the first entity in the chain MUST be the Root of Trust for Measurement (RTM) –Becomes the anchor of the chain A platform may have more than one RTM available –The Static RTM (SRTM) gains control on each boot of the platform –The Dynamic RTM (DRTM) gains control upon invocation of a specific platform operation If more than one RTM is available it means that more than one trust chain is possible RTMEntity BEntity C

8 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1018 Recap of the Basics Recap –Trusting C requires trust in B and the RTM (formerly A) –Links in the chain come from measurement (digital hash) of the entity –First link in the chain is the Root of Trust for Measurement RTMEntity BEntity C

9 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 1019 Static RTM On A PC The RTM gains control after platform reset The chain of trust starts then starts with reset and measures all of the components to the OS Blue lines indicate measurements Brown lines indicate extend operations The CRTM measures the BIOS and stores the measurement in the Trusted Platform Module (TPM) –Measurement storage uses the special TPM operation of Extend The other components measure the next link in the chain and also extend those measurements into the TPM RTM BIOS TPM Platform Reset MBR OS Loader Option ROM

10 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 10110 Dynamic RTM On A PC The RTM gains control upon execution of specific CPU instruction The Measured Launch Environment (MLE) gains control after the CPU RTM instruction completes the measurement of the MLE Typical MLE environments would be a Virtual Machine Monitor (VMM) or other specific security environments Blue lines indicate measurements Brown lines indicate extend operations The MLE can establish additional environments and also provide measurements of the those additional environments Note that the dynamic RTM provides a simpler trust chain then the static RTM RTM MLE TPM CPU Instruction

11 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 10111 Trusting The Enclave Now how does one trust the entities in the secure enclave? The answer comes from knowing how each entity is executing Knowing how each entity is executing comes from the measurement process (static, dynamic, or both) Each device may have a different RTM and there needs to be information as to what represents a trustable platform Printer Subordinat e LAN Vulnerability Scanner Local Area Network Certificate Service Shared Application Servers Virus Protection Directory Services Protected Application Servers Intrusion Detection LAN Management Workstation Inside & Outside

12 Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. © 2006 Intel Corporation 15 May 2007Trust 10112 Items Not Covered Today RTM definitions –Covered by platform type Already understood for PC and cell phones more coming Dynamic RTM processes –One example is Intel ® Trusted Execution Technology (formerly LaGrande Technology) All of the measurement values necessary to understand a platform state –Work ongoing with the TCG Infrastructure Workgroup

Download ppt "Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM."

Similar presentations

Operating-System Structures

Operating-System Structures
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary December 2010 Irvine, CA – PWG Meeting Ira McDonald (High.

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary December 2010 Irvine, CA – PWG Meeting Ira McDonald (High.
1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary and IDS WG TCG Activity Summary August 2010 Bagsvaerd, Denmark – PWG Meeting.

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary and IDS WG TCG Activity Summary August 2010 Bagsvaerd, Denmark – PWG Meeting.
1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary 10 June 2010 Rochester, NY – PWG F2F Meeting Ira McDonald.

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary 10 June 2010 Rochester, NY – PWG F2F Meeting Ira McDonald.
1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary 7 April 2010 Camas, WA – PWG F2F Meeting Ira McDonald (High.

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary 7 April 2010 Camas, WA – PWG F2F Meeting Ira McDonald (High.
1Copyright © 2011, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary May 2011 Webster, NY – PWG Meeting Ira McDonald (High North.

1Copyright © 2011, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary May 2011 Webster, NY – PWG Meeting Ira McDonald (High North.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Vpn-info.com.

Vpn-info.com.
1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013.

1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013.
A Logic of Secure Systems and its Application to Trusted Computing Anupam Datta, Jason Franklin, Deepak Garg, and Dilsun Kaynar Carnegie Mellon University.

A Logic of Secure Systems and its Application to Trusted Computing Anupam Datta, Jason Franklin, Deepak Garg, and Dilsun Kaynar Carnegie Mellon University.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.

Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.
Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division.

Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.

Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Similar presentations

Ads by Google