acn trusted computing - zcu.czledvina/dht/tugraz/trusted_computing.pdf · 2008. 3. 6. · see slide...

Trusted Computing TC/TCG/TCPA Reinhard Hutter [email protected]

Page 1

Trusted Computing

TC/TCG/TCPA

Reinhard Hutter

Page 2

Terms and definitions

• TC = Trusted Computing
• TCG = Trusted Computing Group, group of companies developing the TC specs
• TCPA = Trusted Computing Platform Alliance, predecessor of TCG
• TPM = Trusted Platform Module, the hardware
• Palladium, LaGrande, … = implementations from various companies, are not always covered by TCG specs, but are very close

Page 3

What is trust?

• Trust does NOT equal goodness!
• Trust means that the entity does what it is supposed to do
• Trust an e-banking software to perform financial operations correctly
• But also trust a trojan horse to talk to the villain
• Official definition by the TCG: An entity can be trusted if it always behaves in the expected manner for the intended purpose.

Page 4

TC fundamentals

• TCG works in workgroups and supplies specifications; others implement them
  - TPM hardware specs, trusted storage specs, trusted network connect, software stack specs, …
• On a PC, a TC system consists of hardware and software:
  - TPM, the core hardware device
  - TSS, the TC software stack, the API for developers making use of a TPM
  - (and an OS/application using them)
• Basic functionality: store, measure, report/attest identity

Page 5

The hardware: TPM (1/3)

• Low-cost chip permanently bound to a platform (PC, cell phone, PDA, …)
• Provides a random number generator, an RSA engine (up to 2048 bit), a SHA1 engine, a limited secure volatile storage (platform configuration registers (PCR) and slots for RSA keys) and a very limited non-volatile storage (for special keys and passwords)
• Is a slave device: it does not perform any actions without being asked to, and it has no access to any system resources

Page 6

The hardware: TPM (2/3)

• TPM memory is a "shielded location": data cannot be accessed/manipulated from the outside
• TPM provides "protected capabilities": on-chip functions to operate on shielded locations and perform operations necessary for all TC subsystems
• Assumption: it is much harder to manipulate hardware than software

Page 7

The hardware: TPM (3/3)

• Current version: TPM 1.2, partly incompatible with TPM 1.1 (the first TPMs actually sold); TPM next (= v1.3) to be released soon
• Manufacturers: Infineon, Atmel, ST Microelectronics, …
• Mostly found on newer laptops; can be turned on via the BIOS, although mostly not used at all

Page 8

The software: TSS

• "Low level" API for programmers to take advantage of a TPM; it "talks" to the TPM
• Has to overcome the limitations of the TPM (e.g. swapping keys in and out, encrypting and storing data on the HDD using the TPM's keys)
• Built into Windows Vista, but Vista's implementation differs from the official TCG spec
• "High level" Java wrapper library available from IAIK

Page 9

Taking ownership of a TPM

• The TPM is shipped in an unknown state; the owner of the platform has to execute the TakeOwnership command, which sets the password
• This creates the Storage Root Key (SRK), an RSA key that never leaves the TPM; all other keys/data (e.g. the RSA key you use for e-banking) are protected by this key
• Certain operations require the SRK = require the owner password
• The SRK is one of the few keys that are stored directly in the non-volatile storage of the TPM

Page 10

Chain of trust

• TC uses a "chain of trust": root A is trusted a priori, A signs (measures/protects) B, B signs (measures/protects) C, …
• If I trust A (the TPM), and the chain is not broken, I can trust C
• Different chains of trust for storage, for measurement, for reporting

Page 11

Storage (1/2)

• Root of trust for storage is the SRK
• All data/keys are in a hierarchical order with the SRK on top
• Two methods of storage:
  - Binding: storing data outside the TPM using public keys from the TPM
  - Sealing: combines external data with the state of the system -> encrypt data with a reference to the state of the system

Page 12

Storage (2/2)

Page 13

Measurement (1/2)

• Intention: measure the state of the system/platform and store it as hash values in a PCR
• Does NOT prevent the system from running malware, but the owner or verifier can deny the execution of your program/function
• Root of trust for measurement on PCs: the BIOS
• Big drawback: nobody knows how to measure the state of a big system like a PC (how do I measure Windows XP? Patches, drivers, …)
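
Sealing (Storage 1/2) and measurement into a PCR, modelled in software as an added example that is not part of the original slides. `ToyTPM`, `boot`, `replay` and the sample boot chains are hypothetical names and constructed data; the extend step follows the TPM 1.2 rule PCR_new = SHA1(PCR_old || digest), while the HMAC-derived pad in `seal` is a simplified stand-in for the RSA key hierarchy under the SRK.

```python
import hashlib
import hmac
import os

class ToyTPM:
    """Software model of one PCR plus seal/unseal (hypothetical, not a TSS API)."""
    def __init__(self):
        self._srk = os.urandom(32)  # stand-in for the SRK, never exported
        self.pcr = bytes(20)        # PCR is all zero after a platform reset

    def extend(self, image: bytes) -> bytes:
        """PCR_new = SHA1(PCR_old || SHA1(image)); returns the logged digest."""
        digest = hashlib.sha1(image).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
        return digest

    def _pad(self) -> bytes:
        return hmac.new(self._srk, b"seal" + self.pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> bytes:
        """Bind a secret (at most 32 bytes here) to the current PCR value."""
        if len(secret) > 32:
            raise ValueError("toy model seals at most 32 bytes")
        body = bytes(a ^ b for a, b in zip(secret, self._pad()))
        tag = hmac.new(self._srk, self.pcr + body, hashlib.sha256).digest()
        return tag + body

    def unseal(self, blob: bytes):
        """Return the secret only if the PCR equals its value at seal time."""
        tag, body = blob[:32], blob[32:]
        want = hmac.new(self._srk, self.pcr + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            return None  # platform state changed: data stays sealed
        return bytes(a ^ b for a, b in zip(body, self._pad()))

def boot(tpm: ToyTPM, chain):
    """Measure each stage before it runs; return the event log for a verifier."""
    return [(name, tpm.extend(image)) for name, image in chain]

def replay(log) -> bytes:
    """Verifier side: recompute the expected PCR from a reported event log."""
    pcr = bytes(20)
    for _name, digest in log:
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr

# Constructed sample boot chains; byte strings stand in for real images.
GOOD = [("bios", b"bios v1"), ("loader", b"loader v1"), ("os", b"kernel v1")]
BAD = [("bios", b"bios v1"), ("loader", b"loader v1 + rootkit"), ("os", b"kernel v1")]
```

The tampered chain still boots and is measured faithfully; what changes is that the PCR no longer matches, so sealed data is withheld and a verifier replaying the log can name the stage that differs.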

Page 14

Measurement (2/2)

Page 15

Reporting / Attestation / Privacy (1/2)

• Every TPM is a unique device, identifiable to others by the Endorsement Key (EK)
• The EK is "injected" by the manufacturer of the TPM; the manufacturer has to supply an (X509) certificate for the (RSA) EK
• Uniqueness of the EK means privacy problems: the owner becomes trackable
• Solution: the owner can create Attestation Identity Keys (AIK); a trusted third party supplies a certificate validating your AIKs
• Using the unique EK and the EK certificate, a user can create different AIKs, signed by a trusted third party, but can still prove that he is operating on a trusted platform

Page 16

Reporting / Attestation / Privacy (2/2)

Page 17

Common criticism

• Even the owner does not get the private SRK
• The TPM does nothing until specifically asked to, but will developers/companies make use of it in their own interests? (think of DRM, copy protection, customer identification, …)
• Technical problem: how do we measure the state of a large system?

Page 18

Trusted Network Connect

• For secure endpoint communication (e.g. a home worker accessing his corporation's network)
• Does not explicitly require a TPM, but is a useful application for it

Page 19

Aim / Purpose

• Platform authentication
  - Requestor has to prove platform identity and platform integrity
• Endpoint policy compliance
  - Requestor has to establish a level of trust (e.g. firewall present, antivirus up to date, ...)
  - Policy compliance can be used for authorization when platform integrity is used for the authorization decision
• Assessment, isolation and remediation
  - Platforms that don't fulfil policies can be isolated from the rest of the network

Page 20

TNC Architecture (1/2)

• Access Requestor (AR)
  - Entity that wants access to a protected network ("the client", "the caller")
• Policy Enforcement Point (PEP)
  - Grants network access / enforces policies by consulting the PDP
• Policy Decision Point (PDP)
  - The entity that grants/declines the AR's request ("the server", "the callee")
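
The three TNC roles and the three aims from the previous slide (platform authentication, policy compliance, isolation), sketched as an added example that is not part of the original slides. All class, field and segment names are hypothetical and the data is constructed; the sketch also assumes the reported PCR value has already been authenticated, which a real deployment would do with an AIK-signed quote.

```python
from dataclasses import dataclass

ALLOW, ISOLATE, DENY = "allow", "isolate", "deny"


@dataclass
class Report:
    """What the Access Requestor (AR) presents when it asks for access."""
    platform_id: str
    pcr_hex: str        # reported integrity measurement
    firewall_on: bool
    av_age_days: int    # age of the antivirus signatures


class PDP:
    """Policy Decision Point: decides, but never touches the network itself."""

    def __init__(self, known_platforms, max_av_age_days=7):
        self.known = known_platforms      # platform_id -> expected PCR (hex)
        self.max_av_age = max_av_age_days

    def decide(self, r: Report):
        # Platform authentication: identity and integrity must both match.
        expected = self.known.get(r.platform_id)
        if expected is None or expected != r.pcr_hex:
            return DENY, ["platform identity/integrity not proven"]
        # Endpoint policy compliance: failures lead to isolation, not denial.
        failed = []
        if not r.firewall_on:
            failed.append("firewall disabled")
        if r.av_age_days > self.max_av_age:
            failed.append("antivirus signatures out of date")
        return (ISOLATE, failed) if failed else (ALLOW, [])


class PEP:
    """Policy Enforcement Point: consults the PDP, then places the AR."""
    SEGMENT = {ALLOW: "corporate", ISOLATE: "remediation", DENY: None}

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def connect(self, report: Report):
        decision, reasons = self.pdp.decide(report)
        return self.SEGMENT[decision], reasons


# Constructed sample policy: one known laptop with its expected PCR value.
DEMO_PDP = PDP({"laptop-17": "aa" * 20})
```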

Page 21

TNC Architecture (2/2)

Page 22

Open discussion

• Applications?
• Privacy?
• DRM?
• Treacherous computing?
• …

Page 23

References

• Literature:
  - www.trustedcomputing.org
  - www.iaik.tugraz.at/teaching/04_trustedcomputing/index.php
• Software:
  - TPM Emulator for Linux: http://developer.berlios.de/projects/tpm-emulator/
  - Trousers TSS: http://sourceforge.net/projects/trousers/
  - Java-Trousers-Wrapper: trustedjava.sf.net

Page 24

Questions

• When speaking of Trusted Computing: What is trust?
  - See slide nr. 3
• What does "chain of trust" mean?
  - See slide nr. 10
  - Example on slide nr. 12