acn trusted computing - zcu.czledvina/dht/tugraz/trusted_computing.pdf · 2008. 3. 6.
Terms and definitions
- TC = Trusted Computing
- TCG = Trusted Computing Group, the group of companies developing the TC specs
- TCPA = Trusted Computing Platform Alliance, predecessor of the TCG
- TPM = Trusted Platform Module, the hardware
- Palladium, LaGrande, … = implementations from various companies; not always covered by the TCG specs, but very close to them
What is trust?
- Trust does NOT equal goodness!
- Trust means that the entity does what it is supposed to do
  - Trust e-banking software to perform financial operations correctly
  - But also trust a trojan horse to talk to the villain
- Official definition by the TCG: An entity can be trusted if it always behaves in the expected manner for the intended purpose.
TC fundamentals
- The TCG works in workgroups and supplies specifications; others implement them
  - TPM hardware specs, trusted storage specs, trusted network connect, software stack specs, …
- On a PC a TC system consists of hardware and software:
  - TPM, the core hardware device
  - TSS, the TC software stack: the API for developers making use of a TPM
  - (and an OS/application using them)
- Basic functionality: store, measure, report/attest identity
The hardware: TPM (1/3)
- Low-cost chip permanently bound to a platform (PC, cell phone, PDA, …)
- Provides a random number generator, an RSA engine (up to 2048 bit), a SHA-1 engine, a limited secure volatile storage (platform configuration registers (PCRs) and slots for RSA keys) and a very limited non-volatile storage (for special keys and passwords)
- Is a slave device: does not perform any action without being asked to; neither does it have access to any system resources
The hardware: TPM (2/3)
- TPM memory is a „shielded location“: data cannot be accessed/manipulated from the outside
- The TPM provides „protected capabilities“: on-chip functions that operate on shielded locations and perform the operations necessary for all TC subsystems
- Assumption: it is much harder to manipulate hardware than software
The hardware: TPM (3/3)
- Current version: TPM 1.2, partly incompatible with TPM 1.1 (which were the first TPMs actually sold); TPM next (= v1.3) to be released soon
- Manufacturers: Infineon, Atmel, STMicroelectronics, …
- Mostly found on newer laptops; can be turned on via the BIOS, although mostly not used at all
The software: TSS
- „Low level“ API for programmers to take advantage of a TPM; „talks“ to the TPM
- Has to overcome the limitations of the TPM (e.g. swapping keys in and out, encrypting and storing data on the HDD using the TPM's keys)
- Built into Windows Vista, but Vista's implementation differs from the official TCG spec
- „High level“ Java wrapper library available from IAIK
Taking ownership of a TPM
- The TPM is shipped in an unknown state; the owner of the platform has to execute the TakeOwnership command, setting the owner password
- This creates the Storage Root Key (SRK), an RSA key that never leaves the TPM; all other keys/data (e.g. the RSA key you use for e-banking) are protected by this key
- Certain operations require the SRK = require the owner password
- The SRK is one of the few keys that are stored directly in the non-volatile storage of the TPM
Chain of trust
- TC uses a „chain of trust“: root A is trusted a priori, A signs (measures/protects) B, B signs (measures/protects) C, …
- If I trust A (the TPM), and the chain is not broken, I can trust C
- Different chains of trust for storage, for measurement, for reporting
Storage (1/2)
- Root of trust for storage is the SRK
- All data/keys are in a hierarchical order with the SRK on top
- Two methods of storage:
  - Binding: storing data outside the TPM using public keys from the TPM
  - Sealing: combines external data with the state of the system -> encrypts data with a reference to the state of the system
Storage (2/2)
Measurement (1/2)
- Intention: measure the state of the system/platform and store it as hash values in a PCR
- Does NOT prevent the system from running malware, but the owner or a verifier can deny the execution of your program/function
- Root of trust for measurement on PCs: the BIOS
- Big drawback: nobody knows how to measure the state of a big system like a PC (how do I measure Windows XP? Patches, drivers, …)
Measurement (2/2)
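The two slides above, Storage and Measurement, describe mechanisms that only make sense together: a PCR can only be extended (never written), so its final value depends on every measured component and on their order, and a sealed blob is released by the TPM only when the PCRs hold the value recorded at sealing time. The following code is an added example, not part of the slides or of any TCG software: it models the extend operation, a measured boot chain, and seal/unseal against a simulated TPM. The `SimTpm` class, its HMAC-SHA256 based seal/unseal construction (a stand-in for the real TPM's RSA/AES primitives), and the boot-chain images are assumptions made here so that the example runs with the standard library alone.

```python
"""Added example (not from the slides): PCR extend, a measured boot chain, and
sealing a secret to that PCR state with a simulated TPM.  The simulated TPM
keeps an SRK stand-in that never leaves the object; its seal/unseal uses an
HMAC-SHA256 construction in place of the real TPM's RSA/AES primitives, an
assumption made here for a self-contained, stdlib-only example."""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 20          # a TPM 1.2 PCR starts as 20 zero bytes at power-on (SHA-1 sized)


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA1(PCR_old || SHA1(data)).  Values can only be
    accumulated, never overwritten, so the final PCR depends on every
    measurement and on their order."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def measure_boot_chain(components):
    """Measure a list of (name, image_bytes) in boot order into one PCR.
    Returns (final_pcr, event_log); the log lists each component's digest and
    is what a verifier replays to explain how a PCR value came about."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        log.append((name, hashlib.sha1(image).hexdigest()))
        pcr = pcr_extend(pcr, image)
    return pcr, log


class SimTpm:
    """Minimal stand-in for a TPM: one PCR plus seal/unseal bound to it."""

    def __init__(self):
        self._srk = os.urandom(32)   # stand-in for the Storage Root Key; never exported
        self.pcr = PCR_INIT

    def extend(self, data: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, data)

    def reboot(self) -> None:
        """PCRs are reset at power-on; the boot chain is then re-measured."""
        self.pcr = PCR_INIT

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < length:
            out += hmac.new(self._srk, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def seal(self, secret: bytes) -> bytes:
        """Seal: encrypt (current PCR || secret) under the SRK stand-in and
        authenticate the blob.  The blob may live on disk; only this TPM can
        open it, and only when its PCR equals the value recorded inside."""
        nonce = os.urandom(16)
        body = self.pcr + secret
        ct = bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))
        tag = hmac.new(self._srk, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._srk, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob was not sealed by this TPM")
        body = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        sealed_pcr, secret = body[:20], body[20:]
        if not hmac.compare_digest(sealed_pcr, self.pcr):
            raise ValueError("platform state differs from the state at sealing time")
        return secret


# Constructed boot chain: the version strings stand in for real firmware images.
GOOD_CHAIN = [(b"bios", b"BIOS 1.0"), (b"bootloader", b"GRUB 1.95"), (b"kernel", b"linux-2.6.24")]
TAMPERED_CHAIN = [(b"bios", b"BIOS 1.0"), (b"bootloader", b"GRUB 1.95"), (b"kernel", b"linux-2.6.24-modified")]


def seal_then_reboot(chain_at_seal, chain_at_boot, secret=b"disk-encryption-key"):
    """Seal under one boot chain, reboot into another; return the unsealed secret,
    or None when the TPM refuses because the measured state changed."""
    tpm = SimTpm()
    for _, image in chain_at_seal:
        tpm.extend(image)
    blob = tpm.seal(secret)
    tpm.reboot()
    for _, image in chain_at_boot:
        tpm.extend(image)
    try:
        return tpm.unseal(blob)
    except ValueError:
        return None


if __name__ == "__main__":
    pcr, log = measure_boot_chain(GOOD_CHAIN)
    print("PCR after good boot:", pcr.hex())
    print("unseal after identical boot:", seal_then_reboot(GOOD_CHAIN, GOOD_CHAIN))
    print("unseal after modified kernel:", seal_then_reboot(GOOD_CHAIN, TAMPERED_CHAIN))
```

Two properties worth noticing when running it: measuring the same components in a different order yields a different PCR, which is why the event log (not just the final hash) matters to a verifier, and a blob sealed by one `SimTpm` instance cannot be opened by another even in the identical PCR state, which is the storage chain of trust rooted in the SRK.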
Reporting / Attestation / Privacy (1/2)
- Every TPM is a unique device, identifiable to others by the Endorsement Key (EK)
- The EK is „injected“ by the manufacturer of the TPM; the manufacturer has to supply an (X.509) certificate for the (RSA) EK
- Uniqueness of the EK means privacy problems: the owner becomes trackable
- Solution: the owner can create Attestation Identity Keys (AIKs); a trusted third party supplies a certificate validating your AIKs
- Using the unique EK and the EK certificate, a user can create different AIKs, signed by a trusted third party, and still prove that he is operating on a trusted platform
Reporting / Attestation / Privacy (2/2)
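The attestation flow on the slide above has three parties: the platform, whose TPM signs its PCR values with an AIK; the trusted third party (Privacy CA) that certifies the AIK after checking the EK certificate; and a remote verifier that sees only the AIK, never the EK. The code below is an added example, not from the slides or any TCG software, modelling that exchange end to end. It uses textbook RSA without padding and toy 512-bit keys so that it runs with the standard library alone (a real TPM uses 2048-bit RSA with PKCS#1 padding); the `"AIK-CERT"`/`"QUOT"` prefixes, the quote dictionary layout and the PCR values are assumptions made here.

```python
"""Added example (not from the slides): a simulated TPM_Quote with an AIK
certified by a Privacy CA and checked by a remote verifier.  Textbook RSA
(no padding) with small 512-bit keys is used so the example is stdlib-only."""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)).  Toy size: far smaller than a TPM's 2048-bit keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha1(data).digest(), "big"), d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha1(data).digest(), "big")


def aik_pub_bytes(aik_pub) -> bytes:
    n, e = aik_pub
    return n.to_bytes(64, "big") + e.to_bytes(4, "big")


def privacy_ca_certify(ca_priv, aik_pub) -> int:
    """The Privacy CA has checked the platform's EK certificate out of band (not
    modelled here) and vouches for the AIK without revealing which EK it belongs
    to; the 'certificate' is simply the CA's signature over the AIK public key."""
    return rsa_sign(ca_priv, b"AIK-CERT" + aik_pub_bytes(aik_pub))


def pcr_composite(pcrs) -> bytes:
    """SHA-1 over the selected PCR values, in index order."""
    return hashlib.sha1(b"".join(pcrs)).digest()


def tpm_quote(aik_priv, pcrs, nonce: bytes):
    """TPM_Quote: sign the PCR composite together with the verifier's nonce."""
    composite = pcr_composite(pcrs)
    return {"pcrs": list(pcrs), "nonce": nonce,
            "sig": rsa_sign(aik_priv, b"QUOT" + composite + nonce)}


def verify_quote(quote, aik_pub, aik_cert: int, ca_pub, my_nonce: bytes, expected_pcrs) -> bool:
    """Remote verifier: trust chain is Privacy CA -> AIK -> quote; only then are
    the reported PCRs compared with the known-good values."""
    if not rsa_verify(ca_pub, b"AIK-CERT" + aik_pub_bytes(aik_pub), aik_cert):
        return False                         # AIK not vouched for by a CA we trust
    if quote["nonce"] != my_nonce:
        return False                         # replayed or unsolicited quote
    signed = b"QUOT" + pcr_composite(quote["pcrs"]) + quote["nonce"]
    if not rsa_verify(aik_pub, signed, quote["sig"]):
        return False                         # quote not produced by the certified AIK
    return pcr_composite(quote["pcrs"]) == pcr_composite(expected_pcrs)


if __name__ == "__main__":
    ca_pub, ca_priv = rsa_keygen()
    aik_pub, aik_priv = rsa_keygen()          # created by the TPM owner, one per identity
    cert = privacy_ca_certify(ca_priv, aik_pub)
    good = [hashlib.sha1(b"pcr%d" % i).digest() for i in range(3)]   # constructed PCR values
    nonce = secrets.token_bytes(20)
    print("quote accepted:", verify_quote(tpm_quote(aik_priv, good, nonce), aik_pub, cert, ca_pub, nonce, good))
```

The verifier's nonce is what keeps a quote from being replayed from an earlier, healthy boot; the order of checks (certificate, freshness, signature, then PCR comparison) ensures the PCR values are only interpreted once it is established that a certified TPM key produced them.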
Common criticism
- Even the owner does not get the private SRK
- The TPM does nothing until specifically asked for it – but will developers/companies make use of it in their own interests? (think of DRM, copy protection, customer identification, …)
- Technical problem: how do we measure the state of a large system?
Trusted Network Connect
- For secure endpoint communication (e.g. a home worker accessing his corporate network)
- Does not explicitly require a TPM, but is a useful application for it
Aim / Purpose
- Platform authentication
  - The requestor has to prove platform identity and platform integrity
- Endpoint policy compliance
  - The requestor has to establish a level of trust (e.g. firewall present, antivirus up-to-date, …)
  - Policy compliance can be used for authorization when platform integrity is used for the authorization decision
- Assessment, isolation and remediation
  - Platforms that don't fulfil the policies can be isolated from the rest of the network
TNC Architecture (1/2)
- Access Requestor (AR)
  - Entity that wants access to a protected network („the client“, „the caller“)
- Policy Enforcement Point (PEP)
  - Grants network access / enforces policies by consulting the PDP
- Policy Decision Point (PDP)
  - The entity that grants/declines the AR's request („the server“, „the callee“)
TNC Architecture (2/2)
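The Aim / Purpose and Architecture slides above describe a decision that combines two different inputs: attested platform integrity (what the TPM measured) and self-reported policy compliance (firewall, antivirus). The code below is an added example, not from the slides or from any TNC implementation, of a PDP and PEP making that decision: integrity is checked first, because posture claims coming from a platform whose measured state is not the known-good one cannot be believed, and only a platform that passes integrity but fails a posture check is sent to remediation rather than refused. The posture report fields, VLAN names, thresholds and device identifiers are assumptions made here; TNC's real IF-* message formats are not modelled.

```python
"""Added example (not from the slides): a minimal TNC Policy Decision Point
and Policy Enforcement Point.  Report fields, VLAN names and thresholds are
assumptions for this example."""
from dataclasses import dataclass

ALLOW, ISOLATE, DENY = "allow", "isolate", "deny"


@dataclass(frozen=True)
class PostureReport:
    """What the Access Requestor sends: a platform identity, the attested PCR
    composite (integrity), and the endpoint's self-reported posture claims."""
    platform_id: str
    pcr_composite: str              # hex digest reported by the platform's TPM quote
    firewall_enabled: bool
    av_signature_age_days: int


@dataclass(frozen=True)
class Policy:
    known_good_pcr: dict            # platform_id -> expected pcr_composite (hex)
    max_av_signature_age_days: int = 7


class PolicyDecisionPoint:
    """The PDP answers the PEP's question; it never touches the network itself."""

    def __init__(self, policy: Policy):
        self.policy = policy

    def decide(self, report: PostureReport):
        expected = self.policy.known_good_pcr.get(report.platform_id)
        if expected is None:
            return DENY, ["platform identity unknown"]
        # Integrity first: if the measured state is not the known-good one, the
        # posture claims come from software we cannot trust, so they are not
        # evaluated at all and the platform is refused outright.
        if report.pcr_composite != expected:
            return DENY, ["platform integrity mismatch"]
        findings = []
        if not report.firewall_enabled:
            findings.append("host firewall disabled")
        if report.av_signature_age_days > self.policy.max_av_signature_age_days:
            findings.append("antivirus signatures older than %d days"
                            % self.policy.max_av_signature_age_days)
        return (ISOLATE, findings) if findings else (ALLOW, [])


class PolicyEnforcementPoint:
    """The PEP (a switch or VPN gateway, say) consults the PDP and applies the
    result; non-compliant but trustworthy platforms go to a remediation VLAN."""
    VLAN_FOR = {ALLOW: "corp", ISOLATE: "remediation", DENY: None}

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.assignments = {}        # platform_id -> VLAN currently assigned (None = no access)

    def handle_access_request(self, report: PostureReport):
        decision, findings = self.pdp.decide(report)
        vlan = self.VLAN_FOR[decision]
        self.assignments[report.platform_id] = vlan
        return decision, vlan, findings


# Constructed data: a known-good PCR composite per managed laptop.
POLICY = Policy(known_good_pcr={"laptop-17": "a" * 40, "laptop-42": "b" * 40})


def run_demo():
    """Four constructed access requests; returns the PEP's result for each."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICY))
    reports = [
        PostureReport("laptop-17", "a" * 40, True, 2),      # healthy
        PostureReport("laptop-42", "b" * 40, False, 30),    # trusted platform, poor posture
        PostureReport("laptop-17", "c" * 40, True, 0),      # measured boot chain differs
        PostureReport("laptop-99", "a" * 40, True, 0),      # device not in the policy
    ]
    return [pep.handle_access_request(r) for r in reports]


if __name__ == "__main__":
    for decision, vlan, findings in run_demo():
        print(decision, vlan, findings)
```

The third request is the instructive one: its posture looks perfect, yet it is denied rather than isolated, because the PDP never reached the posture checks once the integrity comparison failed.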
Open discussion
- Applications?
- Privacy?
- DRM?
- Treacherous computing?
- …
References
- Literature:
  - www.trustedcomputing.org
  - www.iaik.tugraz.at/teaching/04_trustedcomputing/index.php
- Software:
  - TPM Emulator for Linux: http://developer.berlios.de/projects/tpm-emulator/
  - Trousers TSS: http://sourceforge.net/projects/trousers/
  - Java-Trousers-Wrapper: trustedjava.sf.net
Questions
- When speaking of Trusted Computing: what is trust?
  - See slide nr. 3
- What does „chain of trust“ mean?
  - See slide nr. 10
  - Example on slide nr. 12