TPM: Trusted Platform Module Sumeet Bajaj [email protected] 9 Feb 2011 CSE 408


Page 1: TPM: Trusted Platform Module

TPM: Trusted Platform Module

Sumeet Bajaj [email protected]

9 Feb 2011 CSE 408

Page 2: TPM: Trusted Platform Module

Introduction

Verifier Platform

Attestation of Remote Platform
• Identify specific platform
• Verify software stack on remote platform

verification request

verification data

Page 3: TPM: Trusted Platform Module

Use Case

Verify user system

Corporate Network

Connect

Page 4: TPM: Trusted Platform Module

TPM

Trusted Platform Module
• Secure crypto-processor

Uses
• Remote Attestation
• Binding, Sealing : Data encryption

Applications
• Platform Integrity
• Disk Encryption
• Password Protection
• Digital Rights Management
• Software Licenses

Verifier Platform

verification data

verification request

TPM deployed on remote platform

Page 5: TPM: Trusted Platform Module

TPM Specification

TPM Specification

Design Structure Commands

TPM Chips

No TPMs: China, Russia, Belarus, Kazakhstan

Page 6: TPM: Trusted Platform Module

TPM Example

300 Million PCs have shipped with a chip called the Trusted Platform Module (TPM)

Page 7: TPM: Trusted Platform Module

TPM Specification v1.1 (184 pages)

• FIPS 140-2 certification.
• Commands for all operations, e.g. Key generation, PCR extension
• Processes for Key generation & management
• Cryptographic processes e.g. Random number generation
• TPM Architecture
• TPM operation including initialization, self-test modes, startup, enabling, disabling etc.

FIPS 140-2 Level 1: The lowest, imposes very limited requirements; loosely, all components must be "production-grade".
FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
FIPS 140-2 Level 4: Makes the physical security requirements more stringent, and requires robustness against environmental attacks.

FIPS: Federal Information Processing Standard

Page 8: TPM: Trusted Platform Module

TPM Architecture

Page 9: TPM: Trusted Platform Module

PCR (Platform Configuration Register)

Problem! Scale, collusion

PCR

160 bits

PCRi New = HASH ( PCRi Old value || value to add)

• Minimum of 16 PCRs
• Store integrity metrics
• Avoid overwriting

• Unlimited number of measurements
• Measurements are ordered
• If disabled, extending a PCR still works, but returns 0s

Page 10: TPM: Trusted Platform Module

Platform

TCG Boot Process

BIOS Boot Block
BIOS
MBR/OS Loader
Operating System
Application

PCR0 = 0
PCR_Extend(n, <BIOS CODE>): PCR1 = H(PCR0 || <BIOS Code>)
PCR_Extend(n, <MBR CODE>): PCR2 = H(PCR1 || <MBR Code>)
PCR_Extend(n, <OS CODE>): PCR3 = H(PCR2 || <OS Code>)
PCR_Extend(n, <APP CODE>): PCR4 = H(PCR3 || <APP Code>)

H : SHA-1
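The extend chain above, worked through as an added example (not part of the original slides): the platform extends one PCR per boot stage and keeps an event log, and a verifier replays that log against the reported PCR. The stage contents, the log format and the function names are assumptions made for illustration; the code extends a SHA-1 digest of each stage, whereas the slide writes the code itself inside H.

```python
import hashlib

PCR_BYTES = 20  # 160-bit register (SHA-1 output size)

def extend(pcr, digest):
    # PCR_new = H(PCR_old || value to add), with H = SHA-1
    return hashlib.sha1(pcr + digest).digest()

def measured_boot(stages):
    """Platform side: measure each stage in order, extend, keep an event log."""
    pcr, log = bytes(PCR_BYTES), []              # PCR starts at all zeros
    for name, code in stages:
        digest = hashlib.sha1(code).digest()     # assumption: a digest of the code is extended
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def verify(reported_pcr, log, known_good):
    """Verifier side: replay the log and compare each entry to reference digests."""
    pcr, problems = bytes(PCR_BYTES), []
    for name, digest in log:
        pcr = extend(pcr, digest)
        if known_good.get(name) != digest:
            problems.append("unexpected measurement: " + name)
    if pcr != reported_pcr:
        problems.append("log does not reproduce reported PCR")
    return problems

# Constructed sample boot chain: stage names follow the slide, contents are made up.
GOOD = [("BIOS", b"bios v1"), ("MBR", b"loader v1"), ("OS", b"kernel v1"), ("APP", b"app v1")]
KNOWN_GOOD = {name: hashlib.sha1(code).digest() for name, code in GOOD}

def demo():
    good_pcr, good_log = measured_boot(GOOD)
    bad = [s if s[0] != "MBR" else ("MBR", b"loader v1 (modified)") for s in GOOD]
    bad_pcr, bad_log = measured_boot(bad)
    return {
        "clean": verify(good_pcr, good_log, KNOWN_GOOD),
        "tampered": verify(bad_pcr, bad_log, KNOWN_GOOD),
        # modified platform presenting the clean log alongside its real PCR
        "forged_log": verify(bad_pcr, good_log, KNOWN_GOOD),
        "order_matters": measured_boot(GOOD[::-1])[0] != good_pcr,
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The forged-log case is why the PCR value has to come from the TPM itself: the log alone can be edited, but it then no longer hashes to the reported register.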

Page 11: TPM: Trusted Platform Module

Root of Trust

BIOS Boot Block

BIOS MBR/OS Loader

Operating System

Application

Root of Trust in Integrity Measurement

Measuring

Extending PCRs

Root of Trust in Integrity Reporting

Page 12: TPM: Trusted Platform Module

Simple Attestation Method

Platform

TPM

PKTPM & SKTPM (Endorsement key)

PKAIK & SKAIK (Attestation Identity Key)

Application A generates PKA & SKA

Verifier (PKTPM)

DB

Lookup PCR “ok”

1) Read_PCR

2) {PCR} SKAIK

3) Cert{PKAIK} SKTPM, {PCR} SKAIK

4) Cert{PKAIK} SKTPM, {PCR} SKAIK

5) verifies the signature

6) looks up #A in DB

7) ...

Problem! Does not protect user privacy

EK is one-time unique per TPM
AIK can be used anew for each attestation

Page 13: TPM: Trusted Platform Module

Solution : Single key pair for all TPMs

TPM SKTPM

Manufacturer

PKTPM & SKTPM

TPM SKTPM

TPM SKTPM

……..

Verifier

Problem! Identify legitimate TPMs from fake

Page 14: TPM: Trusted Platform Module

Solution : Certificate Authority (TPM v1.1)

Problem! Scale, collusion

TPM

PKTPM & SKTPM (Endorsement key)

Privacy Certification Authority (CA) PKTPM1 & SKTPM1

PKTPM2 & SKTPM2 ……….. PKTPMn & SKTPMn

PKAIK & SKAIK (Attestation key)

Verifier

1. Cert{PKAIK } SKTPM

2. Searches PKTPM

3. Cert{PKAIK } SKCA

4. Verification Request

5. Cert{PKAIK } SKCA

Remove rogue TPM key from list

Page 15: TPM: Trusted Platform Module

Direct Anonymous Attestation (DAA) – TPM Spec 1.2

• Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP)
• Based on Camenisch-Lysyanskaya anonymous credential system

Direct : Without a TTP
Anonymous : Does not reveal signer’s identity
Attestation : claim from a TPM

TPM

Verifier1

SKAIK1

SKAIK2 Verifier2

DAA{SKAIK1}

DAA{SKAIK2}

Can tell SKAIK1 is from a TPM, but not which one

Can tell SKAIK2 is from a TPM, but not which one

Cannot tell if SKAIK1 & SKAIK2 are from the same TPM

Page 16: TPM: Trusted Platform Module

Direct Anonymous Attestation (Join)

TPM Issuer Commit to

Derive from issuer’s name by TPM

Proves that

Signature on

Secret

Public

DAA certificate

Page 17: TPM: Trusted Platform Module

Direct Anonymous Attestation (Verification)

TPM Verifier1

Zero knowledge proof protocol

TPM proves it knows

TPM Proves the exponent is related

• Used for blacklisting
• Used for linking transactions from the same TPM

Page 18: TPM: Trusted Platform Module

Secure Storage

TPM_Seal(Blob, PCR’)

SKENC

Blob’ = {Blob || PCR’} SKENC
Stores Blob’

TPM_UnSeal(Blob’)
Checks if Current PCR = PCR’ in Blob
If true Blob = Decrypt{Blob’} SKENC
If false return failure

• OS & Apps sealed with MBR’s PCR
• Seal Web Server’s SSL Key
• Microsoft BitLocker
• Blob size is 256 bytes

Page 19: TPM: Trusted Platform Module

DRM – E.g. using TPM counters

TPM_Seal(Blob, PCR’)

SKENC, COUNTER = 0

Blob’ = {Blob || PCR’} SKENC
Stores Blob’

TPM_UnSeal(Blob’)
Checks if Current PCR = PCR’ in Blob && COUNTER < N
If true Blob = Decrypt{Blob’} SKENC, COUNTER++
If false return failure

• Music can be played for 30 days only

Application : Media Player
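The seal/unseal logic of the Secure Storage and DRM slides, as an added software model (not part of the original slides and not a real TPM interface). The class name SimTPM, the max_uses parameter standing in for N, and the HMAC-based toy cipher standing in for encryption under SKENC are all assumptions for illustration.

```python
import hashlib, hmac, os

class SimTPM:
    """Software model of the slides' TPM_Seal / TPM_UnSeal (not a real TPM API)."""
    def __init__(self):
        self._sk_enc = os.urandom(32)   # SK_ENC: storage key, never leaves the chip
        self.pcr = bytes(20)            # one 160-bit PCR
        self.counter = 0                # counter from the DRM slide

    def extend(self, code):
        self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(code).digest()).digest()

    def _mac(self, label, data):
        return hmac.new(self._sk_enc, label + data, hashlib.sha256).digest()

    def _xor(self, nonce, data):
        # Toy stream cipher standing in for encryption under SK_ENC (small blobs only)
        ks = b"".join(self._mac(b"ks", nonce + bytes([i])) for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def seal(self, blob, pcr_required):
        nonce = os.urandom(16)
        ct = self._xor(nonce, pcr_required + blob)   # {Blob || PCR'} under SK_ENC, PCR' stored first
        return nonce + ct + self._mac(b"tag", nonce + ct)

    def unseal(self, sealed, max_uses=None):
        nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", nonce + ct)):
            return None                              # not sealed by this TPM, or modified
        plain = self._xor(nonce, ct)
        if plain[:20] != self.pcr:
            return None                              # current PCR != PCR' in blob
        if max_uses is not None:
            if self.counter >= max_uses:
                return None                          # COUNTER < N failed
            self.counter += 1
        return plain[20:]

def demo():
    tpm = SimTPM()
    tpm.extend(b"media player v1")                   # constructed measurement
    sealed = tpm.seal(b"content key", tpm.pcr)
    plays = [tpm.unseal(sealed, max_uses=2) for _ in range(3)]
    other = SimTPM(); other.extend(b"media player v1")
    moved = other.unseal(sealed)                     # blob copied to another chip
    tpm.extend(b"modified player")
    changed = tpm.unseal(sealed)                     # software stack changed
    return plays, moved, changed
```

In `demo()` the first two unseals return the content key and the third is refused by the counter; the blob is also refused on a second chip with identical PCR contents and on the original chip once the PCR has been extended again.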

Page 20: TPM: Trusted Platform Module

Trusted Software Stack (TSS)

• Standard API for accessing functions of the TPM
• OS Agnostic

http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification

Page 21: TPM: Trusted Platform Module

DATABASE

SERVER TRUSTED HW

6000 PCI 4764/65 SafeXcel

Trusted by the clients
Performs or aids query processing
Can provide Tamper Proofing / Detection
Supports Cryptographic functions (software or hardware based)
Commonly used as accelerators

Trusted Hardware : Introduction

Page 22: TPM: Trusted Platform Module

IBM 4764 (OpenSSL 0.9.7f)

| Function | Context | IBM 4764 (per second) | P4 @ 3.4 GHz (per second) |
|---|---|---|---|
| RSA signature | 1024 bits | 848 | 261 |
| RSA signature | 2048 bits | 316 – 470 | 43 |
| RSA verification | 1024 bits | 1157 – 1242 | 5324 |
| RSA verification | 2048 bits | 976 – 1087 | 1613 |
| SHA-1 | 1 KB | 1.42 MB | 80 MB |
| SHA-1 | 64 KB | 18.6 MB | 120+ MB |
| SHA-1 | 1 MB | 21 – 24 MB | |
| 3DES | 1 KB | 1.08 MB | 18 MB |
| 3DES | 64 KB | 7.73 MB | 17 MB |
| 3DES | 1 MB | 8.56 MB | 15 MB |
| AES 128 | 1 KB | 14+ MB | 100+ MB |
| DMA xfer | end-to-end | 75 – 90 MB | 1+ GB |

Processor: 233 MHz PowerPC
Memory: 32 MB
Crypto H/W engines: AES256, DES, TDES, DSS, SHA-1, MD5, RSA

Tamper resistant and responsive design, FIPS level 4 certified
Limited resources
Synchronous communication channel with host
Hardware crypto engine

Trusted Hardware : Benefits & Limitations

Page 23: TPM: Trusted Platform Module

SCPU - 4764

TrustedDB – Layer 3

PKTDB SKTDB KDATA

OS – Layer 2

PKOS SKOS

Miniboot 1 – Layer 1

PKDEV SKDEV

Miniboot 0 – Layer 0

PKMAN SKMAN

CLIENT

PKCMAN

KDATA

1. Request

2. OA Certificate

3. OA Certificate

PKTDB H(L3CODE) SKOS

PKOS H(L2CODE)

PKDEV H(L1CODE)

SKMAN PKMAN H(L0CODE)

SKDEV

SKCMAN

Outbound Authentication Certificate

PKA : Public Key of A
SKA : Private Key of A
H(M) : Hash of message M

Outbound Authentication [Smith et al.]

SIGMOD 2011 : TrustedDB

Page 24: TPM: Trusted Platform Module

Thank you

Sumeet Bajaj [email protected]

9 Feb 2011 CSE 408