ACN Trusted Computing - Zcu.cz

Trusted ComputingTC/TCG/TCPAReinhard Hutterreinhard.hutter@gmail.com

Terms and definitions TC Trusted Computing TCG Trusted Computing Group, group ofcompanies developing the TC specs TCPA Trusted Computing Platform Alliance,predecessor of TCG TPM Trusted Platform Module, the hardware Palladium, LaGrande, implementations fromvarious companies, are not always covered byTCG specs, but are very close

What is trust? Trust does NOT equal goodness! Trust means that the entity does what it issupposed to do Trust an e-banking software to perform financialoperations correctly But also trust a trojan horse to talk to the villain Official definition by the TCG: An entity canbe trusted if it always behaves in theexpected manner for the intended purpose.

TC fundamentals TCG works in workgroups, suppliesspecifications, others implement them TPM hardware specs, trusted storage specs,trusted network connect, software stack specs, on a PC a TC system consists of hardware andsoftware: TPM, the core hardware device TSS, the TC software stack, the API for developerstaking use of an TPM (and an OS/application using them) Basic functionality: store, measure,report/attest identity

The hardware: TPM (1/3) Low cost chip permanently bound to a platform(PC, cell phone, PDA, ) Provides a random number generator, a RSAengine (up to 2048 bit), a SHA1 engine, alimited, limited secure volatile storage (platformconfiguration registers (PCR) & slots for RSAkeys) and a very limited non-volatile storage (forspecial keys and passwords) Is a slave device: does not perform any actionswithout being asked for it; neither has it accessto any system resources;

The hardware: TPM (2/3) TPM memory is a „shielded location“: datacannot be accessed/manipulated from theoutside TPM provides „protected capabilities“: onchip functions to operate on shieldedlocations and perform operationsnecessary for all TC subsystems Assumption: it is much harder to manipulatehardware than software

The hardware: TPM (3/3) Current Version: TPM 1.2, partlyincompatible to TPM 1.1 (which were thefirst actually sold TPMs), TPM next ( v1.3) to be released soon Manufacturers: Infineon, Atmel, STMicroelectronincs, Mostly found on newer laptops, can beturned on via BIOS, although mostly notused at all

The software: TSS „Low level“ API for programmers to takeadvantage of a TPM, „talks“ to the TPM has to overcome the limitations of the TPM (e.g.swapping keys in & out, encrypting & storingdata on HDD using the TPMs keys) build into Windows Vista, but Vista‘simplementation differs from the official TCG spec „High level“ Java wrapper library available fromIAIK

Taking ownership of a TPM TPM is shipped in an unknown state, owner ofthe platform has to execute the TakeOwnershipcommand by setting the password This creates the Storage Root Key, a RSA keywho never leaves the TPM; all other keys/data(e.g. the RSA key you use for e-banking) areprotected by this key Certain operations require the SRK require theowner password SRK is one of the few keys that are storeddirectly on the non-volatile storage of the TPM

Chain of trust TC uses a „chain of trust“: Root A istrusted a priori, A signs(measures/protects) B, B signs(measures/protects) C, If I trust A (the TPM), and the chain is notbroken, I can trust C Different chains of trust for storage, formeasurement, for reporting

Storage (1/2) root of trust for storage is the SRK all data/keys are in a hierarchical orderwith the SRK on top two methods of storage: Binding: storing data outside the TPM usingpublic keys from the TPM Sealing: combines external data with the stateof the system - encrypt data with a referenceto the state of the system

Storage (2/2)

Measurement (1/2) Intention: measure state of the system/platformand store it as hash values into a PCR does NOT prevent the system to run malware,but owner or verifyer can deny the execution ofyour program/function Root of trust for measurement on PCs: the BIOS Big drawback: nobody knows how to measurethe state of a big system like a PC (how do Imeasure Windows XP? Patches, drivers, )

Measurement (2/2)

Reporting / Attestation / Privacy (1/2) every TPM is a unique device, identifyable to others bythe Endorsement Key (EK) EK is „injected“ by the manufacturer of the TPM,manufacturer has to supply (a X509) certificate for the(RSA) EK uniqueness of EK means privacy problems, ownerbecomes trackable Solution: owner can create Attestation Identy Keys (AIK);a trusted third party supplies a certificate validating yourAIKs Using the unique EK and the EK certificate, a user cancreate different AIKs, signed by a trusted third party, butstill can prove that he is operating on a trusted platform

Reporting / Attestation / Privacy (2/2)

Common criticism Even owner does not get private SRK TPM does nothing until specifically askedfor it – but will developers/companiesmake use of it their own interests? (thinkof DRM, copy protection, customeridentification, ) Technical problem: how do we measurethe state of a large system?

Trusted Network Connect for secure endpoint communication (e.g. ahomeworker accessing his corporate‘snetwork) does not require a explicitly require aTPM, but is a useful application for it

Aim / Purpose Platform authentication Requestor has to prove platform identity and platformintegrity Endpoint Policy Compliance Requestor has to establish a level of trust (e.g. firewallpresent, antivirus up-to-date,.) Policy compliance can be used for authorization whenplatform integrity is used for the authorization decision Assessment, Isolation and Remediation Platforms that don‘t fullfil policies can be isolated fromthe rest of the network

TNC Architecture (1/2) Access Requestor (AR) Entity that wants access to a protected network(„the client“, „the caller“) Policy Enforcement Point (PEP) Grants network access / enforces policies byconsulting the PDP Policy Decision Point (PDP) The entity that grants/declines the AR‘s request(„the server“, „the callee“)

TNC Architecture (2/2)

Open discussion Applications? Privacy? DRM? Treacherous computing?

References Literature: www.trustedcomputing.org www.iaik.tugraz.at/teaching/04 trustedcomputing/index.php Software: TPM Emulator for Linux: http://developer.berlios.de/projects/tpm-emulator/ Trousers TSS: http://sourceforge.net/projects/trousers/ Java-Trousers-Wrapper: trustedjava.sf.net

Questions When speaking of Trusted Computing:What is trust? See slide nr. 3 What does „chain of trust“ mean? See slide nr. 10 Example on slide nr. 12

TC Trusted Computing TCG Trusted Computing Group, group of companies developing the TC specs TCPA Trusted Computing Platform Alliance, predecessor of TCG TPM Trusted Platform Module, the hardware Palladium, LaGrande, implementations from various companies, are not always