
TPM: Trusted Platform Module

Sumeet Bajaj sbajaj@cs.stonybrook.edu

9 Feb 2011 CSE 408

Introduction

Attestation of a remote platform: the Verifier sends a verification request to the Platform and receives verification data back. Two goals:
- identify the specific platform;
- verify the software stack on the remote platform.

[Figure: Verifier <-> Platform, with "verification request" and "verification data" arrows.]

Use Case

Corporate network: a user system connects, and the network verifies the user system.

TPM

Trusted Platform Module: a secure crypto-processor.

Uses:
- Remote attestation
- Binding, sealing: data encryption

Applications: platform integrity, disk encryption, password protection, digital rights management, software licenses.
[Figure: the same Verifier / Platform exchange (verification request, verification data), now with a TPM deployed on the remote platform.]

TPM Specification

Covers the design, structure, and commands of the TPM.

No TPMs in China, Russia, Belarus, Kazakhstan.

TPM Chips

[Figures: TPM chips; a TPM example.]

300 Million PCs have shipped with a chip called the Trusted Platform Module (TPM)

TPM Specification v1.1 (184 pages)

- TPM architecture
- TPM operation, including initialization, self-test modes, startup, enabling, disabling, etc.
- Commands for all operations, e.g. key generation, PCR extension
- Processes for key generation and management
- Cryptographic processes, e.g. random number generation
- FIPS 140-2 certification

FIPS: Federal Information Processing Standard. The FIPS 140-2 security levels:
- Level 1: the lowest, imposes very limited requirements; loosely, all components must be "production-grade".
- Level 2: adds requirements for physical tamper-evidence and role-based authentication.
- Level 3: adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module), for identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.
- Level 4: makes the physical security requirements more stringent and requires robustness against environmental attacks.

TPM Architecture

PCR (Platform Configuration Register)
- 160 bits (one SHA-1 digest)
- Minimum of 16 PCRs
- Store integrity metrics
- Cannot be overwritten, only extended:

PCRi_new = HASH(PCRi_old || value to add)

- Unlimited number of measurements: every extend folds one more value into the fixed-size register
- Measurements are ordered: the same values extended in a different order give a different PCR value
- If the TPM is disabled, PCR extend still works, but returns 0s

TCG Boot Process

Each stage measures the code of the next stage into a PCR before handing control to it. H is SHA-1, and PCRx = 0 at power-on.

BIOS Boot Block:   PCR_Extend(n, <BIOS CODE>)   PCRx = H(PCRx || <BIOS Code>)
BIOS:              PCR_Extend(n, <MBR CODE>)    PCRx = H(PCRx || <MBR Code>)
MBR/OS Loader:     PCR_Extend(n, <OS CODE>)     PCRx = H(PCRx || <OS Code>)
Operating System:  PCR_Extend(n, <APP CODE>)    PCRx = H(PCRx || <APP Code>)
Application

H : SHA-1
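The boot chain above, as an added Python example that is not code from the slides: the stage images are constructed byte strings, and the names pcr_extend, measured_boot, replay and check_report are chosen here. Besides the chain itself it shows what the verifier does with the result: it replays the event log, compares the recomputed value with the reported PCR, and only then looks the PCR up in a set of known-good values.

```python
"""Measured boot as on the TCG boot-process slide. Added example, not from the slides;
the stage images are constructed byte strings, not real firmware."""
import hashlib

PCR_INIT = bytes(20)   # a PCR is a 160-bit SHA-1 register, all zeros at power-on


def pcr_extend(pcr, value):
    """PCR_new = H(PCR_old || value), H = SHA-1. Extend is the only write a PCR allows:
    nothing can set it directly, so a later stage cannot erase an earlier measurement."""
    return hashlib.sha1(pcr + value).digest()


def measure(code):
    """The 'value to add' for a stage: a SHA-1 digest of its code image."""
    return hashlib.sha1(code).digest()


def measured_boot(stages):
    """BIOS Boot Block -> BIOS -> MBR/OS loader -> OS -> application: each stage measures
    the next one into the PCR before passing control to it. Returns (final PCR, event log);
    the log records (stage name, digest) in the order they were extended."""
    pcr, log = PCR_INIT, []
    for name, code in stages:
        digest = measure(code)
        pcr = pcr_extend(pcr, digest)   # PCR_Extend(n, <CODE>)
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def check_report(reported_pcr, log, known_good):
    """What a verifier does with a reported PCR and the event log that came with it."""
    if replay(log) != reported_pcr:
        return "event log does not reproduce the reported PCR"
    if reported_pcr not in known_good:
        return "unknown software stack"
    return "ok"


# Constructed stand-ins for the real stage images.
GOOD_STAGES = [
    ("BIOS", b"bios image 1.02"),
    ("MBR", b"boot loader core.img"),
    ("OS", b"vmlinuz-2.6.38"),
    ("APP", b"media-player 3.1"),
]


def demo():
    golden, log = measured_boot(GOOD_STAGES)
    known_good = {golden}                         # the verifier's DB of expected PCR values
    # One changed byte in the OS image changes the final PCR.
    tampered = [(n, c.replace(b"2.6.38", b"2.6.39")) for n, c in GOOD_STAGES]
    # The same four measurements in a different order: a different PCR (ordering matters).
    swapped = [GOOD_STAGES[0], GOOD_STAGES[1], GOOD_STAGES[3], GOOD_STAGES[2]]
    return {
        "golden_ok": check_report(golden, log, known_good),
        "tampered": check_report(*measured_boot(tampered), known_good),
        "swapped": check_report(*measured_boot(swapped), known_good),
        # Dropping a stage from the log to hide it cannot make the log match the PCR.
        "hidden_stage": check_report(golden, log[:-1], known_good),
        "order_matters": measured_boot(swapped)[0] != golden,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The log-replay step is the one practitioners most often skip: a PCR value alone says only "some sequence of measurements produced this digest"; the event log says which ones, and the replay proves the log is the sequence that produced it.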

Root of Trust

Root of Trust in Integrity Measurement: the BIOS Boot Block, the first code to run. It starts the chain of measuring and extending PCRs:

BIOS Boot Block -> BIOS -> MBR/OS Loader -> Operating System -> Application

Root of Trust in Integrity Reporting: the TPM, which holds the PCRs and signs the values it reports.

Simple Attestation Method

Keys held by the TPM:
- PKTPM & SKTPM: the Endorsement Key (EK). The EK is one-time unique per TPM.
- PKAIK & SKAIK: an Attestation Identity Key (AIK). An AIK can be used anew for each attestation.

Parties: the Platform (application A, which generates PKA & SKA, and the TPM), the Verifier, and the Verifier's DB of known-good PCR values.

1) A issues Read_PCR to the TPM.
2) The TPM returns {PCR}SKAIK, the PCR value signed with the AIK.
3) A sends Cert{PKAIK}SKTPM and {PCR}SKAIK to the Verifier.
4) ...
5) The Verifier verifies the signatures.
6) The Verifier looks up #A in the DB (Lookup PCR) and, if the PCR is a known-good value, answers ok.
7) ...

Problem! Does not protect user privacy: to check Cert{PKAIK}SKTPM the Verifier needs PKTPM, which is unique to the TPM, so every attestation identifies the platform no matter how often the AIK changes.

Solution: single key pair for all TPMs

The Manufacturer generates one PKTPM & SKTPM and puts the same SKTPM into every TPM; every platform then presents the same key to the Verifier, so the Verifier learns nothing about which platform it is.

Problem! Legitimate TPMs cannot be identified from fake ones: a secret shared by every chip is only as safe as the least protected chip that holds it.

Solution: Certificate Authority (TPM v1.1)

A Privacy Certification Authority (CA) keeps the list of endorsement public keys of genuine TPMs: PKTPM1, PKTPM2, .., PKTPMn.

1. The TPM (EK: PKTPM & SKTPM; attestation key: PKAIK & SKAIK) sends Cert{PKAIK}SKTPM to the CA.
2. The CA searches for PKTPM in its list. A rogue TPM's key is removed from the list, so it fails this step.
3. The CA returns Cert{PKAIK}SKCA.
4. The Verifier sends a verification request.
5. The TPM answers with Cert{PKAIK}SKCA. The Verifier checks the CA's signature and never sees PKTPM.

Problem! Scale (every AIK of every TPM has to go through the CA) and collusion (the CA saw both PKTPM and PKAIK, so a CA that colludes with a Verifier can link an attestation back to the TPM).
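The simple attestation method and the Privacy CA variant above, as one added Python model that is not code from the slides or from any TPM software stack. Textbook RSA (no padding, illustration only) stands in for the TPM's RSA engine; the names Tpm, PrivacyCa, verify_simple and verify_with_ca are chosen here; the known-good PCR set and the verifier nonce are constructed. The model shows the privacy leak of the simple method (two attestations with fresh AIKs are still linkable through PKTPM), what the Privacy CA changes for the verifier, and how striking an EK from the CA's list stops further certificates.

```python
"""Simple attestation and the Privacy CA variant, modelled in Python. Added example, not from the
slides: textbook RSA stands in for the TPM's RSA engine, the known-good PCR set is constructed."""
import hashlib
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin on a large odd candidate: fine for an illustration, not for real keys."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if _is_probable_prime(c):
            return c

def keygen(bits=512):
    """Toy textbook RSA, no padding: returns public (e, n) and private (d, n)."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if (p - 1) * (q - 1) % e:                # e must be invertible mod phi(n)
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def sign(sk, msg):
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), sk[0], sk[1])

def verify(pk, msg, sig):
    return pow(sig, pk[0], pk[1]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def encode_pk(pk):
    return pk[0].to_bytes(4, "big") + pk[1].to_bytes(64, "big")

class Tpm:
    def __init__(self):
        self.ek_pk, self.ek_sk = keygen()   # Endorsement Key: one per TPM, fixed for life
        self.pcr = bytes(20)                # one SHA-1 PCR, zero at power-on
    def extend(self, digest):
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
    def attest(self, nonce):
        """Steps 1-3: a fresh AIK, Cert{PK_AIK}_SK_TPM (the EK vouches for the AIK) and the
        quote {PCR || nonce}_SK_AIK. The verifier's nonce stops replay of an old quote."""
        aik_pk, aik_sk = keygen()
        return aik_pk, sign(self.ek_sk, encode_pk(aik_pk)), sign(aik_sk, self.pcr + nonce)

def verify_simple(ek_pk, aik_pk, aik_cert, quote, pcr, nonce, good_pcrs):
    """Steps 5-6 of the simple method: returns (accepted, what the verifier learned). Checking
    Cert{PK_AIK}_SK_TPM needs PK_TPM, unique per TPM, so every attestation identifies the platform."""
    ok = verify(ek_pk, encode_pk(aik_pk), aik_cert) and verify(aik_pk, pcr + nonce, quote)
    return ok and pcr in good_pcrs, hashlib.sha256(encode_pk(ek_pk)).hexdigest()[:16]

class PrivacyCa:
    def __init__(self, genuine_ek_pks):
        self.pk, self.sk = keygen()
        self.genuine = {encode_pk(pk) for pk in genuine_ek_pks}   # PK_TPM1 .. PK_TPMn
    def revoke(self, ek_pk):
        self.genuine.discard(encode_pk(ek_pk))   # remove a rogue TPM's key from the list
    def certify(self, ek_pk, aik_pk, aik_cert):
        """Steps 1-3: a listed EK with a valid AIK certificate gets Cert{PK_AIK}_SK_CA."""
        if encode_pk(ek_pk) not in self.genuine or not verify(ek_pk, encode_pk(aik_pk), aik_cert):
            return None
        return sign(self.sk, encode_pk(aik_pk))

def verify_with_ca(ca_pk, aik_pk, ca_cert, quote, pcr, nonce, good_pcrs):
    """Step 5 with a Privacy CA: the verifier trusts the CA's signature and never sees PK_TPM."""
    return (verify(ca_pk, encode_pk(aik_pk), ca_cert)
            and verify(aik_pk, pcr + nonce, quote) and pcr in good_pcrs)

def demo():
    random.seed(408)                      # repeatable keys for the example; a real TPM has its own RNG
    tpm = Tpm()
    tpm.extend(hashlib.sha1(b"OS image v1").digest())
    good_pcrs, nonce = {tpm.pcr}, bytes(range(16))   # constructed known-good DB and verifier nonce
    # Simple method, two attestations with fresh AIKs: both accepted, both expose the same EK.
    runs = [verify_simple(tpm.ek_pk, *tpm.attest(nonce), tpm.pcr, nonce, good_pcrs) for _ in range(2)]
    # Privacy CA: the verifier accepts on Cert{PK_AIK}_SK_CA alone.
    ca = PrivacyCa([tpm.ek_pk])
    aik_pk, aik_cert, quote = tpm.attest(nonce)
    ca_cert = ca.certify(tpm.ek_pk, aik_pk, aik_cert)
    ca_ok = verify_with_ca(ca.pk, aik_pk, ca_cert, quote, tpm.pcr, nonce, good_pcrs)
    ca.revoke(tpm.ek_pk)                  # a rogue TPM's key is struck from the list
    return {"simple_ok": runs[0][0] and runs[1][0],
            "simple_linkable": runs[0][1] == runs[1][1],
            "ca_ok": ca_ok,
            "revoked_certified": ca.certify(tpm.ek_pk, *tpm.attest(nonce)[:2]) is not None}
```

Two things the model makes visible that the slides leave implicit: the quote must cover a verifier-chosen nonce, or an old signed PCR can be replayed after the platform has been modified; and the Privacy CA only hides PKTPM from the Verifier, not from itself, which is exactly the collusion problem.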

Direct Anonymous Attestation (DAA), TPM Spec 1.2

Ernie Brickell (Intel), Jan Camenisch (IBM), Liqun Chen (HP). Based on the Camenisch-Lysyanskaya anonymous credential system.

Direct Anonymous Attestation:
- without a TTP;
- does not reveal the signer's identity;
- proves that a claim comes from a TPM.

[Figure] A TPM holding SKAIK1 and SKAIK2 sends DAA{SKAIK1} to Verifier1 and DAA{SKAIK2} to Verifier2. Verifier1 can tell SKAIK1 is from a TPM, but not which one; Verifier2 can tell SKAIK2 is from a TPM, but not which one; and the two cannot tell whether SKAIK1 & SKAIK2 are from the same TPM.

Direct Anonymous Attestation (Join)

[Figure; the formulas were not recovered.] The TPM commits to its secret value and sends the commitment to the Issuer; the TPM proves that the commitment is well formed; the Issuer returns its signature on the DAA certificate. The secret values stay in the TPM; the public values are derived from the issuer's name by the TPM.

Direct Anonymous Attestation (Verification)

A zero-knowledge proof protocol between the TPM and Verifier1 (formulas not recovered):
- the TPM proves it knows its certified secret without revealing it;
- the TPM proves the exponent is related to that secret; this related value is used for blacklisting and for linking transactions from the same TPM when linking is wanted.

Secure Storage

The TPM holds a storage key SKENC.

TPM_Seal(Blob, PCR): the TPM stores Blob = {Blob || PCR}SKENC, the data encrypted together with the PCR value it is bound to.

TPM_UnSeal(Blob): the TPM checks whether the current PCR equals the PCR in the Blob.
- If true: Blob = Decrypt{Blob}SKENC is returned.
- If false: return failure.

Uses: OS & apps sealed with the MBR's PCR; sealing a web server's SSL key; Microsoft BitLocker. Blob size is 256 bytes.

DRM, e.g. using TPM counters

Application: media player. The licence state, SKENC-sealed with COUNTER = 0:

TPM_Seal(Blob, PCR): the TPM stores Blob = {Blob || PCR}SKENC.

TPM_UnSeal(Blob): checks if the current PCR = PCR in Blob.
- If true and COUNTER < N: Blob = Decrypt{Blob}SKENC, COUNTER++.
- If false: return failure.

Example policy: music can be played for 30 days only.
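TPM_Seal / TPM_UnSeal and the counter-based DRM check of the two slides above, as one added Python model (not code from the slides or from any TPM stack). A SHA-256 keystream with an HMAC tag stands in for SKENC encryption, the TPM's monotonic counter is modelled as an integer that only increments, and the names Tpm, issue_licence and play are chosen here. It goes one step beyond the slide: the play limit is tied to the TPM's monotonic counter rather than to a COUNTER that is re-sealed after each play, so restoring a saved copy of the sealed blob does not give the plays back.

```python
"""TPM_Seal / TPM_UnSeal bound to a PCR, and a DRM play counter on top. Added example, not
from the slides. Assumptions: a SHA-256 keystream plus HMAC stands in for the TPM's storage-key
encryption, and the TPM's monotonic counter is a plain integer that only ever increments."""
import hashlib
import hmac
import os

PCR_LEN = 20          # SHA-1 PCRs
NONCE_LEN = 16
TAG_LEN = 32


class SealError(Exception):
    pass


def _keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode). Stand-in only; use AES-GCM in real code."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class Tpm:
    def __init__(self, sk_enc):
        self.sk_enc = sk_enc          # SKENC: never leaves the chip
        self.pcr = bytes(PCR_LEN)
        self.counter = 0              # monotonic counter: survives reboots, never decrements

    def extend(self, digest):
        self.pcr = hashlib.sha1(self.pcr + digest).digest()

    def reboot(self):
        self.pcr = bytes(PCR_LEN)     # PCRs reset at power-on; the counter does not

    def seal(self, blob):
        """TPM_Seal(Blob, PCR): store {Blob || PCR}_SKENC, authenticated so it cannot be edited."""
        nonce = os.urandom(NONCE_LEN)
        ct = _keystream_xor(self.sk_enc, nonce, blob + self.pcr)
        tag = hmac.new(self.sk_enc, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, sealed):
        """TPM_UnSeal: decrypt only if the current PCR equals the PCR sealed into the blob."""
        nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.sk_enc, nonce + ct, hashlib.sha256).digest()):
            raise SealError("blob corrupted or forged")
        plain = _keystream_xor(self.sk_enc, nonce, ct)
        blob, sealed_pcr = plain[:-PCR_LEN], plain[-PCR_LEN:]
        if not hmac.compare_digest(sealed_pcr, self.pcr):
            raise SealError("PCR mismatch: different software stack")
        return blob


# DRM on top of sealing: a licence good for N plays.
def issue_licence(tpm, content_key, plays):
    """Seal {content key, counter value at issue, N}. Tying the limit to the TPM's monotonic
    counter, instead of sealing COUNTER = 0 and re-sealing after each play, means a saved copy
    of the blob cannot be restored to get the plays back."""
    return tpm.seal(content_key + tpm.counter.to_bytes(8, "big") + plays.to_bytes(4, "big"))


def play(tpm, licence):
    """One play: unseal (PCR must match), check COUNTER < N, then bump the hardware counter."""
    blob = tpm.unseal(licence)
    content_key = blob[:-12]
    issued, plays = int.from_bytes(blob[-12:-4], "big"), int.from_bytes(blob[-4:], "big")
    if tpm.counter - issued >= plays:
        raise SealError("licence exhausted")
    tpm.counter += 1                  # increment the monotonic counter: irreversible
    return content_key


def _failure(action):
    """Run an action and return the SealError message it raises, or None if it succeeds."""
    try:
        action()
        return None
    except SealError as err:
        return str(err)


def demo():
    tpm = Tpm(os.urandom(32))
    tpm.extend(hashlib.sha1(b"media-player 3.1").digest())   # constructed stage measurement
    licence = issue_licence(tpm, b"\x11" * 16, plays=3)
    backup = licence                  # the attacker keeps a copy of the sealed blob
    out = {"plays": 0}
    for _ in range(3):
        if play(tpm, licence) == b"\x11" * 16:
            out["plays"] += 1
    out["fourth_play"] = _failure(lambda: play(tpm, licence))
    out["restored_backup"] = _failure(lambda: play(tpm, backup))
    tpm.reboot()
    tpm.extend(hashlib.sha1(b"patched player with no limit").digest())
    out["other_stack"] = _failure(lambda: play(tpm, licence))
    return out
```

The sealed blob is also authenticated: without the tag, an attacker who can flip bits in the ciphertext could try to turn the sealed PCR or N into something else without the key, because a stream cipher alone does not detect modification.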

Trusted Software Stack (TSS)

Standard API for accessing the functions of the TPM; OS agnostic.

http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification

Trusted Hardware: Introduction

Examples: 6000 PCI, 4764/65, SafeXcel.

[Figure: CLIENT -> SERVER, which hosts a DATABASE and a TRUSTED HW module.] The trusted hardware:
- is trusted by the clients;
- performs or aids query processing;
- can provide tamper proofing / detection;
- supports cryptographic functions (software or hardware based);
- is commonly used as an accelerator.

Trusted Hardware: Benefits & Limitations

IBM 4764: processor 233 MHz PowerPC; memory 32 MB; crypto hardware engines for AES-256, DES, TDES, DSS, SHA-1, MD5, RSA.

Throughput per second, OpenSSL 0.9.7f context (one P4 SHA-1 entry was not recovered from the extracted table):

Function                      IBM 4764       P4 @ 3.4 GHz
RSA signature, 1024 bits      848            261
RSA signature, 2048 bits      316-470        43
RSA verification, 1024 bits   1157-1242      5324
RSA verification, 2048 bits   976-1087       1613
SHA-1, 1 KB                   1.42 MB        80 MB
SHA-1, 64 KB                  18.6 MB        120+ MB
SHA-1, 1 MB                   21-24 MB       (not recovered)
3DES, 1 KB                    1.08 MB        18 MB
3DES, 64 KB                   7.73 MB        17 MB
3DES, 1 MB                    8.56 MB        15 MB
AES-128, 1 KB                 14+ MB         100+ MB
DMA transfer, end-to-end      75-90 MB       1+ GB

IBM 4764:
- Tamper resistant and tamper responsive design, FIPS level 4 certified
- Limited resources
- Synchronous communication channel with the host
- Hardware crypto engine

Outbound Authentication [Smith et al.]

Software layers of the secure coprocessor (SCPU, IBM 4764), each with its own key pair:
- Layer 0, Miniboot 0: PKMAN, SKMAN
- Layer 1, Miniboot 1: PKDEV, SKDEV
- Layer 2, OS: PKOS, SKOS
- Layer 3, TrustedDB: PKTDB, SKTDB, and the data key KDATA

Each layer certifies the next one, binding the next layer's public key to the hash of its code:
- {PKMAN, H(L0CODE)} signed with SKCMAN (the manufacturer's certification key)
- {PKDEV, H(L1CODE)} signed with SKMAN
- {PKOS, H(L2CODE)} signed with SKDEV
- {PKTDB, H(L3CODE)} signed with SKOS

The CLIENT holds PKCMAN and KDATA. 1. Request; 2. OA Certificate produced inside the SCPU; 3. OA Certificate returned to the client, which verifies the chain from PKCMAN down to PKTDB and H(L3CODE).

Notation: PKA: public key of A; SKA: private key of A; H(M): hash of message M.

Outbound Authentication Certificate

[Figure: an outbound authentication certificate.]

SIGMOD 2011: TrustedDB

Thank you