Trusted Computing

Agenda

Why Trusted Computing

The Trusted Computing Architecture

Uses of Trusted Computing

Issues with Trusted Computing

Trusted Computing in practice

Details: 3rd party attestation

Agenda

Why Trusted Computing

The Trusted Computing Architecture

Uses of Trusted Computing

Issues with Trusted Computing

Trusted Computing in practice

Details: 3rd party attestation

Trusted Computing

Trust (RFC 4949): A feeling of certainty (sometimes

based on inconclusive evidence) either (a) that the

system will not fail or (b) that the system meets its

specifications (i.e., the system does what it claims to do

and does not perform unwanted functions)

When approaching a PC, do we have this feeling?

Lack of Trust

Mutability

– Data

– Applications and libraries

– Device drivers

– Kernel components

– And… the BIOS

“Least privilege” principle is ignored

– Administrator privileges

Huge amounts of trusted code

Secure development principles are not applied

Trusted Computing Group

[An] organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices

Implicitly: software alone will not do

Established (as TCPA) 1999

TPM 1.0 published Feb. 2001

TNC work started 2004

Around 200 member companies

www.trustedcomputing.org

Agenda

Why Trusted Computing

The Trusted Computing Architecture

Uses of Trusted Computing

Issues with Trusted Computing

Trusted Computing in practice

Details: 3rd party attestation

Trusted Computing Architecture

TPM (Trusted Platform Module): a tamper-resistant hardware module

mounted in a platform.

Responsible for: measurement, storage, reporting and policy enforcement

Protected

Code TPM

Boot Process

Operating System

App1 App2 App3

Encrypted

Files

Roots of Trust

A Root of Trust is a component that must behave as

expected, because its misbehavior cannot be detected

– A piece of code

Root of Trust for Measurement: the component that can

be trusted to reliably measure and report to the Root of Trust

for Reporting what software executes at the start of platform

boot

Root of Trust for Reporting: the component that can be

trusted to report reliable information about the platform

Root of Trust for Storage: the component that can be

trusted to securely store any quantity of information

A Chain of Trust (Illustrate with Possible

Attack Scenarios)

The core idea of the Trusted Computing architecture

Each stage measures and validates the next one

– Measurements go into Platform Configuration Registers

(PCRs) on the TPM

The chain starts with the hardware TPM

Then software:

– RTM, TPM Software Stack, BIOS, kernel

– Applications?

At the end, the entire platform is verified to be in a

trusted state

TC Cryptographic Capabilities

SHA-1, HMAC – Hashed message authentication code

Physical random number generation – An important feature in itself

Asymmetric key generation – 2048-bit RSA

Asymmetric crypto encryption/decryption and signing – RSA PKCS#1

Bulk symmetric crypto is performed off-chip – For example, disk encryption

Reasons: price, export considerations

This is no high performance crypto chip!

Agenda

Why Trusted Computing

The Trusted Computing Architecture

Uses of Trusted Computing

Issues with Trusted Computing

Trusted Computing in practice

Details: 3rd party attestation

Uses of Trusted Computing

Data protection: storage of secrets

– TPM unseals storage keys only if the platform is in a trusted state

Detecting unwanted changes to a machine’s configuration

– Secure boot

The next three require “3rd party attestation”

– Protocol described later

Checking client integrity on a local network

– E.g. before the client is allowed into the network

– Or by each network server

Verifying the trustworthiness of a “kiosk”

– By a remote server

– By a local smartcard

Machine authentication for remote access

Trusted Computing in Practice

TPM exists on a very large percentage of desktops and

laptops

– On your computer, too

But it is disabled by default

So it is rarely used

– Even innocuous functionality like RNG is blocked!

Microsoft was expected to enhance TC functionality in Vista

– But only made a small step with BitLocker

– Better with Windows 7 and 8

Apple used TPM once to ensure its new OS only runs on its

own “beta” machines

– But this is the wrong way around!

Agenda

Why Trusted Computing

The Trusted Computing Architecture

Uses of Trusted Computing

Issues with Trusted Computing

Trusted Computing in practice

Details: 3rd party attestation

Remote Attestation

Three phases

Measurement: machine to be attested must measure its

properties locally

Attestation: transfer measurements from machine being

attested to remote machine

Verification: remote machine examines measurements

transferred during attestation and decides whether they

are valid and acceptable

Linux Integrity Measurement

What is the Purpos of Nonce? (Important)

Linux Verification

Dynamic Root of Trust (During

Runtime)

Special CPU instruction

Reset PCRs

First measurement made by hardware

Check if correct and proceed in further measurements

Otherwise DRT was modified and not safe to use

Used for run trusted Virtual Machine, since measuring

all of software during startup is impossible and the same

software can be attacked later

Summary

Trusted Computing tries to solve one of the top

problems in today’s computing

It builds a complex and interesting architecture, using

innovative hardware components

The in-built conflict between proven security and privacy

has not been resolved, and maybe cannot be

TC is making small steps forward, will it ever see

widespread use?