PSU CSE 543 - Lecture 16 Trusted Computing


CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security
Lecture 16 - Trusted Computing
October 23, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f0/

What is Trust?
• dictionary.com
  – Firm reliance on the integrity, ability, or character of a person or thing.
• What do you trust?
  – Trust Exercise
• Do we trust our computers?

Trust
• “a system that you are forced to trust because you have no choice” -- US DoD
• “A ‘trusted’ computer does not mean a computer is trustworthy” -- B. Schneier

Trusted Computing Base
• Trusted Computing Base (TCB)
  – Hardware, Firmware, Operating System, etc.
• There is always a level at which we must rely on trust
• How can we shrink the TCB?

Trustworthy Computing
• Microsoft Palladium (NGSCB)

Example of FUD
• Trusted Computing: An Animated Short - http://www.lafkon.net/tc/

Trusted Computing
• Components (according to Wikipedia)
  – Secure I/O
  – Memory Curtaining
  – Sealed Storage
  – Remote Attestation
• Requires hardware support

Trusted Platform Module
• The Trusted Platform Module (TPM) provides hardware support for sealed storage and remote attestation
• What else can it do?
  – www.trustedcomputinggroup.org

Where are the TPMs?

TPM Component Architecture
[Figure: block diagram with the components Non-Volatile Storage, Platform Configuration Register (PCR), Attestation Identity Key (AIK), Program Code, Random Number Generator, SHA-1 Engine, Key Generation, RSA Engine, Opt-In, Exec Engine, I/O]

TPM Discrete Components
• Input/Output (I/O)
  – Allows the TPM to communicate with the rest of the system
• Non-Volatile Storage
  – Stores long term keys for the TPM
• Platform Configuration Registers (PCRs)
  – Provide state storage
• Attestation Identity Keys (AIKs)
  – Public/Private keys used for remote attestation
• Program Code
  – Firmware for measuring platform devices
• Random Number Generator (RNG)
  – Used for key generation, nonce creation, etc.

TPM Discrete Components
• SHA-1 Engine
  – Used for computing signatures, creating key Blobs, etc.
• RSA Key Generation
  – Creates signing keys, storage keys, etc. (2048 bit)
• RSA Engine
  – Provides RSA functions for signing, encryption/decryption
• Opt-In
  – Allows the TPM to be disabled
• Execution Engine
  – Executes Program Code, performing TPM initialization and measurement taking

Tracking State
• Platform Configuration Registers (PCRs) maintain state values.
• A PCR can only be modified through the Extend operation
  – Extend(PCR[i], value) :
    • PCR[i] = SHA1(PCR[i] . value)
• The only way to place a PCR into a state is to extend it a certain number of times with specific values
[Figure: Measurement Flow (Transitive Trust): BIOS Self Measurement, OS Loader Code, OS Code, Application Code]

Secure vs. Authenticated Boot
• Secure boot stops execution if measurements are not correct
• Authenticated boot measures each boot state and lets remote systems determine if it is correct
• The Trusted Computing Group architecture uses authenticated boot

Protected Storage
• The TPM has limited storage capacity
  – Key pairs are commonly stored on the system, but are encrypted by a storage key
• Users can protect data by allowing the TPM to control access to the symmetric key
• Access to keys can be sealed to a particular PCR state

Public/Private Keys
• Endorsement Key (EK)
  – Only one EK pair for the lifetime of the TPM
  – Usually set by manufacturer
  – Private portion never leaves the TPM
• Storage Root Key (SRK)
  – Created as part of creating a new platform owner
  – Used for protected storage
  – Manages other keys, e.g., storage keys
  – Private portion never leaves the TPM
• Attestation Identity Keys (AIKs)
  – Used for remote attestation
  – The TPM may have multiple AIKs

Key Distribution
• Before remote attestation can occur, the challenger must have either knowledge of the public portion of an AIK, or a CA’s public key
• Old standards required the Privacy CA to know the TPM’s PUBlic Endorsement Key (PUBEK)
• Direct Anonymous Attestation (DAA), added to the latest specifications, uses a zero-knowledge proof to ensure the TPM is real
[Figure: four numbered message exchanges among TPM, Privacy CA and Challenger, labelled AIK+; SigCA- {AIK+, ...}; {CA+}; SigAIK- {PCR}, SigCA- {AIK+, ...}]

Using TCG
• Justify System Integrity
• Approaches
  – Trusted Platform on Demand (TPoD)
    • IBM Research Tokyo
  – Linux Integrity Measurement Architecture
    • Sailer et al. (USENIX Security 2004)
  – BIND: A Fine-grained Attestation Service for Secure Distributed Systems
    • Shi et al. (IEEE S&P 2005)
• Network Authentication
  – Trusted Network Connect (TNC)
    • www.trustedcomputinggroup.org

Integrity Measurement Problem
• IPsec and SSL provide secure communication
  – But with whom am I talking?
[Figure labels: Secure Channel; On-Demand / Grid; Secure Domains; B2B Application; Thin-Client]

Integrity Measurement Architecture
[Figure: Execution Flow and Measurement Flow; Defined by TCG (Platform specific); Defined by Grub (IBM Tokyo Research Lab); TCG-based Integrity Measurement Architecture; Platform Configuration Registers 0-23, with ranges 0-7, 4-7, >= 8]

Basic Idea
Analysis; System-Representation; Signed TPM Aggregate; SHA1(Boot
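
The Extend operation from the Tracking State slide and the challenger's side of authenticated boot, as an added example that is not part of the original slides. The stage contents, the KNOWN_GOOD table and the 20-zero-byte starting PCR are assumptions, and the AIK signature over the reported PCR is left out.

```python
import hashlib

ZERO_PCR = bytes(20)  # assumption: PCR starts as 20 zero bytes (SHA-1 digest size)

def extend(pcr, value):
    """Extend(PCR[i], value): PCR[i] = SHA1(PCR[i] . value)"""
    return hashlib.sha1(pcr + value).digest()

def boot(chain):
    """Authenticated boot: measure each stage, log it, extend, keep going."""
    pcr, log = ZERO_PCR, []
    for name, code in chain:
        digest = hashlib.sha1(code).digest()  # the measurement of this stage
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def verify(reported_pcr, log, known_good):
    """Challenger: replay the log into a fresh PCR, then judge each entry."""
    pcr = ZERO_PCR
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return "log does not match PCR"
    bad = [name for name, digest in log if known_good.get(name) != digest]
    return "trusted" if not bad else "unexpected: " + ", ".join(bad)

# Constructed sample stages, named after the measurement-flow slide.
GOOD_CHAIN = [("BIOS", b"bios v1"), ("OS Loader Code", b"loader v1"),
              ("OS Code", b"kernel v1"), ("Application Code", b"app v1")]
KNOWN_GOOD = {n: hashlib.sha1(c).digest() for n, c in GOOD_CHAIN}

if __name__ == "__main__":
    pcr, log = boot(GOOD_CHAIN)
    print(pcr.hex(), verify(pcr, log, KNOWN_GOOD))
    # Constructed modification of one stage; boot still completes.
    modified = [(n, c + b" patched") if n == "OS Code" else (n, c)
                for n, c in GOOD_CHAIN]
    mod_pcr, mod_log = boot(modified)
    print(verify(mod_pcr, mod_log, KNOWN_GOOD))  # the changed stage is reported
    print(verify(mod_pcr, log, KNOWN_GOOD))      # a clean log cannot explain the PCR
```

Because each PCR value depends on every earlier extend, a platform that ran a modified stage can either report it honestly or present a log that no longer replays to the reported PCR.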

