1TCG:Trusted Computing GroupDan BonehCS 155Spring 2006BackgroundTCG consortium. Founded in 1999 as TCPA. Main players (promotors): (>200 members) AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, SunGoals: Hardware protected (encrypted) storage: Only “authorized” software can decrypt data e.g.: protecting key for decrypting file system Secure boot: method to “authorize” software Attestation: Prove to remote server what software is running on my machine.TCG: changes to PC or cell phoneExtra hardware: TPM Trusted Platform Module (TPM) chip Single 33MhZ clock. TPM Chip vendors: (~7$) Atmel, Infineon, National, STMicro Intel D875GRH motherboardSoftware changes: BIOS OS and AppsTPMs in the real worldSystems containing TPM chips: Lenovo (IBM) Thinkpads and desktops Fujitsu lifebook HP desktop and notebooksSoftware using TPMs: File/disk encryption: Vista, IBM, HP, Softex Attestation for enterprise login: Cognizance, Wave Client-side single sign on: IBM, Utimaco, WaveTPM 101 What the TPM does How to use itComponents on TPM chipI/OCrypto Engine:RSA, SHA-1, HMAC, RNGNon Volatile Storage(> 1280 bytes)PCR Registers(≥16 registers)OtherJunkRSA: 1024, 2048 bit modulusSHA-1: Outputs 20 byte digest2PCR: the heart of the matterPCR: Platform Configuration Registers Lots of PCR registers on chip (at least 16) Register contents: 20-byte SHA-1 digest (+junk)Updating PCR #n : TPM_Extend(n,D): PCR[n] ← SHA-1 ( PCR[n] || D ) TPM_PcrRead(n): returns value(PCR(n))PCRs initialized to default value (e.g. 0) at boot time TPM can be told to restore PCR values viaTPM_SaveState and TPM_Startup(ST_STATE)Using PCRs: the TCG boot processAt power-up PCR[n] initialized to 0BIOS boot block executes Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot codeBIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB.MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader…and so onIn a diagramBIOS boot blockBIOSOS loaderOSApplicationTPMHardwareRoot of trust in integrity measurementRoot of trust in integrity reportingmeasuringExtend PCR• After boot, PCRs contain hash chain of booted software• Collision resistance of SHA1 (?) ensures commitmentExample: Trusted GRUB (IBM’05)What PCR # to use and what to measure specified in GRUB config fileUsing PCR values after bootApplication 1: encrypted (a.k.a sealed) storage.Step 1: TPM_TakeOwnership( OwnerPassword, … ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again: Ownership Enabled flag ← False Done once by IT department or laptop owner.(optional) Step 2: TPM_CreateWrapKey Create more RSA keys on TPM certified by SRK Each key identified by 32-bit keyhandleProtected StorageMain Step: Encrypt data using RSA key on TPM TPM_Seal (some) Arguments: keyhandle: which TPM key to encrypt with KeyAuth: Password for using key `keyhandle’ PcrValues: PCRs to embed in encrypted blob data block: at most 256 bytes (2048 bits) Used to encrypt symmetric key (e.g. AES) Returns encrypted blob.Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal will fail othrwise3Protected StorageEmbedding PCR values in blob ensures that only certain apps can decrypt data. e.g.: Messing with MBR or OS kernel will change PCR values.Why can’t attacker disable TPM until after boot, then extend PCRs with whatever he wants? Root of trust: BIOS boot block.Gaping hole: role-back attack on encrypted blobs e.g. undo security patches without being noticed. Can be mitigated using Data Integrity Regs (DIR)Sealed storage: applicationsLock software on machine: OS and apps sealed with MBR’s PCR. Any changes to MBR (to load other OS) will prevent locked software from loading. Prevents reverse-engineeringWeb server: seal server’s SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache, config, or contentGeneral problem with software patches: When updating MBR, must re-seal blobs Not a simple process …TPM CountersTPM must support at least four hardware counters Increment rate: every 5 seconds for 7 years.Applications: Provides time stamps on blobs. Supports “music will pay for 30 days” policy.Non-volatile TPM memoryStores: Storage Root Key (SRK) Owner Password Endorsement Key (EK) Created once for the life of the TPM Certificate for EK issued by TPM vendor Basis of attestation Persistent flags (e.g. ownership flag)Generated whenuser takes ownershipAttestationAttestation: what it doesGoal: prove to remote party what software is running on my machine.Good applications: Bank allows money transfer only if customer’s machine runs “up-to-date” OS patches. Enterprise allows laptop to connect to its network only if laptop runs “authorized” software Quake players can join a Quake network only if their Quake client is unmodified.DRM: MusicStore sells content for authorized players only.4Attestation: how it worksRecall: EK private key on TPM. Cert for EK public-key issued by TPM vendor.Step 1: Create Attestation Identity Key (AIK) Details not important. AIK Private key known only to TPM AIK public cert issued only if EK cert is validAttestation: how it worksStep 2: sign PCR values (after boot) Call TPM_Quote (some) Arguments: keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle’ PCR List: Which PCRs to sign. Challenge: 20-byte challenge from remote server Prevents replay of old signatures. Userdata: additional data to include in sig. Returns signed data and signature.Attestation: how it (should) workRemoteServerPCTPMOSApp• Generate pub/priv key pair• TPM_Quote(AIK, PcrList, chal, pub-key)•Obtain certAttestation Request (20-byte challenge)(SSL) Key Exchange using CertValidate:1. Certissuer,2. PCR valsin certCommunicate with appusing SSL tunnel• Attestation should include key-exchange• App must be isolated from rest of systemUsing AttestationAttesting to VMs: Terra [SOSP’03]TVMM Provides isolation between attested applicationsNexus OS (Sirer et al.
View Full Document
Unlocking...