There has been a great deal of talk about computer security in recent years as more and
more systems gain access to the Internet. Worms, viruses, trojans, spyware, and other
kinds of malware that seem to work their way through many lines of defense can make
using and maintaining a connected computer quite a chore. Because of this, a variety of
companies, consortia, and standards bodies exist with the express purpose of
developing solutions to make our computing experience safer and more confidential.
Trusted computing, one of the more contentious realms within this broad field, received a
lot of negative attention with the announcement of Microsoft's Palladium initiative (now
called the Next Generation Secure Computing Base, or NGSCB) a few years ago. The
Trusted Platform Module (henceforth TPM), a hardware chip developed by the Trusted
Computing Group (henceforth TCG), provides many of the security and confidentiality
features essential to the initiative.
Business and commerce depend on trust. With the growth of the Internet, wireless
communication technologies and connected mobile computing, trust has become a
pivotal issue for e-Commerce. Since notebook PCs are increasingly used for e-Commerce, there is a growing need to make the notebook platform more trustworthy. As
the mobility of the platform increases, it becomes more and more susceptible to theft.
Stolen data is often regarded as being more valuable than the notebook hardware itself.
Thus, the need to protect user data and secrets is underscored in a mobile computing
environment.
instantiation of the TCPA specification. The current revision of the TCPA main
specification is version 1.1a.
To provide this protection the TPM effectively puts "locks" around the data. Just like physical
locks, if keys or combinations are lost, the assets (i.e., data) may be inaccessible
not only to adversaries, but also to the asset owner/user.
The TPM provides two classes of keys: migratable and non-migratable.
Migratable keys are designed to protect data that can be used (i.e.,
unencrypted) on more than one platform. This has the advantage of allowing
the key data to be replicated (backed-up and restored) to another platform.
This may be because
platform, or the data needs to be available to more than one person operating
on different platforms). This type of key also has the advantage that it can
be backed up and restored from a defective platform onto a new platform.
However, migratable keys may not be the appropriate level of protection (e.g.,
the user wants the data restricted to a
the platform is calculated by the TPM software stack and stored into the Platform
Configuration Registers (PCR) available within the TPM. While binding secret data to
the platform, the TPM merges the data together with the values contained in one or more
PCR registers and then encrypts the combination as a whole. At a later time, when the
secret data needs to be accessed, the values of the necessary platform configurations are
calculated and the data is released for use only if the calculated and stored values match.
The TPM itself consists of several major components, as depicted below. A brief
description of each follows, with a more detailed explanation of each part available from
the specification itself.
I/O Controller
The I/O Controller is a fairly simple component and has a fairly loose specification. It
manages the TPM's interface and communication to the outside platform as well as
controlling and routing internal signals. Additionally, it enforces all the access control
required by the opt-in mechanism and other components.
Cryptographic Co-Processor
The Cryptographic Co-Processor (CCP), a major subdivision of the TPM, contains the
various cryptographic engines used by the TPM as well as the Random Number
Generator vital to these components. For the sake of interoperability its functionality must
include at least RSA key generation, RSA encryption/decryption, SHA-1 hashing, and
random number generation. However, the specification explicitly allows other
asymmetric algorithms such as DSA or elliptic curve. All storage keys and identity keys
must at least match the strength of a 2048-bit RSA key, which should be enough to offer
sufficient protection from malicious access. One important distinction to make is that the
CCP is not a cryptographic accelerator, and no minimum throughput numbers appear at
any point in the specification.
RSA Engine
The RSA Engine must support 512-, 768-, 1024-, and 2048-bit keys, with the minimum
recommended size of generated keys being 2048 bits. The specification does not require
any particular implementation of RSA, which allows the implementer some flexibility. It
does specify a public exponent of 2^16 + 1 (65537). All signing done within the TPM must use
RSA encryption or risk the signature not being accepted by other TPM devices.
SHA-1 Engine
The SHA-1 Engine provides the primary hash algorithm used by the TPM and requires
160-bit keys. The HMAC Engine, whose implementation is dictated by RFC 2104 and
which turns a keyless hash function into a keyed hash by incorporating a
cryptographic key, allows the chip to verify proof of knowledge of AuthData (discussed
later) and proof that incoming requests are authorized and have not been tampered with
in transit.
Key Generator
The Key Generator does not have a strict specification, except that it should not use data
that has existed in a non-protected location as a key, and all nonces need to be taken from
the TPM's Random Number Generator (RNG).
Random Number Generator
The RNG itself consists of a state register, a collector of either entropy or unpredictable
data such as thermal noise or clock offsets, and a post-processor with a hashing function.
The state register is a protected location inside the TPM's nonvolatile memory that stores
the current state of the machine. It can also be implemented as a combination of one
volatile register and one non-volatile register, which is a bit of clever design allowing
developers to use flash RAM (which wears out after a certain number of writes) as the
non-volatile storage. The volatile register is simply written to the non-volatile register
when the TPM detects a power-down. The entropy collector filters the input data to make
sure there is no bias and makes an attempt to correct it if there is. This allows the TPM to
produce good random numbers without needing a dedicated source of hardware entropy.
Opt-In Component
The Opt-In Component maintains the state of various flags, such as whether the TPM is
enabled or disabled. An important part of this is tied to the fact that the platform operator
must be physically present at the machine in order to change the state of these flags. The
particular method of asserting physical presence is left up to the implementation, but an
example of requiring local keyboard input (which can be verified by establishing a
trusted path between the keyboard and the platform) is given.
Execution Engine
The Execution Engine does just that: it executes the function calls (stored in the Program
Code section of the chip) that the chip receives on its I/O bus. The EE makes sure the
security and integrity of the chip and the data it protects are properly maintained. The TPM
ships with both volatile and non-volatile RAM for storing secret data and computational
variables.
Platform Configuration Registers (PCR)
Finally, the Platform Configuration Registers (PCR) are 160-bit storage locations for
integrity measurements. There are at least 16 PCRs on the TPM. There are a large number
of values to be measured and stored, and the result of a new measurement cannot
overwrite the old measurement (or a malicious user could overwrite a value that indicated
tampering with a known good value, subverting the detection mechanism). Thus, the
TCG came up with a clever trick to deal with the fact that each measurement must be
individually stored. As you may have noticed, the PCRs contain the same number of bits
as the output of the SHA-1 Engine. This is because a PCR holds a hash of all the
previous updates, and when a new metric must be stored the TPM simply hashes the value of the
new measurement concatenated onto the old register value. This makes it a very difficult
system to break into, as you would have to somehow reverse the hash computation
(something that is currently infeasible) to determine the input message.
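The extend rule just described, together with the earlier passage on binding secret data to PCR values, as an added Python model that is not code from the paper or from the TCG specification. The component names and the srk secret are constructed inputs; ToyTPM, the HMAC-based keystream and the composite() function are simplified stand-ins for the real RSA storage keys and the TCPA composite-hash structure.

```python
import hashlib
import hmac

def measure(component: bytes) -> bytes:
    # The measurement is the SHA-1 digest of the component (BIOS, loader, ...) being loaded.
    return hashlib.sha1(component).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    # PCR_Extend: the only way a PCR changes is new = SHA-1(old || digest); no overwrite exists.
    assert len(pcr) == 20 and len(digest) == 20
    return hashlib.sha1(pcr + digest).digest()

def boot(components) -> bytes:
    # Power-on resets the PCR to 20 zero bytes; each stage is then extended in load order.
    pcr = bytes(20)
    for component in components:
        pcr = pcr_extend(pcr, measure(component))
    return pcr

def composite(pcrs: dict) -> bytes:
    # Hash of the selected PCR values in index order (constructed stand-in for TCPA_COMPOSITE_HASH).
    h = hashlib.sha1()
    for index in sorted(pcrs):
        h.update(pcrs[index])
    return h.digest()

class ToyTPM:
    # Models the chip: the storage root secret is held here and never returned to callers.
    def __init__(self, srk_secret: bytes):
        self._srk = srk_secret

    def _keystream(self, comp: bytes, length: int) -> bytes:
        # HMAC-SHA-256 in counter mode as a PRF keyed by the secret and the bound PCR composite.
        blocks = (hmac.new(self._srk, comp + bytes([i]), hashlib.sha256).digest()
                  for i in range(length // 32 + 1))
        return b"".join(blocks)[:length]

    def seal(self, data: bytes, pcrs: dict) -> dict:
        # Merge the data with the PCR values and encrypt; the expected composite rides along.
        comp = composite(pcrs)
        blob = bytes(a ^ b for a, b in zip(data, self._keystream(comp, len(data))))
        return {"composite": comp, "blob": blob}

    def unseal(self, sealed: dict, pcrs: dict):
        # Release the data only if the current platform composite equals the stored one.
        if not hmac.compare_digest(composite(pcrs), sealed["composite"]):
            return None
        keystream = self._keystream(sealed["composite"], len(sealed["blob"]))
        return bytes(a ^ b for a, b in zip(sealed["blob"], keystream))
```

Changing any component, or loading the same components in a different order, yields a different PCR value, so data sealed to the known-good configuration is not released afterwards.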
particular platform. There are two ways to generate the EK. The first method is to use the TPM command specified for this purpose
4.4 Certificates
Three types of certificates that may be stored in the TPM are: Endorsement
Certificate (Endorsement Cert), Platform Cert, and Conformance Cert. The
Endorsement Cert contains the public key of the EK. The purpose of the
Endorsement Cert is to provide attestation that the particular TPM is genuine,
i.e. that the EK is protected.
The Platform Cert is provided by the platform vendor and provides attestation
that the security components of the platform are genuine.
"The endorsement key is a 2,048-bit RSA public and private key pair, which is created
randomly on the chip at manufacture time and cannot be changed. The private key never
leaves the chip, while the public key is used for attestation and for encryption of sensitive
data sent to the chip, as occurs during the TPM_TakeOwnership command."
(David Safford) This key is used to allow the execution of secure transactions: every
TPM is required to sign a random number in order to prove its compliance with the TCG
standard and to prove its identity; this makes it impossible for a software TPM emulator to
start a secure transaction with a 'trusted' entity. The TPM is designed to prevent the
extraction of this key by hardware analysis.
Secure I/O
Secure input and output (I/O) refers to a protected path between the computer user and
the software with which they believe they are interacting. On current computer systems
there are many ways for malicious software to intercept data as it travels between a user
and a software process, for example keyboard loggers and screen-scrapers. Secure I/O
reflects a hardware- and software-protected and verified channel, using checksums to
verify that the software used to do the I/O has not been tampered with. Malicious
software injecting itself into this path could be identified.
Although it protects against software attacks, Secure I/O does not help against
hardware-based attacks such as a key-capture device physically inserted between
the user's keyboard and the computer.
Memory curtaining
Memory curtaining extends the current memory protection techniques to provide full
isolation of sensitive areas of memory, for example locations containing cryptographic
keys. Even the operating system doesn't have full access to curtained memory, so the
information would be secure from an intruder who took control of the OS.
Sealed storage
Remote attestation
Remote attestation allows changes to the user's computer to be detected by him and
others. That way, he can avoid having private information sent to or important commands
sent from a compromised or insecure computer. It works by having the hardware generate
a certificate stating what software is currently running. The user can present this
certificate to a remote party to show that their computer hasn't been tampered with.
To take the diary example again, the user's diary software could send the diary to other
machines, but only if they could attest that they were running a secure copy of the diary
software. Combined with the other technologies, this provides a more secured path for
the diary: secure I/O protects it as it is entered on the keyboard and displayed on the
screen, memory curtaining protects it as it is being worked on, sealed storage protects it
when saved to the hard drive, and remote attestation protects it from unauthorized
software even when it is used on other computers.
Applications can utilize the TPM either through the MS-CAPI standard interface, or by
directly implementing a communication interface with the TSS, especially for certain
TCPA functions that may not be supported by MS-CAPI.
BIOS Code
The TCPA specifies the measurement of integrity of BIOS code at system startup. In
order to accomplish such integrity measurement and reporting, the system BIOS has to be
enhanced with integrity measurement functions.
Depending on the existing BIOS architecture, such enhancements can be a complex task.
Platform vendors may wish to provide various pre-boot security functions using the
TPM. The necessary code to provide such functions is either implemented directly within
the system BIOS or provided as an option ROM.
would only release the digital key used to encrypt the account number and PIN to 'trusted'
entities.
Chapter 9: Limitations
As Camenisch acknowledges, with the Privacy CA protocol personal information,
such as a profile of user activities, can be leaked to a third party without the user's knowledge
if that third party and the Privacy CA collude. As Arbaugh puts it, [the TCG] proponents
may argue, but cannot guarantee, that [collusion] will never happen. While the second
protocol is an improvement over the first, it sacrifices users' privacy in order to
detect invalid TPM attestations. The third protocol does claim that even collusion will
not result in a leak; however, it is not clear whether the proposed protocol
will be included in any future TCG specification.
It should also be noted that the TPM cannot protect against many of the attacks that threaten
the privacy of users. For instance, Ross Anderson protests that "most viruses nowadays exploit
the scripting languages in products like [Microsoft] Office." In such a case, the
application may be trusted by the TC system, yet the user's activities or data could still
be compromised covertly. The TPM also does not reduce the threat from spyware
that can monitor and profile user activities, such as browsing habits, and
send them to a remote party. Additionally, as mentioned in section 4, it is vulnerable to
power analysis, which can break the tamper-evident property of the TPM by
extracting information from protected storage without being detected.
Lastly, while the TCG Best Practices Committee does emphasize the importance of the
privacy of users of TPM-based systems, it provides little to no way of actually enforcing
its guideline to protect users' privacy. Without the means to enforce the guideline, the
privacy of users may ultimately end up in the hands of implementers of the TPM
specification.
About 20 million TPM chips shipped in 2005, most of them in notebook PCs. By 2010,
worldwide shipments of TPM modules in PC client systems will reach more than 250
million (Figure 4). However, as categories beyond PCs (e.g., mobile phones, storage
systems, embedded applications, and peripherals) adopt TPMs, the total number of chips
shipped could rise dramatically, even exponentially.
Chapter 12: Conclusion
Trusted computing, whether you like it or not, is making its way towards the mass
market backed by giant corporations. At the heart of the technology resides the TPM. This
paper presented a brief overview of the TPM and its functionality and discussed the
ways it can aid in protecting users' privacy and its limitations in doing so.
The paper also identified several limitations of the TPM and its remote attestation
protocols in protecting users' privacy. While the remote attestation made possible by the
TPM can be beneficial to security, the paper elicited potential threats to users' privacy
resulting from the three remote attestation protocols. Other limitations of the TPM
included vulnerabilities to various threats such as spyware, power analysis and the
exploitation of trusted software.
Bibliography:
URLs:
www.ieeexplore.org
www.infineon.com
www.intel.com/design/mobile/platform/downloads
www.trustedcomputinggroup.org/groups/TCG_Architecture
silicon-trust.com/trends/comp_tpm.asp
Microsoft.com/resources/ngscb/default.mspx
Journals:
Trusted Computing Platform Alliance, TCPA Main Specification Version 1.1, 2001.