Trusted Computing
Security from the ground up
Danny Fullerton 2011/11/04
Why I used to hate TC
Palladium
a chip soldered to our motherboard
all of your actions had to be approved by Microsoft
I was some kind of frustrated liberal punk...
there's no way I could accept this
I've decided to fight this however I could:
tell everyone how this would affect us
swore to never buy a motherboard with this chip
and learn about it
How I came to love TC
Trusted Computing != Palladium
it has very interesting security properties
breaks the status quo
Hackfest 2010 Broken by Design
No comments on the background
well, I'm still a liberal punk but *paranoiac* too
What went wrong?
My guess:
Trusted Computing is a disruptive innovation
I just didn't understand the technology
What is it?
Protection objectives
High: software-based attack
Medium: open case
Low: sophisticated local attack
The basic idea
We cannot trust the entire platform
but only a very small part of it
and build a chain of trust
Root of Trust for Measurements + Trusted Platform Module
Not entirely true: we also have to trust the MLE and the hardware.
Core Root Of Trust for Measurements
Diagram (platform components): CPU, MCH, Memory, ICH, TPM, BIOS, BIOS Boot Block (the CRTM)
Trusted Platform Module
Typical TPM (components as drawn in the diagram):
  secure I/O processor
  execution engine
  program code
  opt-in
  random number generator
  RSA key generator
  RSA engine
  SHA-1 hash engine
  persistent memory: opt-in, Storage Root Key (SRK), Endorsement Key (EK)
  volatile memory: loaded keys, Attestation Identity Keys (AIK), Platform Configuration Registers (PCR)
secure I/O processor: the orchestrator, receives requests and dispatches them
execution engine: implements the specs (validation, execute the request, respond)
random number generator: creates good random data for symmetric keys, asymmetric keys and nonces
RSA key generator: securely creates RSA key pairs (public, private)
RSA engine: encryption, decryption, signature, verification
SHA-1 hash engine: authorization values, HMAC, etc.
volatile memory: keeps track of internal state (sessions, etc.)
persistent memory: power-cycle-resistant memory
opt-in: enforces the user's choice
at purchase time, TPMs are not operational
Storage Root Key (SRK): root of all storage keys
created when the owner activates the TPM
used to create secure key trees
provides virtually unlimited secure storage
Key tree (as drawn):
  inside the TPM:
    Storage Root Key
      Storage Key User1
      Storage Key User2
  outside the TPM (under the user storage keys):
    Binding Key, Signing Key
    Binding Key, Signing Key
The actual structure is malleable and can be very different.
TCG specifications assertion
Endorsement Key (EK): endorsement certificate signed by the TPM manufacturer
uniquely identifies the platform
privacy concerns
well yes but no
the EK is only used in conjunction with something else
Attestation Identity Keys (AIK): some kind of privacy protector
mutual trust in the privacy CA: the CA-signed AIK satisfies the challenger
Diagram: you (EK) <-> privacy CA <-> (AIK) challenger; label: Privacy
What if collusion arises?
Direct Anonymous Attestation (DAA)
Zero Knowledge Proof
Platform Configuration Registers (PCR): store system measurements (SHA-1 hashes)
Static Root of Trust for Measurements (SRTM)
Launch time measurements
Diagram (highly simplified): CRTM -> BIOS ROM / BIOS FLASH -> Boot Loader -> OS Kernel, each stage measured into the TPM (PCR 0, PCR 1, PCR 2, PCR 3, PCR 4) before execution is passed on
Legend: measurement, store measurement, pass execution
Boot process and PCR attribution not accurate (highly simplified).
one PCR can be used to measure multiple elements
TPM_Extend()
PCR = hash( old value, new value )
0x0000 = boot()
0xAAAA = hash( 0x0000, 0x1111 )
0xBBBB = hash( 0xAAAA, 0x2222 )
0xCCCC = hash( 0xBBBB, 0x3333 )
the TPM doesn't act upon PCRs
PCRs are stored whether they're bad or good
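The extend rule above, replayed over a simplified boot chain, as an added Python example (not code from the talk; the component images, the PCR numbers and the measure/extend/boot/mismatched_pcrs names are constructed for illustration). It shows that the register only ever accumulates, so reordering two stages or swapping one component changes exactly the PCR it was measured into, and that judging the values is the verifier's job, not the TPM's:

```python
import hashlib

# Constructed simulation of TPM_Extend over a simplified SRTM boot chain
# (added example, not the talk's code). TPM 1.2 PCRs are 20-byte SHA-1
# registers that start at all zeros after a platform reset.
PCR_INIT = bytes(20)


def measure(component: bytes) -> bytes:
    """The measurement handed to the TPM is the SHA-1 of the component's bytes."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).

    The old value is folded in rather than overwritten, so a stage cannot be
    removed or reordered later without changing the final register value.
    """
    return hashlib.sha1(pcr + measurement).digest()


def boot(chain: list) -> dict:
    """Replay a boot: every (pcr_index, component) is measured into its PCR, in order.

    The chain models CRTM -> BIOS -> boot loader -> kernel; several components
    may share one PCR, as the slides note.
    """
    pcrs = {}
    for index, component in chain:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), measure(component))
    return pcrs


def mismatched_pcrs(observed: dict, golden: dict) -> list:
    """PCR indices whose value differs from a known-good reference set.

    This is the check a verifier (or a sealing policy) performs; the TPM itself
    never judges the values, it only records them.
    """
    return sorted(i for i in golden if observed.get(i) != golden[i])


# Constructed stand-ins for firmware and software images; the PCR numbers follow
# the slides' simplified attribution, not a real platform's layout.
GOOD_CHAIN = [
    (0, b"BIOS image v1.0"),
    (4, b"boot loader stage 1"),
    (4, b"boot loader stage 2"),
    (8, b"OS kernel 3.0"),
]
GOLDEN = boot(GOOD_CHAIN)

if __name__ == "__main__":
    for index, value in sorted(GOLDEN.items()):
        print(f"PCR {index}: {value.hex()}")
    tampered = GOOD_CHAIN[:3] + [(8, b"OS kernel 3.0 + bootkit")]
    print("mismatched PCRs after tampering:", mismatched_pcrs(boot(tampered), GOLDEN))
```

Swapping the two boot loader stages leaves every measurement in the log identical yet produces a different PCR 4, which is why a log alone is not evidence: only the register, reported by the TPM, ties the entries to the order in which they actually ran.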
Dynamic Root of Trust for Measurements (DRTM)
Late launch measurements
Diagram (highly simplified, labels as extracted): CPU with SMX, OS Kernel, MCH, Memory, ICH, TPM with PCR 17, PCR 18, PCR 19
Legend: measurement, store measurement, pass execution
Process not accurate (highly simplified).
Security Enhancements
Measurements: RTM (Root of Trust for Measurement) = CRTM + TPM (SRTM) || SMX + TPM (DRTM)
Sealed storage
TPM_Seal(): encrypt data to a specific environment
  PCR X: f56b7e4d5e065214afa5cc8b86897d7a4cbffb14
  PCR Y: 7cb06027e87e7d848d8576d8fef5f76256f41cee
  PCR Z: 38464bf083d958b53580c63c01e56707fd043588
  TPM: data -> encrypted data
TPM_Unseal(): decrypt if a specific environment is active
  sealed to PCR X: f56b7e4d5e065214afa5cc8b86897d7a4cbffb14
  sealed to PCR Y: 7cb06027e87e7d848d8576d8fef5f76256f41cee
  sealed to PCR Z: 38464bf083d958b53580c63c01e56707fd043588
  compared against the current PCR x, PCR y, PCR z
  TPM: encrypted data -> data
Detect malware: keyloggers / Meterpreter / KonBoot, rootkits (user/kernel, MBR, BIOS)
Protect data: keys, BitLocker, etc.
Timeline diagram (labels as extracted): DRTM measurement; block I/O; TPM_unseal db key; manipulate confidential db; erase db key; unblock I/O; axis: Time; region: Attack Surface
Second slide: the same timeline with an attack marked on the time axis
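The seal/unseal behaviour and the "unseal, use, erase" pattern from the timeline above, as an added Python model (not code from the talk or from the TCG specifications). A real TPM 1.2 seals under the RSA Storage Root Key inside the chip; here a secret that never leaves the SimulatedTpm object and a SHA-256 keystream stand in for the SRK and the RSA engine, and the component images, PCR numbers, the db key and the SimulatedTpm/seal/unseal/erase/scenario names are all constructed for illustration:

```python
import hashlib
import hmac
import os

# Constructed model of TPM_Seal / TPM_Unseal (added example, not the talk's or
# the TCG's code). The SRK secret and the keystream below stand in for the RSA
# Storage Root Key and RSA engine of a real TPM.
PCR_INIT = bytes(20)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


class SimulatedTpm:
    def __init__(self, num_pcrs: int = 24):
        self._srk_secret = os.urandom(32)          # stand-in for the SRK private half
        self.pcrs = {i: PCR_INIT for i in range(num_pcrs)}

    def extend(self, index: int, component: bytes) -> None:
        self.pcrs[index] = extend(self.pcrs[index], hashlib.sha1(component).digest())

    def _composite(self, indices) -> bytes:
        # Digest over the selected PCRs in index order: the "environment" a blob is bound to.
        h = hashlib.sha1()
        for i in sorted(indices):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _key_for(self, composite: bytes) -> bytes:
        # The key depends on both the SRK secret and the PCR composite, so a different
        # environment cannot derive it even if the comparison in unseal() were skipped.
        return hmac.new(self._srk_secret, b"seal" + composite, hashlib.sha256).digest()

    @staticmethod
    def _xor_stream(key: bytes, data: bytes) -> bytes:
        # Toy stream cipher: SHA-256(key || counter) blocks XORed over the data.
        out = bytearray()
        for block, offset in enumerate(range(0, len(data), 32)):
            ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
        return bytes(out)

    def seal(self, data: bytes, indices) -> dict:
        """TPM_Seal: encrypt data so it only decrypts while the selected PCRs hold these values."""
        composite = self._composite(indices)
        key = self._key_for(composite)
        ct = self._xor_stream(key, data)
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"pcrs": sorted(indices), "composite": composite, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytearray:
        """TPM_Unseal: refuse unless the sealed environment is the one currently measured."""
        composite = self._composite(blob["pcrs"])
        if not hmac.compare_digest(composite, blob["composite"]):
            raise PermissionError("PCR mismatch: sealed environment is not active")
        key = self._key_for(composite)
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            raise ValueError("sealed blob was modified")
        # A mutable buffer, so the caller can erase it after use ("erase db key").
        return bytearray(self._xor_stream(key, blob["ct"]))


def erase(buf: bytearray) -> None:
    """Best-effort wipe of an unsealed secret once it is no longer needed."""
    for i in range(len(buf)):
        buf[i] = 0


def scenario() -> dict:
    """Seal a database key to a good boot, then try to unseal after a tampered boot."""
    good = [(0, b"BIOS image v1.0"), (4, b"boot loader"), (8, b"OS kernel 3.0")]  # constructed
    tpm = SimulatedTpm()
    for index, component in good:
        tpm.extend(index, component)
    db_key = b"constructed-db-key-0123456789abcdef"
    blob = tpm.seal(db_key, [0, 4, 8])

    recovered = tpm.unseal(blob)
    unsealed_ok = bytes(recovered) == db_key
    erase(recovered)                                  # shrink the window the timeline shows

    # Same TPM after a "reboot" into a modified kernel: PCR 8 no longer matches.
    tpm.pcrs = {i: PCR_INIT for i in tpm.pcrs}
    for index, component in good[:2] + [(8, b"OS kernel 3.0 + bootkit")]:
        tpm.extend(index, component)
    try:
        tpm.unseal(blob)
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True
    return {"unsealed_ok": unsealed_ok, "erased": all(b == 0 for b in recovered),
            "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(scenario())
```

The sealed blob can live on ordinary disk: it carries the PCR selection and composite it was bound to, and nothing in it helps outside the measured environment because the key is derived inside the (simulated) TPM from a secret that never leaves it.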
Remote Attestation
TPM_Quote(): Sign PCRs with AIK
Diagram: TPM holds PCR x, PCR y, PCR z and the AIK; the RSA engine produces the attestation: PCR x, PCR y, PCR z + AIK signature
Strong Network Access Control (NAC): Trusted Network Connect
assess the security of a kiosk with your mobile device
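The TPM_Quote exchange above from both sides, challenger and platform, as an added Python model (not code from the talk). Textbook RSA with a small key and no padding stands in for the TPM's RSA engine and the AIK, which a real TPM generates internally; the component images, PCR numbers, the "QUOT" prefix and the generate_aik/tpm_quote/verify_quote/scenario names are constructed for illustration. The scenario covers the four outcomes a challenger has to tell apart: a good quote, a replayed one, a quote from a tampered platform, and a report whose PCR values were rewritten without the AIK private key:

```python
import hashlib
import math
import secrets

# Constructed model of TPM_Quote and its verification (added example, not the
# talk's code). Textbook RSA with a small key and no padding stands in for the
# TPM's RSA engine and the AIK: it illustrates the exchange, nothing more.
PCR_INIT = bytes(20)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha1(pcr + measurement).digest()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin, used only to build the toy AIK.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_aik(bits: int = 512):
    """Return ((e, n), (d, n)). A real AIK is made inside the TPM and certified by a privacy CA."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def pcr_composite(pcrs: dict, selection) -> bytes:
    h = hashlib.sha1()
    for i in sorted(selection):
        h.update(bytes([i]) + pcrs[i])
    return h.digest()


def tpm_quote(aik_priv, pcrs: dict, selection, nonce: bytes) -> dict:
    """TPM_Quote: sign the selected PCRs together with the challenger's nonce using the AIK."""
    d, n = aik_priv
    digest = hashlib.sha1(b"QUOT" + pcr_composite(pcrs, selection) + nonce).digest()
    sig = pow(int.from_bytes(digest, "big"), d, n)
    return {"selection": sorted(selection), "pcrs": {i: pcrs[i] for i in selection},
            "nonce": nonce, "sig": sig.to_bytes((n.bit_length() + 7) // 8, "big")}


def verify_quote(aik_pub, quote: dict, golden: dict, expected_nonce: bytes):
    """Challenger side: the nonce must be ours, the AIK signature valid, the PCRs as expected."""
    e, n = aik_pub
    if quote["nonce"] != expected_nonce:
        return False, "nonce mismatch (stale or replayed quote)"
    digest = hashlib.sha1(b"QUOT" + pcr_composite(quote["pcrs"], quote["selection"])
                          + quote["nonce"]).digest()
    if pow(int.from_bytes(quote["sig"], "big"), e, n) != int.from_bytes(digest, "big"):
        return False, "bad AIK signature"
    bad = [i for i in quote["selection"] if quote["pcrs"][i] != golden.get(i)]
    return (False, f"PCR mismatch: {bad}") if bad else (True, "platform state attested")


def scenario() -> dict:
    """Good quote, replayed quote, quote from a tampered platform, and a forged report."""
    aik_pub, aik_priv = generate_aik()
    good = {0: b"BIOS image v1.0", 4: b"boot loader", 8: b"OS kernel 3.0"}  # constructed images
    golden = {i: extend(PCR_INIT, hashlib.sha1(c).digest()) for i, c in good.items()}
    pcrs, nonce, sel = dict(golden), secrets.token_bytes(20), [0, 4, 8]
    quote = tpm_quote(aik_priv, pcrs, sel, nonce)
    results = {"good": verify_quote(aik_pub, quote, golden, nonce)[0]}
    results["replay"] = verify_quote(aik_pub, quote, golden, secrets.token_bytes(20))[0]
    pcrs[8] = extend(PCR_INIT, hashlib.sha1(b"OS kernel 3.0 + bootkit").digest())
    bad_quote = tpm_quote(aik_priv, pcrs, sel, nonce)
    results["tampered"] = verify_quote(aik_pub, bad_quote, golden, nonce)[0]
    # Rewrite the reported PCR 8 to the golden value without re-signing: the signature breaks.
    forged = dict(bad_quote, pcrs={**bad_quote["pcrs"], 8: golden[8]})
    results["forged"] = verify_quote(aik_pub, forged, golden, nonce)[0]
    return results
```

The nonce is what makes the quote fresh: without it a compromised platform could replay a quote captured while it was still clean, which is exactly the "replay" case the scenario rejects. Trust in the AIK public key itself comes from the privacy CA (or DAA) step described earlier; this model simply hands the verifier the key.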
Conclusion
a TPM is a passive device
it cannot take over your platform by itself
at this point, there's no battle about keeping our freedom / rights
Trusted Computing is a tool
nothing else
and it's about time we start using it
Thanks!