Trusted Computing and the Trusted Platform Module

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

Bryan Parno’s Travel Story

Attestation
- How can we know that a system that we would like to use has not been compromised?

Bootstrapping Trust is Hard!
Challenges:
- Hardware assurance
- Ephemeral software
- User Interaction
[Figure: a software stack of applications (App 1 ... App N), OS modules (Module 1 ... Module 4) and the OS; each layer is hashed with H( ) and the hashes are compared to answer "Safe?" with "Yes!"]

Bootstrapping Trust is Hard!
Challenges:
- Hardware assurance
- Ephemeral software
- User Interaction
[Figure: an "Evil App" running on the OS, yet the check still answers "Safe? Yes!"]

Trusted Platform Module Components
[Diagram: https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM.svg]

TPM Chip
- Often found in business-class laptops
[Photo: https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM_Asus.jpg]

Caveat
- The TPM is not 100% tamper proof!
- Safe use requires physical security
- In 2010 Christopher Tarnovsky extracted the private key from an Infineon TPM chip by:
  - soaking the chip in acid to remove the plastic
  - removing the RF-shield wire mesh
  - probing with an extremely small needle

Built-In Unique Identifier
- "Endorsement Key" permanently embedded in the TPM
  - RSA public-private key pair
  - Private key never leaves the TPM chip
  - Public key can be certified (e.g., the TPM may include an EKCERT certificate signed by a TPM CA such as the TPM manufacturer)
- Master "storage root key" (SRK) created when the TPM is first used

On-Chip Algorithms
- RSA key-pair generation
- RSA encryption/decryption
- RSA signing
- Random number generation
- SHA-1 hashing
- Keyed-hash message authentication code (HMAC)

Platform Configuration Registers (PCRs)
- A TPM contains several 20-byte PCRs
- A PCR is initialized to zero at power on.
- The only operation allowed on a PCR is to extend it: val[PCR] = SHA1(val[PCR] . newval)
- At boot time, a TPM-enabled PC takes a series of measurements and stores them in PCRs
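A small model of the PCR extend rule, added here as an example and not part of the original slides: it replays a constructed boot log to a golden value, shows that a changed or reordered component yields a different PCR, and models a secret that is released only when the PCR matches (the mechanism the BitLocker slide below relies on). The component strings and the disk key are constructed placeholders.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
)

// extend models the only operation a TPM permits on a PCR:
// val[PCR] = SHA1(val[PCR] || newval). A PCR holds 20 zero bytes at power on
// and can never be written directly or reset, only extended.
func extend(pcr [20]byte, newval []byte) [20]byte {
	return sha1.Sum(append(pcr[:], newval...))
}

// replay recomputes the final PCR value from an ordered measurement log.
// A verifier does exactly this to check a PCR value a platform reports.
func replay(log [][]byte) [20]byte {
	var pcr [20]byte // all-zero at power on
	for _, m := range log {
		pcr = extend(pcr, m)
	}
	return pcr
}

// unseal models the TPM releasing a secret (e.g. a disk encryption key) only
// when the current PCR equals the value recorded when the secret was sealed.
func unseal(sealedTo, current [20]byte, secret []byte) ([]byte, error) {
	if sealedTo != current {
		return nil, errors.New("PCR mismatch: boot chain changed, secret stays sealed")
	}
	return secret, nil
}

func main() {
	// Constructed stand-ins for measured boot components; a real TPM is
	// extended with hashes of the BIOS, bootloader and OS images.
	good := [][]byte{[]byte("BIOS v1"), []byte("bootloader v1"), []byte("kernel v1")}
	tampered := [][]byte{[]byte("BIOS v1"), []byte("bootloader EVIL"), []byte("kernel v1")}
	reordered := [][]byte{[]byte("bootloader v1"), []byte("BIOS v1"), []byte("kernel v1")}
	golden := replay(good)
	fmt.Printf("golden:    %x\n", golden)
	fmt.Printf("tampered:  %x\n", replay(tampered))  // one changed component changes the PCR
	fmt.Printf("reordered: %x\n", replay(reordered)) // same components, other order: different PCR
	key := []byte("constructed-disk-key")
	if _, err := unseal(golden, replay(tampered), key); err != nil {
		fmt.Println(err)
	}
}
```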

HMAC
- Hash with two inputs: a key and a block of data
- Typically the key is randomly generated and secret
- The key can be used (for example) to guarantee that the hash was freshly created

How HMAC can be used
- TPM can hash the contents of all storage on the computer, or storage in certain places:
  - Disks
  - Memory
  - Registers in the CPU
- User can choose to execute only from known safe states

Applications
- Storing and protecting sensitive information from modification
- Trusted boot
- Attestation

TPM-Based Attestation Example [Gasser et al. '89], [Arbaugh et al. '97], [Sailer et al. '04], [Marchesini et al. '04]
[Figure: the boot chain BIOS -> Bootloader -> OS Module -> App; each stage is measured into the TPM's PCRs, and the TPM holds the signing key KPriv]

Establishing Trust via a TPM [Gasser et al. '89], [Arbaugh et al. '97], [Sailer et al. '04], [Marchesini et al. '04]
[Figure: the verifier sends a random # to the platform; the TPM signs the PCR contents (measurements of BIOS, Bootloader, OS Module, App) together with the random # using KPriv, Sign( )Kpriv; the verifier checks the signature with KPub. The random # guarantees freshness, KPub guarantees a real TPM, and the signed PCRs guarantee the actual TPM logs. Result: Accurate!]
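The challenge-response exchange in the figure, written out as an added example (not from the slides): the platform's TPM signs its PCR together with the verifier's random #, and the verifier checks the signature, the nonce and the PCR value in turn. The RSA key pair stands in for the TPM's certified key, the expected golden PCR is assumed, and PKCS#1 v1.5 over SHA-256 is a signing scheme chosen for this example, not a TPM-defined quote format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Quote is the TPM's reply: the PCR value bound to the challenger's random #, signed with KPriv.
type Quote struct {
	Nonce []byte
	PCR   [20]byte
	Sig   []byte
}

// quoteDigest is the message the signature covers: SHA-256(nonce || PCR).
func quoteDigest(nonce []byte, pcr [20]byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), pcr[:]...))
	return d[:]
}

// tpmQuote is the platform side: sign whatever the PCR currently holds.
func tpmQuote(tpmKey *rsa.PrivateKey, nonce []byte, pcr [20]byte) (Quote, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, tpmKey, crypto.SHA256, quoteDigest(nonce, pcr))
	return Quote{Nonce: nonce, PCR: pcr, Sig: sig}, err
}

// verifyQuote is the challenger side and checks the slide's three guarantees: real TPM
// (signature under the certified KPub), freshness (our random #), accurate logs (expected PCR).
func verifyQuote(tpmPub *rsa.PublicKey, sent []byte, q Quote, expected [20]byte) error {
	if rsa.VerifyPKCS1v15(tpmPub, crypto.SHA256, quoteDigest(q.Nonce, q.PCR), q.Sig) != nil {
		return errors.New("signature invalid: not produced by the certified TPM key")
	}
	if string(q.Nonce) != string(sent) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if q.PCR != expected {
		return errors.New("PCR mismatch: boot chain differs from the known-good one")
	}
	return nil
}

// newTPMKey stands in for the key pair embedded in the TPM (constructed here, not a real EK).
func newTPMKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// newNonce is the challenger's fresh random #.
func newNonce() []byte { n := make([]byte, 20); rand.Read(n); return n }
```

A quote that verified under one random # fails under the next one, which is how the verifier tells a live TPM from a recorded answer.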

Microsoft BitLocker Drive Encryption
- Encryption of the volume containing the Windows OS and user files, e.g., C:\
- A separate unencrypted volume contains the files needed to load Windows
- TPM protects the disk encryption key by encrypting it
- TPM releases the key only after comparing the hash of the early (unencrypted) boot files with the previous hash
- BitLocker can be used without a TPM: the user supplies an encryption password
- Relies on the user having an OS password!

Microsoft Secure Boot (Windows 8+)
- Enabled by "UEFI", the Unified Extensible Firmware Interface (replacement for the traditional BIOS)
- Manufacturer's and Microsoft's public keys stored in firmware (other OS vendors' keys can be added)
- TPM checks that the firmware is signed by the manufacturer
- TPM checks that the hash of the boot loader carries a signature that verifies under the stored Microsoft public key

Microsoft Trusted Boot
- Takes over after Secure Boot
- Verifies all OS components, starting with the Windows kernel
- The Windows kernel verifies boot drivers and start-up files

Microsoft Measured Boot
- TPM signs the measured boot log file
- Remote attestation is possible by transmitting the signed boot log

Intel SGX
- Intel Software Guard Extensions: new instructions added to the x64 instruction set
- Incorporated directly into the CPU, e.g., Intel i7-6700K, Dell Inspiron 11 i3153 (not a separate chip like the TPM)
- An application can create a trusted memory "enclave"
- Only trusted functions (stored in the enclave) can see or modify the enclave
- https://software.intel.com/en-us/sgx/details