Analysis of Direct Anonymous Attestation (DAA)
Sudip Regmi, Ilya Pirkin
Protocol Diagram (Simple Model)
Players: Issuer, Verifier, Platform (the platform holds the PKI)
1. Join Request (Platform to Issuer): {Commit(f), Ni}, authenticated by EK using SPK
2. Join Response (Issuer to Platform): {DAA-Certificate(Ni, Commit(f), PKI)}
3. Sign Request (Verifier to Platform): {basename, nonce}
4. Sign Response (Platform to Verifier): {m, Signature(m, DAA-Certificate, Nv, nonce)}
Security Properties
- Correctness: the verifier completes the protocol for message m only if:
  - m was signed by an honest TPM using a DAA-Certificate and the verifier's basename;
  - the DAA-Certificate was issued by an honest Issuer for the TPM before message m was signed;
  - the issuer known to the verifier is the same issuer that generated the DAA-Certificate(f) used in the signature;
  - the TPM is not on the rogue list.
Security Properties
- Anonymity: a transaction of an honest platform cannot be linked with its Endorsement Key (EK).
  - Checked by comparing the pseudonyms in the Sign Response and the Join Request. If they are equal, anonymity breaks.
- Unlinkability: transactions of an honest platform with different Verifiers are not linkable.
  - Checked by comparing the PKI and the pseudonyms in Sign Responses. Transactions are linkable if:
    - the values are the same when they came from the same TPM;
    - the values are different when they came from different TPMs.
Level of Abstraction
- Simple Model
  - Treats host and TPM as one player, the platform; ignores any interaction between these two players.
  - Only four messages and three players.
  - Simple message format.
- Full Model
  - Considers the interaction between Host and TPM.
  - Messages reflect the actual protocol messages, with the exception of the interactive proofs of knowledge.
Modeling Approach
- Primitives are secure.
- Interactive Proof of Knowledge is modeled by limiting the Adversary's capabilities:
  - can't replay a Join Request;
  - can't modify a Join Request.
Adversary's Capabilities Modeled
- Can intercept messages on the network.
- Checks for use of a different PK in the DAA-Certificate.
- Checks whether he can link two transactions (Join Request with Sign Response, Sign Response with another Sign Response).
- Can replay intercepted messages blindly.
- Randomly replays a Sign Response for a seen Sign Request.
- Constructs a Sign Response in response to a seen Sign Request (built from an earlier Join and Sign Response).
- Constructs a Sign Request with the issuer's basename (the idea is to make the TPM generate the same pseudonym as in the join protocol).
Attacks in Simple Model
Players: Issuer, Verifier, Platform; messages: 1. Join Request, 2. Join Response, 3. Sign Request, 4. Sign Response
- Rudolph DAA attack on anonymity: for each new Join Request a new public key is used.
- Fix: make sure the same key is used for n participants to guarantee n-anonymity.
- Murphi outputs: Error: intruder linked PKI from the same TPM
Attacks in Simple Model
Players: Issuer, Intruder, Platform; messages: Join Request, Join Response, Sign Request, Sign Response
- Anonymity attack: the Intruder uses the Issuer's basename, so the Join Request and the Sign Responses have the same pseudonym.
- Fix: include the type of the basename in the pseudonym.
- Murphi outputs: Error: intruder linked pseudonyms in join and sign requests
Attacks in Simple Model
Players: Issuer, Verifier1, Intruder, Platform; messages: Join Request, Join Response, Sign Request 1, Sign Response 1, Sign Request 2, Sign Response 2
- Unlinkability attack: bsn_v1 = bsn_v2, so Sign Response 1 and Sign Response 2 have the same basename.
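The anonymity and unlinkability checks on the preceding slides, worked through as an added toy model (not the slides' Murphi model or the real DAA group arithmetic): a pseudonym is abstracted as N = H(bsn)^f mod p with a constructed prime p, and the JOIN/SIGN tags are this example's own names for the "type of the basename" that the fix folds into the pseudonym.

```python
import hashlib

# Added toy model of DAA pseudonyms (not the slides' Murphi model): the TPM secret f and the
# basename bsn give zeta = H(bsn) in Z_p* and pseudonym N = zeta^f mod p. The group modulus
# P is a constructed toy prime, not a real DAA parameter.
P = 2**127 - 1

JOIN, SIGN = b"join", b"sign"  # basename "types" introduced here for the slide's fix


def _zeta(data: bytes) -> int:
    """Hash a basename into Z_p*, skipping 0 and 1 so exponentiation is informative."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 2 + h % (P - 3)


def pseudonym_naive(f: int, phase: bytes, bsn: bytes) -> int:
    """Pseudonym as attacked on the slide: only the basename string is hashed,
    so the phase (join vs. sign) plays no role."""
    return pow(_zeta(bsn), f, P)


def pseudonym_fixed(f: int, phase: bytes, bsn: bytes) -> int:
    """Slide's fix: fold the basename's type into the pseudonym, so an issuer
    basename reused in a Sign Request no longer reproduces the join pseudonym."""
    return pow(_zeta(phase + b"|" + bsn), f, P)


def intruder_links_join_and_sign(pseudonym, f, bsn_issuer, bsn_in_sign_request):
    """Adversary check from the slides: compare the pseudonym in the Join Request
    with the one in a Sign Response (the intruder picks the Sign Request basename)."""
    return pseudonym(f, JOIN, bsn_issuer) == pseudonym(f, SIGN, bsn_in_sign_request)


def sign_responses_linkable(pseudonym, f1, bsn1, f2, bsn2):
    """Unlinkability check: two Sign Responses link iff their pseudonyms match,
    which happens only for the same TPM under the same (verifier) basename."""
    return pseudonym(f1, SIGN, bsn1) == pseudonym(f2, SIGN, bsn2)


if __name__ == "__main__":
    f_tpm = 0x1F2E3D4C5B6A7988  # constructed stand-in for a TPM's DAA secret
    bsn_i = b"issuer.example"    # constructed issuer basename
    print("naive, intruder reuses issuer basename:",
          intruder_links_join_and_sign(pseudonym_naive, f_tpm, bsn_i, bsn_i))
    print("fixed, same attempt:",
          intruder_links_join_and_sign(pseudonym_fixed, f_tpm, bsn_i, bsn_i))
```

With the naive pseudonym the join/sign comparison succeeds exactly as the Murphi error reports; with the typed basename it fails, while two Sign Responses under one verifier basename remain linkable by design and differ across verifiers.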
Issues in Simple Model
- EK is not verified against a revocation list (the Rogue Tagging feature is not set up correctly).
- Correctness issue: the Intruder forwards Platform1's messages to Platform2.
  - Players: Verifier1, Intruder, Platform1, Platform2.
  - Platform1 and Platform2 are on different networks; each correctly joined its issuer.
  - The Intruder redirects the Sign Request to a different network.
  - The Verifier does not check which network the platform is in.
  - How far does anonymity extend?
Full model – join protocol
Full model – sign protocol
Conclusion
- The protocol is well designed:
  - interactive PK and nonces ensure freshness and integrity of messages;
  - hashes cover all possible parameters.
- The high level of description makes it difficult to verify corner conditions.
- Correctness in an anonymous system is different from peer-to-peer.
- Managed to model known attacks; no new findings.
- The cross-site attack should be taken care of by users.
- A too detailed model runs out of memory.