Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction.

Published byDelilah Knight Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction."— Presentation transcript:

1 Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction

2 The Trusted Computing Group ● An industry consortium including – Microsoft, HP, Dell, Sony, Lenovo, Toshiba, Vodafone, Seagate,... – (about 160 organisations in total) ● Main output is Trusted Platform Module spec – The specification is publicly available – The TPM is a passive device (it does not monitor or prohibit anything; just performs actions if asked) – It is mandated to be opt-in, not opt-out – It includes privacy-enabling functionality

3 The Trusted Platform Module A hardware chip currently included in 100M laptops –HP, Dell, Sony, Lenovo, Toshiba... –Soldered onto the motherboard, on the LPC bus –HP alone ships 1M TPM-enabled laptops each month Specified by the Trusted Computing Group –An industry consortium that includes Intel, HP, Microsoft, AMD, IBM, Sun, Lenovo.... and 130 other members Manufactured by many companies –Atmel, Broadcom, Infineon, Sinosun, STMicroelectronics, and Winbond Supporting software to be rolled out over the next few years –MS BitLocker is the only mainstream application so far

4 TPM functionality Platform integrity reporting –“Measurement” and reporting of integrity of platform; may include measurement of BIOS, disk MBR, boot sector, operating system and application software Platform authentication –Creation of attestation identity keys (AIK), with anonymity guarantees (DAA) Secure storage – Creation of RSA keys (with private part known only to the TPM)‏ – Encryption and decryption of user data with those keys

5 TPM architecture Hash engine Processor RSA key generation RSA signing and encryption Random number generator Endorsement Key Storage Root Key Loaded keys Platform configuration registers Volatile memory Non-volatile memory

6 Secure storage – Keys are created with TPM_CreateWrapKey ● Passwords (known as “authdata”) are specified for each key ● Keys are arranged in a tree hierarchy ● The TPM returns the created key as a blob; the secret parts are encrypted with the parent key – The function TPM_Seal encrypts data ● It also “seals” it to specified PCR values ● The command returns the sealed blob ● The sealed blob is protected by another piece of authdata, specified at the seal time

7 TPM command message flow (abstract view) TPMUser process TPM_CreateWrapKey( keyinfo ) keyblob TPM_LoadKey2( keyblob )‏ handle TPM_Seal( handle, data )‏ sealedblob “Sealing” means encrypting and binding to PCRs

8 TPM authData To each TPM object or resource is associated an authData value –A 160-bit shared secret between user process and TPM –Think of it as a password that has to be cited to use the object or resource‏ authData may be a weak (guessable) secret –May be based on a user-chosen password; e.g. in Microsoft Bitlocker. The TPM resists online guessing attacks of weak authdata by locking out a user that repeatedly tries wrong guesses –Details are left to manufacturer

9 OIAP and OSAP TPMUser process TPM_OIAP( )‏ authHandle keyAuth TPMUser process TPM_OSAP( keyHandle, No' )‏ authHandle, Ne, Ne' K = hmac( keyAuth ; Ne', No' ) ‏ keyAuth ● Long-lived session ● Allows different objects in same session ● Authdata must be cited each command ● Session may be shortlived ● Just one object ● Because K is cached, authdata need not be cited for each command

10 TPM_CreateWrapKey in more detail TPMUser process Ne', keyBlob hmac(K; keyBlob, Ne', No)‏ TPM_OSAP( parentKeyHandle, NoOSAP )‏ authHandle, Ne, NeOSAP K = hmac( parentKeyAuth ; NeOSAP, NoOSAP ) ‏ hmac( K ; encAuth, keyInfo, Ne, No )‏ TPM_CreateWrapKey( parentKeyHandle, encAuth, keyInfo, authHandle, No )‏ parentKeyAuth

11 TPM_LoadKey2 in more detail TPMUser process Ne', handle hmac( parentKeyAuth ; Ne', No)‏ TPM_OIAP( )‏ authHandle, Ne hmac( parentKeyAuth ; keyBlob, Ne, No )‏ TPM_LoadKey2( parentKeyHandle, keyBlob, authHandle, No )‏ parentKeyAuth

12 Platform measurement ● The TPM has 24 Platform Configuration Registers (PCRs) – Used to record platform configuration – x is a “measurement” of some part of the platform – TPM_Extend(p,x) “stores” the value x on the PCR p – TPM_Extend(p,x) means: p := SHA1( p || x) – p contains a proof of the record of the values that have been extended into it.

13 Core root of trust for measurement

14 Platform integrity reporting ● TPM_Quote returns a signature (using a TPM key) on the PCR p. ● A remote party can use that to be convinced of the integrity of the platform ● The key used is an attestation identity key (AIK), that has a certificate demonstrating that it is a real TPM key.

15 Attestation using a Privacy CA PCA User process { Cert PCA (AIK) } K { K, AIK } EK TPM_MakeIdentity( )‏ AIK EK AIK TPM TPM_ActivateIdentity( { K, AIK } EK )‏ K

16 TPM architecture Hash engine Processor RSA key generation RSA signing and encryption Random number generator Endorsement Key Storage Root Key Loaded keys Platform configuration registers Volatile memory Non-volatile memory

17 TPM: summary ● Commands – Authdata ● Storage ● Platform integrity measurement ● Platform integrity reporting – Attestation – Privacy preserving

18 MS BitLocker and TPM How to ensure only MSBL has access to volume decryption key? [Simplified story] ● On boot, control passes to pre-bios. ● Pre-bios measures bios, extends PCR, passes control. ● Bios measures other hardware and MBR, extends PCR, passes control. ● MBR measures MSBL, extends PCR, passes control. Begin window. ● MBSL retrieves vol id key and extends PCR with “stop value”. End window. ● MBSL starts decrypting disk and launches OS.

Download ppt "Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction."

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Eran Tromer Slides credit: Dan Boneh, Stanford course CS155

Eran Tromer Slides credit: Dan Boneh, Stanford course CS155
Trusted Platform Module

Trusted Platform Module
Rambling on the Private Data Security

Rambling on the Private Data Security
Re-envisioning of the TPM

Re-envisioning of the TPM
Vpn-info.com.

Vpn-info.com.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.

Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
SEC316: BitLocker™ Drive Encryption

SEC316: BitLocker™ Drive Encryption
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture notes.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture notes.
Trusted Computing Platform Alliance – Introduction and Technical Overview – Joe Pato HP Labs MIT 6.805/6.857 17 October 2002.

Trusted Computing Platform Alliance – Introduction and Technical Overview – Joe Pato HP Labs MIT 6.805/ October 2002.

Similar presentations

Ads by Google