Slide 1: Innovations for Grid Security from Trusted Computing
Wenbo Mao, Trusted Systems Lab, Hewlett-Packard Laboratories, Bristol, United Kingdom
Joint work with Hai Jin, Huazhong Univ. of Sci. & Tech., China, and Andrew Martin, Oxford University, UK
2018/11/9 HP template
Slide 2: What's in this Presentation
Overview of Trusted Computing
TC Working Principle
TC for Grid Security
Friday, 9 November 2018, Trusted Computing overview
Slide 3: Trusted Computing in a Nutshell
A tamper-resistant, hardware-based system for a systematic fix of the security problems of open platforms, while remaining within the open-platform architecture
Prevents release of critical data into undesired software environments
Conforms to platform/user security policies: even the system administrator can't override the policies
An important requirement: low cost (target: < $5 per platform)
Slide 4: From TCPA to TCG
Founded in 1999 as the Trusted Computing Platform Alliance (TCPA) by: Compaq, HP, IBM, Intel, Microsoft
Renamed the Trusted Computing Group (TCG) in 2003, when TCPA had reached 190+ member companies
Slide 5: TCG: not-for-profit, vendor neutral, and industrial & open standards
Structure (org chart): The Board; Technical Committee; Marketing Committee; TPM; Conformance; PC-specific; PDA; Mobile phone; Servers; Infrastructure; Peripherals (HDD, Keyboard)
Promoted by: AMD, HP, IBM, Intel, Microsoft, Sony, Sun
Slide 6: Trusted Platform Architecture
TPM (Trusted Platform Module): a tamper-resistant hardware module mounted in a platform
(Diagram) App1, App2, App3, ..., App n; protected encrypted executables and files; OS; TPM; Boot Processes; keys & passwords; measurement & reporting
Slide 7: Deployment Status
TPM v1.1b: first-generation platforms from HP and IBM, available since 2004 (this notebook machine has one)
TPM v1.2: second-generation platforms based on new offerings (e.g., measurement, attestation) from AMD, Intel, MS, available 2006?
TPM (security chip) vendors: Atmel, Infineon, National Semiconductor, Sinosun
Slide 8: TCG Benefits
TCG is designed so that platform identities and Integrity Metrics can be proven reliably to remote parties
Secure storage of crypto keys in the TPM; X.509 to be widely deployed in the vast client environment
Secure online discovery of platforms and services: confidence in the information about the software environment and identity of a remote party
Protection against hacker scripts, by automatically preventing access to data if unauthorised programs are executed
Slide 9: What's in this Presentation
Overview of Trusted Computing
TC Working Principle
TC for Grid Security
Slide 10: How it Works
TCG mechanisms for:
Protected Storage and Execution: protect private and secret data; a protected environment against malicious code subversion
Platform Integrity Measurement and Storage: reliably measure software integrity properties; securely store the measured platform and s/w integrity
Platform Status Attestation: report integrity properties to a remote challenging party, using a crypto challenge-response mechanism and digital signature
Slide 11: Trusted Platform Module (TPM, Hardware): Protected (tamper-resistant) Storage and Execution
On-chip components: Hash; Processor; NV-memory; Asymmetric key generation; RNG; Memory; Power detection; Digital signing & asymmetric crypto; Clock/Counter; Communications I/O; MAC; PCR
Slide 12: TPM Crypto Systems on the Chip
SHA-1 hash, HMAC (hashed message authentication code)
Random number generation (physical)
Asymmetric key generation (2048-bit RSA)
Asymmetric encryption and signing (RSA PKCS#1 v2)
Symmetric crypto is performed off-chip (to achieve high performance and avoid export control)
Slide 13: Core Root of Trust for Measurement (CRTM): Authenticated Boot
(Diagram slide; only the title survived extraction.)
Slide 14: Integrity Measurement and Storage: Platform Configuration Register (PCR)
An integrity measurement of an executable is its SHA-1 hash, a 160-bit digest (aka "crypto digest")
The integrity measurements of executables are cumulatively stored in a PCR: PCR ← H(executable || PCR)
What can be measured and cumulatively stored (cannot be overwritten until reboot):
BIOS, ROMs, MBR (static PCRs no. 0-4)
OS loaders (static PCRs no. 5-7)
Trusted OSs (static PCRs no. 8-15)
Trusted Applications (dynamic PCRs no. 21-22)
Slide 15: Platform Attestation: Reporting System Integrity Status to a Remote Party
Stored system integrity status can be reported to a remote party using a crypto challenge-response mechanism and digital signature
The TPM uses a user's "attestation identity key (AIK)" to sign the system integrity report
1. Alice → TPM-for-Bob: RandomN, "Status quo for PCR3?"
2. TPM-for-Bob → Alice: Sign(PrivateAIK, RandomN, PCR3)
3. Alice verifies the signature using Bob's PublicAIK
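Added example, not from the slides: a Python simulation of the PCR extend operation from slide 14 and of the verifier-side check behind the attestation exchange on slide 15 (Alice replays a measurement log and compares it with the PCR value the TPM signed). The extend order used is the TCG 1.2 one, SHA-1(PCR_old || SHA-1(executable)); the boot components and whitelist are constructed sample values, and the AIK signature check over RandomN || PCR is assumed to have been done already.

```python
"""Added example (not from the slides): PCR extend and verifier-side replay.
Shows how measurements of boot components accumulate into one PCR and how a
remote verifier (Alice) checks the PCR value a TPM quotes by replaying a
measurement log against a whitelist of known-good digests. Extend order is
the TCG 1.2 one: PCR_new = SHA-1(PCR_old || SHA-1(executable)).
All boot components below are constructed sample byte strings.
"""
import hashlib

PCR_SIZE = 20  # SHA-1 digest length; every PCR is all zeros after reboot


def measure(executable: bytes) -> bytes:
    """Integrity measurement of an executable: its 160-bit SHA-1 digest."""
    return hashlib.sha1(executable).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend; the result depends on every earlier value and order."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(components: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Measure each component in boot order, extend into a single PCR and
    keep the per-component digests as an event log for the verifier."""
    pcr = bytes(PCR_SIZE)
    log = []
    for exe in components:
        m = measure(exe)
        log.append(m)
        pcr = extend(pcr, m)
    return pcr, log


def verify_quote(reported_pcr: bytes, log: list[bytes],
                 known_good: set[bytes]) -> bool:
    """Verifier side: every logged digest must be whitelisted, and replaying
    the log must reproduce the PCR value the TPM signed with its AIK
    (the signature check over RandomN || PCR is assumed already done)."""
    if any(m not in known_good for m in log):
        return False
    pcr = bytes(PCR_SIZE)
    for m in log:
        pcr = extend(pcr, m)
    return pcr == reported_pcr


# Constructed sample boot chain (stand-ins for BIOS, OS loader, OS kernel).
GOOD_CHAIN = [b"BIOS v1.0", b"GRUB stage 2", b"linux-2.6 kernel"]
KNOWN_GOOD = {measure(c) for c in GOOD_CHAIN}
```

Because each extend hashes the previous PCR value, a modified component or the same components in a different order both yield a different final PCR, which is what makes the quoted value meaningful to Alice.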
Slide 16: What's in this Presentation
Overview of Trusted Computing
TC Working Principle
TC for Grid Security
Slide 17: TC for Grid Security "Offer I": Secure Key Storage
A tamper-resistant TPM is a natural place to store crypto keys; there is no need to use short-lived keys and "proxy certificates" with the private key stored in file space
The TPM of a client can serve multiple users; each user can have a user key which can't even be accessed by the sys-admin
Secure key storage permits a longer lifetime for a certificate; it becomes easier to achieve IPSec for Grid security at the node level, rather than being confined to an "identity certificate" at the user level as in the current GSI
Slide 18: TC for Grid Security "Offer II": Group-Oriented Security from a Distributed Firewall
A conventional firewall is based on network topology: one side is all trusted, the other side is assumed to be all enemies; but a Grid VO has no such network topology
Distributed firewall (Bellovin et al.): with secure means of key storage at each IP node, IPSec can be in place; IP packets can be filtered or accepted according to VO policy and IPSec signatures (in IPSec, each packet is signed)
With a distributed firewall, a Grid VO forms a trust domain and achieves good group-oriented security
Slide 19: TC for Grid Security "Offer III": Attestation of a Secure Guest Environment
Attestation of secure virtualization: a remote platform (e.g., a Grid server) is attested by a guest such that it has the following behaviour of a "virtualized OS in curtained memory":
(1) a memory area is allocated to run a virtualized secure OS environment which cannot even be accessed by the platform owner (e.g., the system administrator);
(2) proprietary code of the guest is encrypted under a public key whose matching private key is in the TPM; the encrypted code is sent to the TPM;
(3) the TPM decrypts and loads the proprietary code to run in the virtualized OS for the guest ...
No conventional security mechanism can offer a solution to this typical Grid computing scenario. It is remote platform attestation that does the trick.
Slide 20: It's Time to Work on "TC for Grid Security"
"Offer I" is available now (this machine has a TPM v1.1b), so "Offer I" is readily compatible with GSI (Security Area RG started in GGF13):
a node-level certificate is ready for realizing IPSec;
a user-level certificate is ready for property-based credentials
"Offers II & III" address exactly the fundamental limitations of GSI; the issue here is to augment GSI:
IPSec deployment will be sped up by TC, hence a distributed firewall should start to be considered for GSI;
integrity attestation comes with TPM v1.2 and beyond (available in 2006); virtualization work is now underway
IDC predicts: 20 million TPM platforms to be delivered by end of 2005, and by 2007, 70% of the platforms worldwide will have TPMs
Microsoft "Longhorn" OS will use the TPM, available in 2006
Future: with Grid & TC both in open-platform architecture, they can co-develop without major obstacles
Slide 21: Work in GGF
A new GGF project, TC-RG, has been created:
Offer I (i.e., augmenting GSI with the TPM as a crypto key repository) has been planned for completion in a one-year timeframe
Offers II & III are to be researched further
A paper version of this presentation can be downloaded from the above URL