Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Yaron Sheffer Manager, Standards.

Published byAllan Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Yaron Sheffer Manager, Standards."— Presentation transcript:

1 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Yaron Sheffer Manager, Standards and VPN Technologies Check Point Jan. 2008

2 2 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Agenda  A few words about Check Point  Why Trusted Computing  The Trusted Computing Architecture  Uses of Trusted Computing  Issues with Trusted Computing  Trusted Computing in practice  Details: 3 rd party attestation  The TC ecosystem: related and competing work, NAC

3 3 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. A Global Security Leader * Frost & Sullivan Global leader in firewall/VPN* and mobile data encryption More than 100,000 protected businesses More than 60 million consumers 100% of Fortune 100 as customers 100% security 100% focus on information security >1,000 dedicated security experts Protecting networks and enterprise data Global ~ 2,000 employees 69 offices, 28 countries 2,200 partners, 88 countries HQ in Israel and U.S.A. Leader Revenue Net Profit

4 4 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. SMART Security Management Architecture Unified Security Architecture Management Data leakage Compliance Port controlReporting Disk Encryption Monitoring Media Encryption IPS Personal firewall UTM Disk Encryption VPNAnti-Virus FirewallVPN Client Always Anticipating New Security Needs

5 5 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Agenda  A few words about Check Point  Why Trusted Computing  The Trusted Computing Architecture  Uses of Trusted Computing  Issues with Trusted Computing  Trusted Computing in practice  Details: 3 rd party attestation  The TC ecosystem: related and competing work, NAC

6 6 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing  Trust (RFC 4949): A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system will not fail or (b) that the system meets its specifications (i.e., the system does what it claims to do and does not perform unwanted functions)  When approaching a PC, do we have this feeling?  Something is rotten in the state of Denmark

7 7 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Lack of Trust  Mutability –Data –Applications and libraries –Device drivers –Kernel components –And… the BIOS  “Least privilege” principle is ignored –Administrator privileges  Huge amounts of trusted code  Secure development principles are not applied

8 8 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Group  [An] organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices  Implicitly: software alone will not do  Established (as TCPA) 1999  TPM 1.0 published Feb. 2001  TNC work started 2004  Around 200 member companies  www.trustedcomputing.org www.trustedcomputing.org

9 9 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Agenda  A few words about Check Point  Why Trusted Computing  The Trusted Computing Architecture  Uses of Trusted Computing  Issues with Trusted Computing  Trusted Computing in practice  Details: 3 rd party attestation  The TC ecosystem: related and competing work, NAC

10 10 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Architecture TPM (Trusted Platform Module): a tamper-resistant hardware module mounted in a platform. Responsible for: measurement, storage, reporting and policy enforcement Protected Code TPM Boot Process Operating System App1App2App3 Encrypted Files

11 11 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Roots of Trust  A Root of Trust is a component that must behave as expected, because its misbehaviour cannot be detected –A piece of code  Root of Trust for Measurement: the component that can be trusted to reliably measure and report to the Root of Trust for Reporting what software executes at the start of platform boot  Root of Trust for Reporting: the component that can be trusted to report reliable information about the platform  Root of Trust for Storage: the component that can be trusted to securely store any quantity of information

12 12 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. A Chain of Trust  The core idea of the Trusted Computing architecture  Each stage measures and validates the next one –Measurements go into Platform Configuration Registers (PCRs) on the TPM  The chain starts with the hardware TPM  Then software: –RTM, TPM Software Stack, BIOS, kernel –Applications?  At the end, the entire platform is verified to be in a trusted state

13 13 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. TC Cryptographic Capabilities  SHA-1, HMAC –Hashed message authentication code  Physical random number generation –An important feature in itself  Asymmetric key generation –2048-bit RSA  Asymmetric crypto encryption/decryption and signing –RSA PKCS#1  Bulk symmetric crypto is performed off-chip –For example, disk encryption  Reasons: price, export considerations  This is no high performance crypto chip!

14 14 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Agenda  A few words about Check Point  Why Trusted Computing  The Trusted Computing Architecture  Uses of Trusted Computing  Issues with Trusted Computing  Trusted Computing in practice  Details: 3 rd party attestation  The TC ecosystem: related and competing work, NAC

15 15 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Uses of Trusted Computing  Data protection: storage of secrets –TPM unseals storage keys only if the platform is in a trusted state  Detecting unwanted changes to a machine’s configuration –Secure boot  The next three require “3rd party attestation” –Protocol described later  Checking client integrity on a local network –E.g. before the client is allowed into the network –Or by each network server  Verifying the trustworthiness of a “kiosk” –By a remote server –By a local smartcard  Machine authentication for remote access

16 16 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Authentication and Privacy: A Contradiction?  When you digitally sign a measurement report, you potentially reveal your identity!  The architecture provides for the TPM to have control over “multiple pseudonymous attestation identities” – next slide  TPM attestation identities do not contain any owner/user related information –A platform identity attests to platform properties  No single TPM “identity” is ever used to digitally sign data –Privacy protection  TPM Identity certification is required to attest to the fact that they identify a genuine TC platform  The TPM Identity creation protocol allows for choosing different Certification Authorities (Privacy CA) to certify each TPM identity –Prevent correlation

17 17 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Multiple Pseudonymous Attestation Identities… Host being verifiedVerifier Host Identity CA Name1Name2 Certified by… Trusts…

18 18 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Issues with Trusted Computing  TC is happening very slowly –A mixture of technical, business and perceptual issues  Can a large and not-so-well-designed OS ever become trustworthy? –Intel’s current direction might point to a solution  The distinction between platform owner and data owner –Can Sony prevent you from playing their songs? – DRM is evil! –Can Sony prevent you from reading their confidential financial data? – Enterprise DRM is ??? –But hey, we’ve had DRM long before TPM!  Allowing an “open” software ecosystem –For proprietary software –For open source software –For open source software that refuses to “play by the rules”

19 19 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing in Practice  TPM exists on a very large percentage of desktops and laptops –On your computer, too  But it is disabled by default  So it is rarely used –Even innocuous functionality like RNG is blocked!  Microsoft was expected to enhance TC functionality in Vista –But only made a small step with BitLocker  Apple used TPM once to ensure its new OS only runs on its own “beta” machines –But this is the wrong way around!

20 20 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Agenda  A few words about Check Point  Why Trusted Computing  The Trusted Computing Architecture  Uses of Trusted Computing  Issues with Trusted Computing  Trusted Computing in practice  Details: 3 rd party attestation  The TC ecosystem: related and competing work, NAC

21 21 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Remote Attestation  Three phases  Measurement: machine to be attested must measure its properties locally  Attestation: transfer measurements from machine being attested to remote machine  Verification: remote machine examines measurements transferred during attestation and decides whether they are valid and acceptable

22 22 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Linux Integrity Measurement

23 23 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Linux Attestation

24 24 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Linux Verification

25 25 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Agenda  A few words about Check Point  Why Trusted Computing  The Trusted Computing Architecture  Uses of Trusted Computing  Issues with Trusted Computing  Trusted Computing in practice  Details: 3rd party attestation  The TC ecosystem: related and competing work, NAC

26 26 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Network Access Control (NAC)  Two separate goals: –Ensure computers are “clean”, and running an authorized configuration –Ensure only “good” computers connect to the LAN  We could have done #1 with TC, but TC is not happening  So we just ask the computer nicely, and believe the response…  NAC is important in the marketplace  Being standardized within TCG –Under the name Trusted Network Connect, TNC  It might converge with TC some day

27 27 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. TC: Related and Competing Initiatives  Microsoft Next Generation Secure Computing Base (NGSCB), formerly Palladium –Uses TPM to create a secure OS partition –Was expected to go into Vista –Apparently dead now –Microsoft’s Bitlocker disk encryption survived into Vista  ARM TrustZone  Intel Trusted Execution Technology –Next slide

28 28 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Intel Trusted Execution Technology  A recent initiative, an extension of the vPro architecture  Relies on TPM  Focused on virtualization: partitioning of virtual machines  Requires an “enabled” OS and applications  Provides: –Protected (partitioned) execution – partitions are full virtual machines, each running its own OS –Sealed storage –Protected input (e.g. from USB devices) –Protected graphics –Software measurement and protected launch of OS components  Consists of: –CPU extensions –Chipset enhancements, e.g. to partition physical memory –TPM

29 29 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Summary  Trusted Computing tries to solve one of the top problems in today’s computing  It builds a complex and interesting architecture, using innovative hardware components  The in-built conflict between proven security and privacy has not been resolved, and maybe cannot be  TC is making small steps forward, will it ever see widespread use?

30 30 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Further Reading  https://www.trustedcomputinggroup.org/home https://www.trustedcomputinggroup.org/home  http://en.wikipedia.org/wiki/Trusted_computing http://en.wikipedia.org/wiki/Trusted_computing  Pearson et al., Trusted Computing Platforms, Hewlett Packard and Prentice Hall 2003  David Grawrock, The Intel Safer Computing Initiative. Intel Press 2006.

31 ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Thank You! yaronf@checkpoint.com

Download ppt "©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Yaron Sheffer Manager, Standards."

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.

Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.
Ljubomir Ivaniš CPU d.o.o.

Ljubomir Ivaniš CPU d.o.o.
Vpn-info.com.

Vpn-info.com.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Trusted Computing Platforms Blessing or Curse? by Bastian Sopora, Seminar DRM 2006.

Trusted Computing Platforms Blessing or Curse? by Bastian Sopora, Seminar DRM 2006.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
SEC316: BitLocker™ Drive Encryption

SEC316: BitLocker™ Drive Encryption
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Trusted Computing Platform Alliance – Introduction and Technical Overview – Joe Pato HP Labs MIT 6.805/6.857 17 October 2002.

Trusted Computing Platform Alliance – Introduction and Technical Overview – Joe Pato HP Labs MIT 6.805/ October 2002.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Similar presentations

Ads by Google