Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK

Published byBrittney Wilkerson Modified over 9 years ago

Similar presentations

Presentation on theme: "An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK"— Presentation transcript:

1 An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK Siani_Pearson@hp.com

2 Content What is Trusted Platform technology and TCPA? Why is Trusted Platform technology being developed? What are the main concepts? Where can this technology be applied? How can I find out more?

3 TCPA: industry work group “Through the collaboration of platform, software and technology vendors, develop a specification that delivers an enhanced HW and OS based trusted computing platform that enhances customers’ trusted domains.” –A platform can be trusted if it behaves in the expected manner for the intended purpose

4 Evolution of TCPA Original promoters: HP, Intel, IBM, Microsoft Over 150 members TPM PP In evaluation by NIST Platform PP In development V1.0 Jan ’01 V1.1 Aug ’01 (v1.2 Dec ’02?) March ‘01

5 Why is TP technology being developed? Increased connectivity necessitates stronger trust and confidence in computer platforms - threats from Internet - in general, a third party knows nothing about environment and history of target platform - business-critical services Hardware integrity has been too expensive for mass market

6 What are the main concepts? What TCPA provides Overview of Terminology Design features of TCPA platforms Roots of Trust Platform Identity Platform Integrity – Authenticated Boot Protected Storage

7 What TCPA provides Evidence about the integrity of a platform to both the owner and arbitrary third parties Multiple pseudononymous identities Protected storage Cryptographic functions Cheap and standards based, therefore can be ubiquitous Important building blocks for distributed trust and trusted e-services How can I trust a remote system that is not under my control? A fundamental change to the architecture of existing computers

8 The main mechanisms Trusted Platform technology provides mechanisms for: –Platform Identity Identify the platform and its properties to a challenging party –Authenticated Boot Reliably measure and report on the platform’s integrity –Protected Storage Protect integrity and identity information against subversion

9 Basic Definitions Platform A computing device, usually one that communicates with other such devices Trusted Computing Platform Alliance (TCPA) The organization that has specified how to produce Trusted Platforms Trusted (Computing) Platform (TP) A platform that creates a foundation of trust for software processes Trusted Platform Module (TPM) The hardware root of trust of a TP Trusted Platform Subsystem A set of capabilities inside a platform that are defined by TCPA Certification Authority (CA) Organization that vouches for an entity (e.g. for a cryptographic key, hardware or software component, platform or organization)

10 Overview of terminology Trusted Platform Subsystem = (Trusted Platform Module + Core Root of Trust for Measurement + Trusted platform Support Service)

11 Design features of the TCPA Trusted Platform Most cryptographic primitives - but not bulk encryption Privacy - Fully “opt-in”, with no identity correlation No global secrets - If a TPM is cracked, it reveals information relating to the associated platform and nothing further Low cost protected environment outside a crypto coprocessor - because it is uneconomic to do bulk processing in a coprocessor Ubiquitous security - at very low cost and without significant product export/import problems

12 Privacy Owner control over: –TPM activation –Generation of IDs Multiple pseudonymous IDs (limits correlation) User data kept private from everyone else – no superuser Can prevent the revelation of secrets unless the software state is in an approved state

13 Roots of trust (1) –A root of Trust for Measurement: First component of the boot process. Starts a chain of trusted measurements (Integrity Metrics) of the code executed during the boot process –A root of Trust for Reporting: Implements secure reporting mechanisms for securely stored Integrity Metrics

14 Roots of Trust (2): the TPM –bound to computing platform –records Integrity Metrics of the code executed during the boot process (BIOS, Option-Roms, OS Loader, OS…) –More information logged to the TPM after boot process => Report to a Challenger about software that has been executed on the platform

15 Roots of Trust (3): Attestation entities Trusted Platform Module Entity (TPME) vouches that the Trusted Platform Module (TPM) is genuine by attesting for the Endorsement key inside the TPM Validation Entity (VE) certifies the values of integrity measurements that are to be expected when a particular part of the platform is working properly Conformance Entity (CE) vouches that the design of the TCPA Subsystem in a class (type) of platform meets the requirements of the TCPA specification Platform Entity (PE) vouches for a platform containing a specific TPM Privacy Certification Authority (Privacy-CA; P-CA) attests that an ID belongs to a TP

16 Roots of trust (4)

17 Trusted Platform Identity: Attestation A Trusted Platform can have multiple certified attestation Identities (TPM Ids) –A TPMId is certified by a Certification Authority (Privacy-CA, or CA) that vouches for the Trusted Platform implementation –A TPMId Certificate can be anonymous, it is a TPM identity, not a user identity –TPMIds are used to authenticate the platform as a genuine Trusted Platform, when reporting Integrity Metrics to a Challenger

18 Generating an identity

19 Platform Integrity Measurement: Authenticated Boot

20 Platform Integrity Reporting TPM reports on Integrity Metrics and signs them using a cryptographic identity: TPMId The reporting information will contain –Integrity Metrics: IM 1, IM 2, …, IM N –Metrics Information: Info 1, Info 2, …, Info N –Σ TPMId (IM 1 ), Σ TPMId (IM 2 ),…, Σ TPMId (IM N ) –Certificate for TPMId by CA Id : Cert CA Id (TPMId) –Certificates for Integrity Metrics TO INTERPRET: Validate CA Id and verify Cert CA Id (TPMId)  Trust in the Trusted Platform, based on CA Id trust Verify signatures on Integrity Metrics  Trust in reported Integrity Metrics values Verify Integrity Metrics Certificates and compare certified metrics to reported metrics  Trust that these metrics correspond to certified software BUT!!!

21 Protected Storage Data can be stored using the TPM, that can only be retrieved using this same TPM A specific software configuration can also be specified, that will be required for the TPM to allow this data to be retrieved  Sealing operation: parameters define which Integrity Metrics the data should be sealed to

22 Benefits TCPA brings new functionality to the client platform (PC, mobile, PDA). The potential of TCPA will be released in phases, because some features require more supporting software and infrastructure than others.

23 Short term TCPA benefits – protected storage (Platform with a TPM, associated software provided by the TPM manufacturer) Customers can encrypt the data on their hard disks in a way that is much more secure than software solutions. –The TCPA chip is a portal to encrypted data. –Encrypted data can then only ever be decrypted on the same platform that encrypted it. –TCPA also provides for digital signature keys to be protected and used by the embedded hardware chip

24 Middle term TCPA benefits – integrity checking (Short term solution plus additional software) Protection against hackers, by automatically preventing access to data if unauthorised programs are executed. –TCPA provides for the measurement of integrity metrics of the software environment on the TCPA platform. –Allows for a remote party to verify what the software environment on a TCPA platform is. –The TCPA chip can then be used to encrypt data to disk so that this data can only ever be decrypted on that same platform, and ONLY if the platform has a given set of software environment integrity metrics.

25 Long term TCPA benefits – e-commerce Customers and their partners/suppliers/customers can connect their IT systems and expose only the data that is intended to be exposed. –TCPA is designed so that platform identities and Integrity Metrics can be proven reliably to previously unknown parties. –Secure online discovery of platforms and services: confidence in the information about the software environment and identity of a remote party, enabling higher levels of trust when interacting with this party.

26 Where can this technology be applied? Existing applications benefit from enhanced security Encourages the development of new services that require higher security levels e.g. electronic cash, email, hot-desking, platform management, single sign-on, VPN, web access, etc. We will consider 3 examples.

27 Scenario One

28 Scenario Two

29 Scenario Three

30 Further Information TCPA specification v1.1 is publicly available, and is already implemented in at least three hardware products (Atmel, Infineon, NationalSemi). www.trustedcomputing.org

Download ppt "An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK"

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.

Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Vpn-info.com.

Vpn-info.com.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.

The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013.

1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013.
TCPA TCPA TCPA T rusted C omputing P latform A lliance Saurabh Phansalkar.

TCPA TCPA TCPA T rusted C omputing P latform A lliance Saurabh Phansalkar.
Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.

Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google