Trusted Computing and the Trusted Platform Module
Bruce Maggs (with some slides from Bryan Parno)

Bryan Parno’s Travel Story

Attestation
• How can we know that a system that we would like to use has not been compromised?

Bootstrapping Trust is Hard!
Challenges:
• Hardware assurance
• Ephemeral software
• User Interaction
[Figure: apps, OS and modules 1-4; labels “Safe?” and “Yes!”]

Bootstrapping Trust is Hard!
Challenges:
• Hardware assurance
• Ephemeral software
• User Interaction
[Figure: Evil App and Evil OS; labels “Safe?” and “Yes!”]

TPM Chip
Often found in business-class laptops
(image from Wikipedia)

Caveat
• The TPM is not tamper proof!
• Safe use requires physical security!

Built-In Unique Identifier
• “Endorsement Key”
• RSA public-private key pair
• Private key never leaves the TPM chip
• Public key can be certified

On-Chip Algorithms
• RSA key-pair generation
• RSA encryption/decryption
• RSA signing
• Random number generation
• SHA-1 hashing
• Keyed-hash message authentication code (HMAC)

Platform Configuration Registers (PCRs)
• A TPM contains several 20-byte PCRs
• A PCR is initialized to zero at power on.
• The only operation allowed on a PCR is to extend it:
  • val[PCR] = SHA1(val[PCR] . newval)
• At boot time, a TPM-enabled PC takes a series of measurements and stores them in PCRs

HMAC
• Hash with two inputs: a key and a block of data
• Typically key is randomly generated
• Key can be used (for example) to guarantee that the hash was freshly created

How HMAC can be used
• TPM can hash contents of all storage on computer, or storage in certain places
  • Disks
  • Memory
  • Registers in the CPU
• User can choose to execute only from known safe states

Applications
• Storing and protecting sensitive information
• Trusted boot
• Attestation

TPM-Based Attestation Example
[Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04]
[Figure: BIOS, Bootloader, OS, Modules and Apps; PCRs and KPriv inside the TPM]

Establishing Trust via a TPM
[Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04]
[Figure: random #; KPub; Sign KPriv(BIOS, Bootloader, OS, Modules, Apps, random #); PCRs and KPriv inside the TPM. Labels: “Accurate!”, “Guarantees actual TPM logs”, “Guarantees freshness”, “Guarantees real TPM”]

Microsoft uses of TPM
• Bitlocker drive encryption
• Secure Boot
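
Added example (not part of the original slides): the PCR extend rule from the PCR slide and the random-number challenge from the "Establishing Trust via a TPM" slide, run from the verifier's side. Assumptions: the boot components are constructed byte strings, and the TPM's RSA signature with KPriv is replaced by an HMAC under a shared demo key so the block runs with the standard library only; all function names are hypothetical.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 digest length, matching the 20-byte PCRs on the slides

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """val[PCR] = SHA1(val[PCR] . newval), where '.' is concatenation."""
    return hashlib.sha1(pcr + measurement).digest()

def measure(component: bytes) -> bytes:
    """A measurement is the SHA-1 hash of the component's code."""
    return hashlib.sha1(component).digest()

def boot(components):
    """Measured boot: returns (final PCR value, event log of measurements)."""
    pcr, log = bytes(PCR_SIZE), []
    for code in components:
        m = measure(code)
        log.append(m)
        pcr = extend(pcr, m)
    return pcr, log

def quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Stand-in for the TPM signing (PCR, nonce) with KPriv: HMAC, not RSA."""
    return hmac.new(key, pcr + nonce, hashlib.sha1).digest()

def verify(key, log, known_good, nonce, tag) -> bool:
    """Verifier: replay the log, check the quote, then check each measurement."""
    pcr = bytes(PCR_SIZE)
    for m in log:
        pcr = extend(pcr, m)
    if not hmac.compare_digest(quote(key, pcr, nonce), tag):
        return False  # log does not match the quoted PCR, or the nonce is stale
    return all(m in known_good for m in log)

# Constructed sample boot chains (placeholder byte strings, not real firmware).
GOOD = [b"BIOS v1", b"Bootloader v1", b"OS kernel v1"]
EVIL = [b"BIOS v1", b"Bootloader v1", b"Evil OS"]
KNOWN_GOOD = {measure(c) for c in GOOD}

def attest(components, reported_log=None, replay_nonce=None):
    """Run one challenge-response round; returns the verifier's decision."""
    key = b"constructed demo key"
    nonce = os.urandom(20)
    pcr, log = boot(components)
    tag = quote(key, pcr, replay_nonce or nonce)
    return verify(key, reported_log or log, KNOWN_GOOD, nonce, tag)
```

`attest(EVIL, reported_log=boot(GOOD)[1])` models a compromised OS reporting a clean log: the replayed log no longer matches the PCR value inside the quote, so verification fails.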