13-06-2012, 01:08 PM
Cryptographic Features of the Trusted Platform Module
[attachment=24310]
Introduction
The Trusted Platform Module (TPM) is the core of Trusted Computing and provides a number of cryptographic capabilities that help protect PC clients from threats to users’ sensitive information. After providing a brief overview of the Trusted Platform Module, this paper describes the threat (or attack) model that the TPM (and other Trusted Computing elements) is designed to protect against. It then examines the TPM features available to address these threats and use models that demonstrate how these features can be used to protect against such threats.
Threat Model
Sensitive Information
The TPM and other elements of the TCG specifications are designed to protect against or mitigate the potential damage caused by a variety of threats and attacks. This paper focuses on those that affect PC clients (desktops and notebooks).
PC clients have a large number of vulnerabilities, known and unknown, and this is unlikely to change given the nature and practices of the software industry. In addition, keeping patches up to date for all software installed on a system is time consuming and a large percentage of systems do not have all applicable patches. While networks and servers offer the most value for attackers, they are also better protected than PC clients. In addition, PC clients often contain information.
Platform Authentication and Attestation
When a compromised client is connected to a network, it can be a threat to the entire network even if the sensitive information on the client is protected. Therefore, it is important to be able to identify unauthorized or compromised clients and prevent them from connecting to the network. Software-only methods of authenticating clients can be circumvented because the authentication information, such as the computer name or MAC address, can be forged. Network administrators should be able to prevent access to the network to specific authorized client hardware. They should also be able to prevent access to properly configured and uncompromised clients before they gain access. Furthermore, an attacker or rogue client should not be able to forge its authentication as an authorized client or its configuration and current state.
Platform Configuration Registers
A Platform Configuration Register (PCR) is a 160-bit register for storing integrity measurements. TPMs must have at least 16 PCRs, all of which are protected and inside the TPM. While the number of PCRs is limited, they can each represent an unlimited number of measurements. This is accomplished by cryptographically hashing all updates to a PCR such that the new PCR value is dependent on the previous value and the value to add. The ordering and one-way properties of cryptographic hashes are particularly important for this use case.
The TPM_Seal operation can be used to encrypt data such that it can only be decrypted on a specific platform. Callers of this operation may specify PCR values required to unseal the data. Future TPM_Unseal operations will reveal the sealed data only if attempted on the same platform and the PCR value(s) match. In this way, the sealed data is protected from changes in the configuration. TPM_Seal and TPM_Unseal both require “AuthData” (similar to a password). This means that data can be sealed such that only a specific user can access it on a given client under a specific configuration.
[attachment=24310]
Introduction
The Trusted Platform Module (TPM) is the core of Trusted Computing and provides a number of cryptographic capabilities that help protect PC clients from threats to users’ sensitive information. After providing a brief overview of the Trusted Platform Module, this paper describes the threat (or attack) model that the TPM (and other Trusted Computing elements) is designed to protect against. It then examines the TPM features available to address these threats and use models that demonstrate how these features can be used to protect against such threats.
Threat Model
Sensitive Information
The TPM and other elements of the TCG specifications are designed to protect against or mitigate the potential damage caused by a variety of threats and attacks. This paper focuses on those that affect PC clients (desktops and notebooks).
PC clients have a large number of vulnerabilities, known and unknown, and this is unlikely to change given the nature and practices of the software industry. In addition, keeping patches up to date for all software installed on a system is time consuming and a large percentage of systems do not have all applicable patches. While networks and servers offer the most value for attackers, they are also better protected than PC clients. In addition, PC clients often contain information.
Platform Authentication and Attestation
When a compromised client is connected to a network, it can be a threat to the entire network even if the sensitive information on the client is protected. Therefore, it is important to be able to identify unauthorized or compromised clients and prevent them from connecting to the network. Software-only methods of authenticating clients can be circumvented because the authentication information, such as the computer name or MAC address, can be forged. Network administrators should be able to prevent access to the network to specific authorized client hardware. They should also be able to prevent access to properly configured and uncompromised clients before they gain access. Furthermore, an attacker or rogue client should not be able to forge its authentication as an authorized client or its configuration and current state.
Platform Configuration Registers
A Platform Configuration Register (PCR) is a 160-bit register for storing integrity measurements. TPMs must have at least 16 PCRs, all of which are protected and inside the TPM. While the number of PCRs is limited, they can each represent an unlimited number of measurements. This is accomplished by cryptographically hashing all updates to a PCR such that the new PCR value is dependent on the previous value and the value to add. The ordering and one-way properties of cryptographic hashes are particularly important for this use case.
The TPM_Seal operation can be used to encrypt data such that it can only be decrypted on a specific platform. Callers of this operation may specify PCR values required to unseal the data. Future TPM_Unseal operations will reveal the sealed data only if attempted on the same platform and the PCR value(s) match. In this way, the sealed data is protected from changes in the configuration. TPM_Seal and TPM_Unseal both require “AuthData” (similar to a password). This means that data can be sealed such that only a specific user can access it on a given client under a specific configuration.