Trusted Computing security _platform.ppt

Trusted Computing security _platform.ppt

• 1.
  Trusted Computing Asmaa ALQassabNagham ALLella Lubna Thanoon Supervised by Dr. Najlaa Badeea
• 2.
  WHO DO ITRUST? • Today a computer trusts one of two entities in a user and hacker model. • The user is trusted and the hacker is not. • But when does a computer know that the user is not doing something harmful? • With TC the user and the hacker are both not trusted. This ensures that nothing is done that can compromise the security of the PC.
• 3.
  WHY TC? “The theoryis that software based key generation or storage will always be vulnerable to software attack, so private keys should be created, stored, and used by dedicated hardware”
• 4.
  TRUSTED COMPUTING: BASICIDEA • Addition of security hardware functionality to a computer system to compensate for insecure software. • Enables external entities to have increased level of trust that the system will perform as expected/specified. • Trusted platform = a computing platform with a secure hardware component that forms a security foundation for software processes. • Trusted Computing = computing on a Trusted Platform .
• 5.
  SO HOW DOESTC WORK? • For TC to work you have to use the Trusted Computing Module TPM which is a hardware system where the core (root) of trust in the platform will reside. • TPM will be implemented using a security microchip that handles security with encryption.
• 6.
  WHAT IS ATPM? • A chip integrated into the platform • The (alleged) purpose is to provide more security • It is a separate trusted co-processor “The TPM represents a separate trusted coprocessor, whose state cannot be compromised by potentially malicious host system software.”
• 7.
  THE TRUSTED COMPUTINGGROUP • The Trusted Platform Module TPM is an international standard for a secure crypto- processor. • The TPM technical specification was written by a computer industry consortium called the Trusted Computing Group TCG. • The Trusted Computing Group is a non-profit industry consortium, which develops hardware and software standards. It is funded by many member companies, including IBM, Intel, AMD, Microsoft, Sony, Sun, and HP among others.
• 8.
  TRUSTED COMPUTING ARCHITECTURE TPM(Trusted Platform Module): a tamper-resistant hardware module mounted in a platform. Responsible for: measurement, storage, reporting and policy enforcement. Protected Code TPM Boot Process Operating System App1 App2 App3 Encrypted Files
• 9.
  ROOTS OF TRUST •A Root of Trust is a hardware or software mechanism, that is a component which must behave as expected, because its misbehavior cannot be detected. • Root of Trust for Measurement (RTM): the component that can be trusted to reliably measure and report to the Root of Trust for Reporting what software executes at the start of platform boot. • Uses Platform Configuration Registers (PCR) to record the state of a system. • Static entity like the PC BIOS.
• 10.
  • Root ofTrust for Reporting (RTR) : the component that can be trusted to report reliable information about the platform. • trusted to report information accurately and correctly. • Uses PCR and RSA signatures to report the platform state to external parties. • Root of Trust for Storage (RTS) : the component that can be trusted to securely store any quantity of information. • trusted to store information without interference leakage. • Uses PCR and RSA encryption to protect data and ensure that data can only be accessed if platform is in a known state. ROOTS OF TRUST
• 11.
  A CHAIN OFTRUST • The core idea of the Trusted Computing architecture: • Each stage measures and validates the next one. • Measurements go into Platform Configuration Registers (PCRs) on the TPM. • The chain starts with the hardware TPM, • Then software: • RTM, TPM Software Stack, BIOS, kernel • Applications? • At the end, the entire platform is verified to be in a trusted state.
• 12.
  KEY CONCEPTS • Secureinput and output • Memory curtaining / protected execution • Sealed storage • Endorsement key • Remote attestation
• 13.
  SECURE INPUT ANDOUTPUT • Secure I/O provides a secure hardware path from the keyboard to an application. • From the application back to the screen. • No other software running on the same PC will be able to determine what the user typed, or how the application responded .
• 14.
  MEMORY CURTAINING • Memorycurtaining extends common memory protection techniques to provide full isolation of sensitive areas of memory. • Even the operating system does not have full access to curtained memory .
• 15.
  SEALED STORAGE • Sealedstorage protects private information by binding it to platform configuration information including the software and hardware being used. • Data can be released only to a particular combination of software and hardware. • Embedding PCR values in blob ensures that only certain apps can decrypt data.
• 16.
  ENDORSEMENT KEY • Theendorsement key is a 2048-bit RSA public and private key pair. • Created randomly on the chip at manufacture time. • Non-migratable, store inside the chip, cannot be removed. • It is never used for encryption or signing.
• 17.
  REMOTE ATTESTATION • Proveto a remote party what software/configuration is running on the target system . • Three phases: • Measurement: machine to be attested must measure its properties locally. • Attestation: transfer measurements from machine being attested to remote machine. • Verification: remote machine examines measurements transferred during attestation and decides whether they are valid and acceptable.
• 18.
  FINALLY • ● secureboot allows the system to boot into a defined and trusted configuration. • ● curtained memory will provide strong memory isolation; memory that cannot be read by other processes including operating systems and debuggers. • ● sealed storage allows software to keep cryptographically secure secrets. • ● remote attestation allows a trusted device to present reliable evidence to remote parties about the software it is running. • Low cost technology.