Security of Cyber
Physical Systems
Lab-1 – Trusted Computing
Copyright By PowCoder代写 加微信 powcoder
Trusted Computing
Laboratories
• Lab-1:TrustedComputing:WorkingwithTrustedPlatformModule.Wewill create keys in secure manner and seal data to a specific device and use the TPM to provide strong identity when establishing unforgeable connection to other devices. The lab consist of 4 parts.
• Demonstrators:
• ShaimaAlAmri • HectorHamilton
Trusted Platform Module (TPM)
Defined set of services using a specific API
Picture of real TPM
cryptographic engines, protection key storage. Separate Functions and storage
TPM is a platform component, can be soldered or add-on
• Identity
• Platform identity
• Storage for chain of trust measurements
• Protected storage
• Place to store “assets” on platform that inherently has confidentiality
and integrity
• Software/firmware deniability of access to keys (Trusted Hardware)
• Attestation
• Key material and collected measuerments that enables attestation reports
TPM Block Diagram
Volatile PCR
RNG Hash Symmetric Asymmetric Key creation
Specification version 1.2 published in 2005
Non Volatile
ACL Policy
Specification version 2.0 published in 2014
Based on True Randomness hardware (oscillators)
SHA-1 only
SHA-2, SHA-3, and others
Used to encrypt keys unloaded from TPM
Max key size of RSA- 2048 , no ECC support
RSA and ECC
Using RNG and support RSA random primes
Specification version 1.2 published in 2005
RNG Hash Symmetric Asymmetric Key creation
Specification version 2.0 published in 2014
Volatile PCR
Non Volatile
Specification version 1.2 published in 2005
PCR – Volatile
SHA-1 bank
More banks + support for SHA2,3
Used to store policy of
Stores acess policy Area is small
Area is small but larger than TPM 1.2
Specification version 2.0 published in 2014
Ownership/Policy
Platform Owner
Can change on platformAuth
TPM2_clear() changes owner Require ownerAuth/platformAuth
Single RSA-2048 generated on each ownership change
Can change but mostly doesn’t Require platformAuth
Single Endorsement key set at manufacturing
Ownership changes represent biggest policy change in TPM 2.0
Storage Conundrum
• Need to store virtually unlimited amount of data
• But TPM has finite amount of storage area • How do we compress the phenomenal
amount of data into the TPM • Indirection won’t work hereJ
Storage Solution is the Storage Root Key
Storage key always inside of TPM
Can encrypt any data, but would normally encrypt other keys
Encrypted blob stored outside of TPM at any location. Blob has both confidentiality and integrity checks. Must decrypt inside of TPM
Could require TPM for decryption or use software decryption (creator’s choice).
Load storage key from outside TPM into TPM, decrypting to obtain key material. Key loading requires authorization and policy
Storage key
Data to store
Authorization Policy
Seal command combines data to seal, with policy necessary to authorize, and using public portion of key to encrypt and proof for HMAC calculation
Resulting data is Sealed, or bound, to the key that did the encryption and the specific device, through proof.
Sealed Blob
Sealed to specific TPM Verification of TPM restriction
Same load command as for Seal
Authorization Policy
Storage key
First decrypt and check HMAC, if HMAC correct, evaluate authorization policy. Unseal will only return data, not the policy
Sealed Blob
Only get back data when decryption is correct and authorization policy met
Bind is just an encryption, according to TPM rules, and any entity with the public portion of a storage key can perform the operation.
As an external entity would not know the proof value, there is no way to generate the HMAC calculation. There is an integrity calculation, just not HMAC with proof value.
Data to BIND
Authorization Policy
Resulting data is BIND to whatever TPM has access to the corresponding private key.
Bound to specific key
Key in use on multiple TPMs
Normal key load.
Note use of proof in the unbind operation
Authorization Policy
Storage key
First decrypt and check integrity, if integrity intact, evaluate authorization policy. Unseal will only return data, not the policy
Only get back data when decryption is correct and authorization policy met
Authorization Policy
Policy Configuration Register
Uses same concept as the measurement registers no real policy register
Auth Value
160-bits (gee same size as SHA-1 output)
To authorize action prove knowledge of the 160 bits
Session allows for the accumulation of policy items just like measurement PCR allows for accumulation of measurement values
Authorization compares state of policy to required state and if matching allows operation
Create a Policy Hash
TPM2_StartAuthSession PolicySigned PolicySecret PolicyPCR
The ending value represents the entire policy chain, the potential combinations are endless
StartAuthSession
StartAuthSession clears the policy hash value to zeros, in effect it sets the starting point
operation changes the policy hash and gives it a unique value that is order dependent
Each authorization
The policy hash only extends if the indicated operation is true
Alternate Paths
Both sessions start at the same point (zero)
Solution is operation that allows either path to be ok (multiple ORs are allowed)
But do a different operation and the policy hash value changes (it’s a byproduct of the hash operation)
Alternates
It is highly likely that there are multiple policies that represent valid auths (user or IT for instance)
Policy Options
TPM2_PolicySigned
authorization is signed with a key (symmetric or asymmetric)
TPM2_PolicySecret
authorization is HMACed with an authValue
TPM2_PolicyTicket
Time-dependent authorization
TPM2_PolicyOR
Check alternate policies
TPM2_PolicyPCR
PCR have the correct value
TPM2_PolicyLocality()
Command arrives with proper platform signaling
TPM2_PolicyNV
an NV location has the correct value
TPM2_PolicyCounterTimer
the conter/timer/resetCount/restartCount have the desired value(s)
TPM2_PolicyCommandCode
limits the authorization to specific command
TPM2_PolicyNameHash
limits the authorization to specific objects
TPM2_PolicyCpHash
limits the authorization to specific command, objects, and parameters
TPM2_PolicyAuthorize
Allows approval of any new policy
TPM2_PolicyAuthValue
use the authValue of the referenced object in the authorization HMAC
PCR Assignments
CRTM, BIOS, and embedded Option ROM
Motherboard configuration
OptionROM code
OptionROM configuration
DRTM Reserved
DRTM Reserved
IPL Configuration
MLE control
State transition
MLE control
MLE control
Reserved for OS
TPM Software Stack (TSS)
Remote Process
TSS Service Provider
RPC Client
TSS Service Provider
RPC Client
TSS Core Services TPM Device Driver Library
TPM Device Driver
TSS enables application development and interoperability
Kernel Mode
System Process User Process
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com