Professional Documents
Culture Documents
0
Re-envisioning of the TPM
Where are TPMs today?
2
Research & Exploratory Development Department (REDD)
Outline
3
Research & Exploratory Development Department (REDD)
How TPM 1.2 and 2.0 are the same
4
Research & Exploratory Development Department (REDD)
Comparison of capabilities (10,000 feet)
Capability TPM 1.2 TPM 2.0
Root of trust for Yes Yes
storage
RNG Yes Yes
Secure Key gen Yes Yes
Secure Key store Yes Yes
NVRAM Yes Yes
Attestation Yes Yes
Anti-hammer Yes Yes
5
Research & Exploratory Development Department (REDD)
How TPM 1.2 and 2.0 are different
6
Research & Exploratory Development Department (REDD)
Differences are architectural
(Code size reduced by almost a factor of 2)
Architecture 1.2 2.0
Algorithms Fixed: RSA2048/SHA-1 Any: RSA/ECC SHA-1, SHA-2, AES
7
Research & Exploratory Development Department (REDD)
Differences are architectural
Architecture 1.2 2.0
Manageability Difficult Always on
NVRAM Fixed Can be used for counters, PCRs,
authorization, storage
Object references By pointer By name (no substitution attacks possible)
Side channel attacks HMAC protected SRK Keys checked on loading before they are
used; new forms of authorization;
Types of keys Fixed types (AIK, Flexible types (But you can still make keys
signing, Binding, etc.) with 1.2-like behavior)
FIPSable Yes (level 1) Yes (level 2)
PCRs Brittle Easily managed
Single Sign On Difficult Easy
SRKs One, RSA 2048 As many as you want, you pick the algorithm
HMAC Not available Available
8
Research & Exploratory Development Department (REDD)
Command family comparison
(some 1.2 functions not included as seldom used)
Command Family Number of Number of
Commands 1.2 Commands 2.0
Self test 3 3
Random Numbers 2 2
Authorization 7 18 (EA)
TPM management 33 28
Total 92 108
9
Research & Exploratory Development Department (REDD)
Algorithms
10
Research & Exploratory Development Department (REDD)
Algorithm Differences
Algorithm flexibility
1.2: ONLY RSA (512, 1024, 2048); SHA-1; NO exposed symmetric
2.0: Any Asymmetric, hash, or symmetric algorithm
Need to be approved by Technical Committee, Platform spec
Right now this means:
RSA / ECC (curves under discussion)
SHA-1 / SHA-2 (Russian, Chinese algorithms also likely)
AES (GOST, SMS4 also likely)
11
Research & Exploratory Development Department (REDD)
Symmetric Keys
Bulk encryption
May or may not be required by PC Spec
HMAC signing
12
Research & Exploratory Development Department (REDD)
Hierarchies
13
Research & Exploratory Development Department (REDD)
Multiple Hierarchies
One hierarchy for platform manufacturer
For use by BIOS and SMM only-
Uses new authorization re-created at each boot
Likely contains permanent keys not to contain user info
Privacy Hierarchy
Endorsement key control
Can have as many endorsement keys as you like
Can have as many keys below it as you would like
Storage Hierarchy
Can have as many SRKs as you like
Null Hierarchy
For use of TPM as crypto accelerator
Hierarchy disappears on TPM reset
14
Research & Exploratory Development Department (REDD)
Seed based hierarchies
Random number seed for each hierarchy
16
Research & Exploratory Development Department (REDD)
Authorization
17
Research & Exploratory Development Department (REDD)
Extended Authorization
You can make as simple or as complicated an authorization policy
for an object as you wish.
18
Research & Exploratory Development Department (REDD)
Extended Authorization (continued
You can make as simple or as complicated an authorization policy
for an object as you wish.
19
Research & Exploratory Development Department (REDD)
Mix and match
20
Research & Exploratory Development Department (REDD)
Policy is represented by a single hash
OR
AND
21
Research & Exploratory Development Department (REDD)
Policy is represented by a single hash
Bill is authorized by
a CAC card with public key A,
an HMAC
and PCRs of the system being in a particular state.
CAC card
HMAC
AND Authorized
PCRS
22
Research & Exploratory Development Department (REDD)
A more complicated policy
A Policy built for Bill OR Sally
OR
Sallys CAC card
Sallys biometric
AND
PCRS
23
Research & Exploratory Development Department (REDD)
A Policy Hash with a single authentication based on a signature
Always start with all zeros (32 bytes of zero for SHA256) = P1
Final Policy = P2
1
We look up TPM_CC_PolicySigned in Table 10 in Part 2 (Structures) Section 6.5.3
of the spec and find it equals 0x00000160
2
label is a reference so you know what you are authorizing.
24
Research & Exploratory Development Department (REDD)
Details of calculating the Policy Hash with AND
CAC card AND HMAC AND PCRs
CAC card
Authorized
HMAC
AND
PCRS
Final policy = P4
AND is done with a kind of hash extend like a PCR.
25
Research & Exploratory Development Department (REDD)
Details of satisfying this policy
26
Research & Exploratory Development Department (REDD)
Details of what this policy means
(continued)
When you try to satisfy this policy you will do as follows:
Step 3: Tell the TPM you will be using an hmac to authorize an object.
The TPM extends TPM_CC_PolicyAuthValue into the policy buffer.
The policy buffer now equals P3
The TPM also sets a session HMAC flag that an hmac will be required for any
executed command.
Step 4: Tell the TPM you want it to extend certain specific PCR indexes
into the session policy buffer.
The TPM extends TPM_CC_PolicyPCR, PCRs, digest of those PCRs
The policy buffer = p4
The TPM sets a session PCR flag =0.
If PCRs change now, the PCR flag will be incremented.
Start session
Sign nonce, label with CAC TPM
card Send signature to TPM Session Policy Buffer
for verification. 0x00000000
0x00000000
TPM calculates P2
Signature
Session nonce N
N
N=0xBB443FE5
0xA3B62234
SHA256 (0x00000000 || TPM_CC_POLICYSIGN|| SHA256(A) ||0x01)
Signature Verifies!
28
Research & Exploratory Development Department (REDD)
In pictures: Authorizing with a CAC card policy
Signature of Hello
Hello
Key Policy matches Buffer!
29
Research & Exploratory Development Department (REDD)
In pictures: Authenticate with a CAC card
and PCRs
Start session
Sign nonce, label with CAC TPM
card Send signature to TPM Session Policy Buffer
for verification. 0x00000000
0x00000000
TPM calculates P2
Signature
Session nonce N
N
N=0xBB443FE5
0xA3B62234
SHA256 (0x00000000 || TPM_CC_POLICYSIGN|| SHA256(A) ||0x0000)
Signature Verifies!
30
Research & Exploratory Development Department (REDD)
In pictures: Authenticate with CAC card
and PCRs
PCR state = 0
Certain PCRs can be configured in the TPM to not trigger a PCR state change
31
Research & Exploratory Development Department (REDD)
In pictures: Authorizing with a CAC card and
PCR policy
Signature of Hello
Hello
Key Policy matches Buffer!
PCR state = 0
32
Research & Exploratory Development Department (REDD)
In pictures: What happens when a PCR changes
after authentication, before authorization?
PCR 0 is changed
Load Signing Key (not shown)
TPM
Ask TPM to sign Hello with
Key Session Policy Buffer
0x0EE51220
0x00000000
TPM checks if policy Buffer
matches key Policy Key Policy matches Buffer
The policy Buffer matches PCR state !=0 FAIL!!!
the keys policy, BUT PCR
state is not 0! Therefore it
does NOTHING. Signing Key policy = 0x0EE51220
Hello
1
PCR state = 0
33
Research & Exploratory Development Department (REDD)
A simple OR example: Matt OR Kathy
Matt can authenticate with his CAC card, with public key A
Kathy can authenticate with her CAC card, with public key B
34
Research & Exploratory Development Department (REDD)
Matt Authenticates with his CAC card
P2=0xA3B62234, P3=0xD37712245, P4=0x667FFE34
Start session
TPM
Sign nonce, label with CAC card
Send signature and A Session Policy Buffer
to TPM for verification. 0x00000000
0x00000000
TPM calculates P2
Signature
OR command sent Session nonce N
With P2, P3 N=0xBB443FE5
N
TPM sees current value
matches P2!
OR, 0xA3B62234, 0xD37712245 0xA3B62234
0x667FFE34
SHA256 P1||TPM_CC_PolicyOR||0xA3B62234||,
SHA256( (0x00000000 || TPM_CC_POLICYSIGN|| SHA256(A) || 0x0000)
0xD37712245)
Start session
Sign nonce with CAC card TPM
NO! When the PCRs are measured, a bit is created in the policy and
set to zero. If any PCRs change after that point, the bit is flipped.
37
Research & Exploratory Development Department (REDD)
How can you put an HMAC in a policy?
The session doesnt know what object you are going to authorize.
NO! The policy just says I will authorize with HMAC at execution
38
Research & Exploratory Development Department (REDD)
Cant anyone replace a biometric sensor?
The Biometric sensor must have a public / private key pair, used to
sign both the identified person, and the session nonce
39
Research & Exploratory Development Department (REDD)
Some additional comments
OR
40
Research & Exploratory Development Department (REDD)
Policies can be Fine grained
Matt can sign with this key, but only Emily can copy it, and only
James can certify it
Further, Matt can only sign this year, using his CAC card for
authorization
James can only certify the key, and he must have the PC in a
certain state (as measured by PCRs) as well a know a password
and have a PIV card.
41
Research & Exploratory Development Department (REDD)
Break for questions about EA
42
Research & Exploratory Development Department (REDD)
PCR brittleness
43
Research & Exploratory Development Department (REDD)
PCRs are brittle in 1.2. Are they different now?
You can lock not just to a certain set of PCRs equals a certain value
You can also lock to: Any set of PCRs / values signed by an
authority, as represented by this public key
Examples:
You can lock to PCR 0 (the BIOS) as signed by DELL
Thereafter upgrading your BIOS to a signed DELL BIOS wont
cause problems!
45
Research & Exploratory Development Department (REDD)
Sessions
Password session
Always considered created (Default handle)
Does not encrypt passwords sent to TPM
Auth session
Need to be created
Can be used for HMAC authorization
Can be used for Policy authorization
Can be encrypted and/or salted
Audit session
Need to be created as an auth session
Are converted when used as audit sessions
Can be used in concert with auth sessions
46
Research & Exploratory Development Department (REDD)
Tips on Reading the Spec
47
Research & Exploratory Development Department (REDD)
Reading the Spec
Four sections:
1) Architecture
How sessions work
How commands are put together
2) Structures
To build a
Various data types command
Tables of constants
you use 1-3.
3) Commands
APIs
48
4) Subroutines
Research & Exploratory Development Department (REDD)
Build a command
Write out the flow
Sign with a key (commands Part 3)
Create a key (commands Part 3)
Need structures (Part 2)
49
Research & Exploratory Development Department (REDD)
White papers
Single Sign on
Ephemeral Keys
Locked Keys
Revoking Keys
51
Research & Exploratory Development Department (REDD)
Single Sign on
Establish an NVRAM index with a restricted policy for writing: you must be
able to use a private key, and also give it auth_data
This makes the indexs name unique.
Write something to it
This makes the indexs name unforgeable
When the NVRAM index names auth_data changes, all keys/object linked
to it will also have their auth_data effectively changed
52
Research & Exploratory Development Department (REDD)
Temporary Keys
Ephemeral keys only exist between TPM resets (power on to power off)
Keys can be created on the TPM, cached off the TPM, but will not be
loadable again after the TPM is powered off.
53
Research & Exploratory Development Department (REDD)
Locked Keys
54
Research & Exploratory Development Department (REDD)
Revoking a key
There are multiple ways of revoking a key
Preventing the key (or its parent) from ever being used
Using EA to require approval from a key signing daemon for use
Killing the daemon
Requiring a bit in NVRAM to be on for a particular user/use
Changing the bit
Requiring that a NVRAM HMAC key be used
Destroying the NVRAM named index
Using an ephemeral key
Powering the TPM off
55
Research & Exploratory Development Department (REDD) JHUAPL
Questions
56
Research & Exploratory Development Department (REDD)