Trusted Computing Platform Insights

The document discusses the Trusted Computing Platform Alliance (TCPA), which aims to increase confidence in computing platforms through establishing trust in their expected behavior. It does this by defining mechanisms for platform authentication, integrity reporting using measurements of software state, and protected storage. These features rely on a Trusted Platform Module with roots of trust for measurement and reporting, as well as specifications for an open standard.

Trusted Computing Platform Alliance
Introduction and Technical Overview

Joe Pato
HP Labs

MIT 6.805/6.857
17 October 2002
Why Trusted Computing Platforms?
• Increase consumer and business confidence
• Reduce business risks
  – by enabling trust in the behavior of critical information systems
• Protect end-user private data
  – by enabling trust in end-system behavior
• Recognize that a platform has known Trusted Computing Platform properties
  – Mobile platform access to corporate network.
  – Remote access via known public access point.

Can I trust you to behave in an expected manner?
• Identify that a system will behave as expected:
  – Mobile access to corporate network with firewall and antivirus requirements.
  – Outsourced platform administration

Do I have confidence in interacting with this platform?
• Enable a user to have more confidence in the behavior of the platform in front of them
  – Trust a platform to handle my private data, i.e. banking, medical, etc.
  – Achieving WYSIWYS: What You Sign Is What You See…

Can I trust you to be what you say you are?
The Trusted Computing Platform Alliance - TCPA -
AKA??? The Conspiracy to Prevent Anonymity / The Conspiracy to Prevent Assembly / The Conspiracy to Prevent Artistry / Prelude to Apocalypse / The Cleverly Parboiled Amphibian
The Trusted Computing Platform Alliance - TCPA -
• An industry work group focused on defining and advancing the concept of Trusted Computing
• Founded in 1999 by Compaq, HP, IBM, Intel, and Microsoft.
• 180+ members from the hardware, software, communications, and security technology industries
The TCPA charter
• Provide a ubiquitous and widely adopted means to address trustworthiness of computing platforms
• Publish an open specification for public review
  – Not security by obscurity
• Define a technology specification that can be applied to any type of computing platform (not just PCs!)
TCPA timeline
• TCPA founded 1999; specification revised by membership
• Technology architecture specs:
  – Generic Platform Spec, Feb ‘01
  – PC Specific TCPA specification, Sept ‘01
  – 2002 onwards: activity on Servers, Mobile Phones, Internet Appliances
• Common Criteria conformance specs:
  – TPM Evaluation PP (Protection Profile): completed by NIST 8/02
  – Platform PP or TBB: in development
TCPA concepts
• Definition: A platform can be trusted if it behaves in the expected manner for the intended purpose
• TCPA technology provides mechanisms for:
  – Platform Authentication and Attestation
    • Identify the platform and its properties to a challenging party
  – Platform Integrity Reporting
    • Reliably measure and report on the platform’s software state
  – Protected Storage
    • Protect private and secret data. Protect integrity and identity information against subversion
How does TCPA achieve this?
• The TCPA architecture relies on the concept of a Root of Trust
• A third party can rely on information provided by a platform’s Root of Trust
• The root of trust must be able to report on software that has executed
   measure the first piece of code that executes when the platform boots
• The root of trust must be able to keep secrets from the rest of the platform
   independent computing engine
   “secret” storage
Two Roots of Trust: Measurement, Reporting
• A Root of Trust for Reporting
  – The component that can be trusted to store and report reliable information about the platform
• A Root of Trust for Measurement
  – The component that can be trusted to reliably measure and report to the Root of Trust for Reporting what software executes on platform boot
• It is necessary to trust these Roots of Trust for TCPA mechanisms to be relied upon
  => Conformance and Certification
The Trusted Platform Module - TPM -
• The TPM is the Root of Trust for Reporting
• Think: smartcard-like security capability embedded into the platform
  – The TPM is uniquely bound to a single platform
  – TPM functions and storage are isolated from all other components of the platform (e.g., the CPU)
[TPM block diagram: I/O, Processor, Memory, Non-volatile Memory; random number generation; hash; HMAC; asymmetric key generation; signing and encryption; clock/timer; power detection]
The Core Root of Trust for Measurement - CRTM -
• The CRTM is the first piece of code that executes on a platform at boot time (i.e. the BIOS or BIOS BootBlock on an IA-32 platform)
  – It must be trusted to properly report to the TPM what software executes after it.
  – Only authorized entities must be able to reflash the CRTM… (those that vouch for its behavior)
CRTM and TPM during the boot process

The Authenticated boot process
[Figure: CRTM (BIOS BootBlock) -> BIOS -> OS Loader -> OS, with OpRom1, OpRom2 … OpRomN measured along the way. At each stage the running code hashes the next code, reports the hashed code to the TPM, then hands off.]
TCPA feature-set
• Platform authentication
• Integrity Reporting
• Protected Storage
Platform Authentication
• TCPA provides for the TPM to have control over “multiple pseudonymous attestation identities”
• TPM attestation identities do not contain any owner/user related information
  => A platform identity attests to platform properties
• No single TPM “identity” is ever used to digitally sign data
  => privacy protection
• TPM Identity certification is required to attest to the fact that the identities identify a genuine TCPA platform
• The TPM Identity creation protocol allows choosing different Certification Authorities (Privacy-CA) to certify each TPM identity
  => prevent correlation
Generating an identity
[Figure: Owner, Identity, Certification Authority (CA), Identity-binding Certificates (ABC), Identity Certificate; the identity is under the Owner’s control for privacy.]
Integrity Reporting
• Measurements reported to the TPM during (and after) the boot process cannot be removed or deleted until reboot
  => No hiding code that has executed on the platform
• The TPM will use an attestation identity to sign the integrity report
• The recipient of integrity information can evaluate trustworthiness of the information based on the certificate of the attestation identity
   Trust that the TPM is a genuine TPM on a genuine Trusted Platform
Integrity Reporting (2)
• The recipient of reporting information relies on “signed certificates” that attest that a given measurement represents a known piece of code
  – Cert(Phoenix BIOS v1.2 has hash value of H)
  – Cert(CorpIT config, combined hash value)
• The recipient can verify these Integrity Metrics Certificates and compare certified metrics to reported metrics
   Trust that the reported metrics correspond to certified software
• Trusting the reported software is dependent on the recipient’s policy, for a given application context
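The authenticated boot chain and the two Integrity Reporting slides above, as an added example (not code from the talk): a Python model of measure-then-extend into a 20-byte SHA-1 PCR, followed by the recipient replaying the log against the reported PCR value and checking each entry against certified metrics. The boot stages, their code images and the certificate dictionary are constructed; the attestation-identity signature over the report is assumed to have been verified already.

```python
import hashlib

BOOT_STAGES = [  # constructed stand-ins for the measured code images, not real firmware
    ("BIOS", b"bios image v1.2"),
    ("OpRom1", b"option rom 1"),
    ("OpRom2", b"option rom 2"),
    ("OSLoader", b"os loader image"),
    ("OS", b"kernel image"),
]
PCR_RESET = bytes(20)  # TCPA 1.x PCRs are 20-byte SHA-1 registers, zeroed at power-on

def measure(code: bytes) -> bytes:
    """Hash the code image that is about to receive control."""
    return hashlib.sha1(code).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). One-way, so a reported measurement
    can be added but never removed until the PCR resets at reboot."""
    return hashlib.sha1(pcr + measurement).digest()

def authenticated_boot(stages):
    """Each stage measures the next, reports it to the TPM (extend), then hands off.
    Returns the final PCR value and the measurement log the TPM accumulated."""
    pcr, log = PCR_RESET, []
    for name, code in stages:
        m = measure(code)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log

def verify_report(pcr, log, certified):
    """Recipient side: replay the log against the PCR value in the signed report, then
    check each entry against `certified` (component -> hash from an Integrity Metrics Certificate)."""
    replayed = PCR_RESET
    for _, m in log:
        replayed = extend(replayed, m)
    if replayed != pcr:
        return False, "log does not reproduce the reported PCR value"
    uncertified = [name for name, m in log if certified.get(name) != m]
    if uncertified:
        return False, "uncertified components: " + ", ".join(uncertified)
    return True, "all reported metrics correspond to certified software"

def demo():
    certified = {name: measure(code) for name, code in BOOT_STAGES}
    good, _ = verify_report(*authenticated_boot(BOOT_STAGES), certified)
    # A modified loader changes its measurement, hence the PCR chain and the verdict.
    tampered = [(n, b"modified loader" if n == "OSLoader" else c) for n, c in BOOT_STAGES]
    bad, reason = verify_report(*authenticated_boot(tampered), certified)
    return good, bad, reason
```

Dropping an entry from the log before sending it also fails verification, since the replayed chain no longer reproduces the PCR value the TPM signed.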
Protected Storage
• No generic encryption device – no export control problem
• Cryptographic keys can be created that are protected by the TPM
• Data can be encrypted using the TPM, such that it can only be decrypted using this same TPM
• A specific software configuration can also be specified, that will be required for the TPM to allow data to be decrypted, or keys to be used
   This is called Sealing: parameters define which Integrity Metrics the data should be sealed to
Protected Storage Hierarchy
[Figure:]
TPM
  protects (stored internally)
    Storage Root Key (asymmetric key)
      protects (using encryption)
        Storage Keys
          protects (using encryption)
            Signature key (asymmetric key, signs data), Secret Data, Storage key, Authorization secret
              Storage key protects (using encryption)
                Secret Data, Symmetric key
TPM Protected Objects: Asymmetric Keys, Arbitrary data
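Sealing and the protected-storage hierarchy above, as an added example that is not the talk’s own code: a constructed Python model in which a Storage Root Key that never leaves the TPM and the current PCR value together derive the sealing key, so a sealed blob unseals only on the same TPM in the same software state. ToyTPM, keystream, and the measurements are assumptions; the HMAC counter-mode keystream stands in for the TPM’s cipher.

```python
import hashlib, hmac, os

def keystream(key: bytes, n: int) -> bytes:
    """HMAC counter-mode keystream; stands in for the TPM's symmetric cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
class ToyTPM:
    """Constructed model of TPM protected storage (not the TCPA command set): a Storage
    Root Key that never leaves the device, a PCR holding the software state, and seal/unseal gated on it."""
    def __init__(self):
        self._srk = os.urandom(32)  # Storage Root Key, stored internally
        self.pcr = bytes(32)        # reset at power-on
    def extend(self, measurement: bytes):
        # Record executed software; one-way, cannot be undone until reboot.
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()
    def _seal_key(self) -> bytes:
        # Key depends on both the device secret and the current software state.
        return hmac.new(self._srk, b"seal" + self.pcr, hashlib.sha256).digest()
    def seal(self, data: bytes):
        """Encrypt data so only this TPM, in this software state, can unseal it."""
        k = self._seal_key()
        ct = xor(data, keystream(k, len(data)))
        tag = hmac.new(k, self.pcr + ct, hashlib.sha256).digest()
        return self.pcr, ct, tag  # sealed-to PCR value, ciphertext, integrity tag
    def unseal(self, blob):
        sealed_pcr, ct, tag = blob
        if sealed_pcr != self.pcr:
            return None  # software state differs from the sealed state: refuse
        k = self._seal_key()
        if not hmac.compare_digest(tag, hmac.new(k, self.pcr + ct, hashlib.sha256).digest()):
            return None  # wrong TPM (different SRK) or tampered blob
        return xor(ct, keystream(k, len(ct)))

def demo():
    tpm, other = ToyTPM(), ToyTPM()      # two TPMs brought to the same software state
    for m in (b"approved bios", b"approved os"):
        tpm.extend(m)
        other.extend(m)
    blob = tpm.seal(b"disk encryption key")
    same_state = tpm.unseal(blob)        # same TPM, same state: succeeds
    other_tpm = other.unseal(blob)       # refused: different SRK
    tpm.extend(b"unauthorised program")  # software state changes on the original TPM
    changed_state = tpm.unseal(blob)     # refused: PCR no longer matches
    return same_state, other_tpm, changed_state
```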
Privacy-positive design
• Notion of TPM Owner, think Platform Administrator
• Ultimate TPM functionality control goes to the Owner
• TPM Activation controlled by the Owner, and deactivation
available to the User
• No single TPM “identity” is ever used to digitally sign data
• Multiple pseudonymous IDs (limits correlation)
• Remote control of the TPM enabled by challenge response
protocols for authorization mechanisms
• Can prevent the revelation of secrets unless the software
state is in an approved state
About Conformance
• Common Criteria based
• TCPA:
  – TPM Protection Profile completed
  – Platform Protection Profile to include CRTM and connection to platform
• Manufacturer’s role
  – Create Security Target, and produce product design evaluation
Short term TCPA benefits – protected storage
(Platform with a TPM, associated software provided by the TPM manufacturer)
Customers can encrypt the data on their hard disks in a way that is much more secure than software solutions.
  – The TCPA chip is a portal to encrypted data.
  – Encrypted data can then only ever be decrypted on the same platform that encrypted it.
  – TCPA also provides for digital signature keys to be protected and used by the embedded hardware chip
Middle term TCPA benefits – integrity checking
(Short term solution plus additional software)
Protection against hacker scripts, by automatically preventing access to data if unauthorised programs are executed.
  – TCPA provides for the measurement of integrity metrics of the software environment on the TCPA platform.
  – Allows for a remote party to verify what the software environment on a TCPA platform is.
  – The TCPA chip can then be used to encrypt data to disk so that this data can only ever be decrypted on that same platform, and ONLY if the platform has a given set of software environment integrity metrics.
Long term TCPA benefits – e-commerce
Customers and their partners/suppliers/customers can connect their IT systems and expose only the data that is intended to be exposed.
  – TCPA is designed so that platform identities and Integrity Metrics can be proven reliably to previously unknown parties.
  – Secure online discovery of platforms and services: confidence in the information about the software environment and identity of a remote party, enabling higher levels of trust when interacting with this party.
and now

Palladium
