2. TOPICS TO COVER
• TPM Genesis.
• Life Made Easy: Starring TPM
• TPM 2.0 – The Evolution
• Family of TPM 2.0
• TPM – The inside story: Architecture.
• Attacks history.
• Case Study
• How to enable TPM
4. LIFE MADE EASY: STARRING TPM
• DoD – asked for all devices to be TPM based.
• Platform integrity – "integrity" means "behaves as intended" – e.g. PrivateCore vCage memory encryption.
• Disk encryption – encrypts the computer's storage devices – e.g. BitLocker.
• Password protection – defeats dictionary attacks at the hardware and OS level – BIOS lock mechanism.
• Digital rights management
• Protection and enforcement of software licenses
• Prevention of cheating in online games
5. TPM 2.0 – THE EVOLUTION
TPM 1.2
• SHA-1 and RSA mandatory; AES optional.
• One hierarchy (storage).
• General crypto primitives are required.
• Authorization: HMAC, PCR, locality, physical presence.
TPM 2.0
• SHA-1, SHA-256, ECC, RSA, HMAC, AES-128.
• Three hierarchies (Platform, Storage, Endorsement).
• All general crypto primitives, with ECC-based DAA. The library also needs key generation and a key derivation function.
• Authorization: password, HMAC and policy.
6. FAMILY OF TPM 2.0
• Starting with TPM 2.0, several implementation types exist:
• Discrete TPMs – dedicated chip in a tamper-resistant semiconductor package; the most secure option.
• Integrated TPMs – part of another chip; avoids software bugs. Intel.
• Firmware TPMs – software only, running in the CPU's trusted execution environment; quite vulnerable. Qualcomm, AMD.
• Software TPMs – software emulators that depend on OS execution; they provide security similar to a normal execution environment, so the same attack vectors as against the OS apply.
• Virtual TPMs – provided by the hypervisor; because hypervisors provide an isolated execution environment, for VMs they are as good as discrete TPMs.
7. TPM – THE INSIDE STORY: ARCHITECTURE.
[Architecture diagram: TPM control and initialization; external interaction; keys and owner authorization data; integrity measures and signing keys when in use; symmetric keys, nonces and encryption keys; hashes and encrypt/decrypt]
9. WEAKNESS AND ATTACKS HISTORY
Weakness
• Linear trust system.
• SMA
• OS level weakness (Software TPMs, Firmware TPMs)
• Linear PCR trust
• Blind trust in the signing authority – burn-out attack
• Dictionary based attacks.
• Blob replay
Attacks history
"In 2010, Christopher Tarnovsky presented an attack against TPMs at Black Hat, where he claimed to be able to extract TPM secrets. He was able to do this after 6 months of work by inserting a probe and spying on an internal bus for the Infineon SLE 66 CL PC."
"In 2015, as part of the Snowden revelations, it was revealed that in 2010 a US CIA team claimed at an internal conference to have carried out a differential power analysis attack against TPMs that was able to extract secrets."
10. CASE STUDY: TPM RESET ATTACK
Background of the attack:
-> TPM is a crypto-based device.
-> Enables trusted computing -> includes secure boot, secure storage, identity management, etc.
-> PCRs are extensively used.
The attack:
Tools used:
1) Logic Analyzer
2) OpenXT
PCRs under threat:
• PCR0 – CRTM, BIOS code, and Host Platform Extensions
• PCR1 – Host Platform Configuration
• PCR2 – Option ROM Code
• PCR3 – Option ROM Configuration and Data
• PCR17 – DRTM and launch control policy
• PCR18 – Trusted OS start-up code (MLE)
• PCR19 – Trusted OS (for example OS configuration)
11. GENESIS AND EVOLVEMENT OF TPM: BEHIND THE SCENES.
• TCG
• Intel
• IBM
• Apple
• HPE
• DELL
• Nuvoton
• Google
• Oracle
• Infineon
• Microsoft
Talk about why TPM was needed in layman's terms.
People trying to fake identity.
1990s: change in the internet, change in personal computers, development and need of servers.
Talk about DoD – US Department of Defense.
Trusted Execution Technology (TXT), which creates a chain of trust. It could remotely attest that a computer is using the specified hardware and software.
Encrypt the computer's storage devices and provide integrity authentication for a trusted boot pathway that includes firmware and boot sector.
The "physical presence" feature of TPM addresses some of these concerns by requiring BIOS-level confirmation for operations such as activating, deactivating, clearing or changing ownership of the TPM by someone who is physically present at the console of the machine.
Clients, servers, mobile, hypervisors etc.
Direct anonymous attestation (DAA), and a method of delegating key authorization and administrative (owner-authorized) functions.
mandatory, optional, or banned and detail other requirements for that
SHA-1, SHA-256 – hash; HMAC – symmetric signature generation and verification.
HMAC – Hash-based message authentication code – is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key.
PCR – Platform Configuration Register. The TPM can cryptographically sign these PCRs and send them to a remote party. This party can then verify that the platform equipped with that TPM has been booted up and measured in that specific manner. The TPM may refuse a platform in a different state than it was when a key was created access to that key.
At initialization, all PCRs are filled with 20 NULL bytes (0x00). Normally only the BIOS sees them in this state. The BIOS then takes some measurement and Extend()s it into a specified PCR.
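As an added example (not from the slides), the Extend() rule just described and the replay a remote verifier performs over the measurement log before trusting quoted PCR values, covering the PCR0–PCR2 assignments listed in the case study; the event log and the "quote" are constructed for illustration.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest: 20 bytes, all 0x00 at init


def pcr_initial() -> bytes:
    """A PCR as the BIOS sees it right after TPM initialization."""
    return bytes(PCR_SIZE)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """Extend(): PCR_new = SHA-1(PCR_old || digest). A PCR is never written
    directly, only extended, so its value depends on every event and order."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must be 20-byte SHA-1 values")
    return hashlib.sha1(pcr + digest).digest()


def replay_event_log(events):
    """Recompute every PCR from an ordered (pcr_index, measured_bytes) log,
    exactly as a remote verifier does when checking a quote."""
    pcrs = {}
    for index, data in events:
        digest = hashlib.sha1(data).digest()
        pcrs[index] = pcr_extend(pcrs.get(index, pcr_initial()), digest)
    return pcrs


def verify_quote(quoted: dict, events) -> bool:
    """True only if the quoted values equal the replayed log for every PCR
    index present on either side (a missing or extra PCR also fails)."""
    expected = replay_event_log(events)
    return all(quoted.get(i) == expected.get(i)
               for i in set(quoted) | set(expected))


# Constructed measurement log (illustrative, not from a real platform),
# following the PCR assignments on the case-study slide.
GOOD_LOG = [
    (0, b"CRTM"),
    (0, b"BIOS code"),
    (1, b"host platform configuration"),
    (2, b"option ROM code"),
]

# Constructed quote: what an honest TPM reports after booting GOOD_LOG.
GOOD_QUOTE = replay_event_log(GOOD_LOG)

# A modified BIOS image changes PCR0; the verifier's replay catches it.
TAMPERED_LOG = [(0, b"CRTM"), (0, b"BIOS code (modified)")] + GOOD_LOG[2:]

if __name__ == "__main__":
    print("good log verifies:", verify_quote(GOOD_QUOTE, GOOD_LOG))
    print("tampered log verifies:", verify_quote(GOOD_QUOTE, TAMPERED_LOG))
```

Replay only proves that the quoted values match the presented log; the case study's point is that if the PCRs can be returned to their all-zero initial state after the real boot, the verifier additionally needs assurance that no such reset happened.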