Trusted Computing - Zoo | Yale University


Trusted Computing
Chandana Praneeth Wanigasekera
Introduction
• jetBlue
• The need for systems that can be trusted
• Embedding Privacy Policy into the applications
that use Sensitive Information
• Credit card machines
PII
• You can still retain control
• Expiration
• Remote destruction with little effort by the
corporation who has the data
• Force privacy policies
Descartes (1641)
• Meditations on First Philosophy
• Can we trust our senses?
• What if everything we experience is a delusion
created by an evil demon bent on deceiving us?
The Matrix?
Interest
• This is a question that has been weighing on
several computer companies
• How do you know that your computer is actually
what it seems?
• Hackers and imitative programs
• Sensitive information, keystrokes and complete
control
Trust in other software
• How can one program running on your computer
trust another one?
• What if the operating system has been subverted
• Anti Virus
• How would you warn the user?
Trust in you
• Movie studios, recording companies, Health care
providers [ legitimate right ]
• Some information is given based on trust in you
• Do you have control?
• Real issues
– Viruses
– Trojans
– Spyware
– P2P networks
Implications
• Implications for a P3P client
• Alterations of policy
• Lack of enforcement
• Advantages of a trusted client and a trusted
website component
• Many implications on privacy of sensitive
information
Trusted Computing Initiatives
• Trusted Computing Platform Alliance
• Trusted Computing Group
• Microsoft, Intel, IBM, HP, AMD
• Hardware + Software
• Attempt to build a trusted platform
Foundation of Trust
• Descartes
• “A secure reliable bootstrap architecture” (1997)
• Bill Arbaugh, Dave Farber, Jonathan Smith
• Booting a machine into a known state
• Early PCs – ROM BIOS and no HDD
• Digital Rights Management OS Patent by Microsoft
• Paul England (Secure PC team leader)
Foundation of Trust
• Ultimate aim is to end up in a known state
• Need for a core root of trust module
Known State
Post boot
Pre boot
Core Root of Trust
Trusted Computing Platform
Alliance
• Mission
“Through the collaboration of HW, SW, communications,
and technology vendors, drive and implement TCPA
specifications for an enhanced HW and OS based trusted
computing platform that implements trust into client,
server, networking, and communication platforms.”
• Replaced by Trusted Computing Group, but the TCPA
specification was adopted by TCG as their specification.
• Patent licensing policy of TCG, all new work
• Compaq, HP, IBM, Intel, Microsoft
Trusted Platform Module (TPM) v1.1
• The TPM is a collection of hardware, firmware
and/or software that support the following
protocols and algorithms:
Algorithms: RSA, SHA-1, HMAC
Random number generation
Key generation
Self Tests
• The TPM provides storage for an unlimited number
of private keys or other data using RSA
PC Specific block diagram of TCG
Secure storage in TPM
• Seal and Unseal which are simply front-ends to RSA
encrypt and decrypt
• But sealing encrypts the platform configuration register
(PCR) values with the data. Unique identifier tpmProof.
• Conditions for unsealing data
– Appropriate key is available
– TPM PCRs must contain the same values as during sealing
(implicit key in PCRs)
– tpmProof must be the same as during encryption
• Allows software to state the future configuration the
platform must be in for unsealing.
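Added example (not from the original slides): a small Python model of the three unseal conditions listed above. An HMAC-SHA256 keystream stands in for the TPM's RSA storage key, and the class name, boot-stage strings and blob layout are assumptions made for illustration.

```python
import hashlib, hmac, os

def extend(pcr, code):
    """PCR extend: new = SHA-1(old || SHA-1(measured code))."""
    return hashlib.sha1(pcr + hashlib.sha1(code).digest()).digest()

def boot(stages):
    """Measure each boot stage, in order, into one PCR that starts at zero."""
    pcr = bytes(20)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

class ToyTPM:
    """Model only: an HMAC-SHA256 keystream stands in for the RSA storage key."""
    def __init__(self):
        self.tpm_proof = os.urandom(20)    # per-TPM secret (tpmProof)
        self.storage_key = os.urandom(32)  # never leaves the "chip"
        self.pcr = bytes(20)

    def _xor(self, nonce, data):
        stream = b""
        while len(stream) < len(data):
            block = nonce + len(stream).to_bytes(4, "big")
            stream += hmac.new(self.storage_key, block, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, data, release_pcr=None):
        """Bind data to tpmProof and to the PCR value required at unseal time."""
        release = self.pcr if release_pcr is None else release_pcr
        nonce = os.urandom(16)
        return nonce + self._xor(nonce, self.tpm_proof + release + data)

    def unseal(self, blob):
        plain = self._xor(blob[:16], blob[16:])
        proof, release, data = plain[:20], plain[20:40], plain[40:]
        if not hmac.compare_digest(proof, self.tpm_proof):
            raise PermissionError("tpmProof mismatch: wrong TPM or wrong key")
        if not hmac.compare_digest(release, self.pcr):
            raise PermissionError("PCR mismatch: platform configuration changed")
        return data

def try_unseal(tpm, blob):
    """Return the unsealed data, or the refusal reason as a string."""
    try:
        return tpm.unseal(blob)
    except PermissionError as err:
        return str(err)

# Constructed sample boot chains.
GOOD = [b"bios-1.0", b"loader-1.0", b"os-1.0"]
PATCHED = [b"bios-1.0", b"loader-1.0-patched", b"os-1.0"]
```

Set tpm.pcr = boot(GOOD), seal a record, then call try_unseal after booting PATCHED or on a second ToyTPM to see each refusal. Passing release_pcr to seal models sealing for a future configuration.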
Additional operation: Unbind
• Unbind decrypts a “blob” created outside the TPM
where the private key is stored inside the TPM.
• A blob is data + header information encrypted.
• Seal jetBlue customer data
– Can only be decrypted on the same platform
– Removes the possibility of data being accessed by
different machines
Types of keys
• Storage Root Key – one for each TPM created at the
request of the owner, migratable, unmigratable data
• Signing keys – leaves of the storage root key hierarchy
• Storage keys – used for the protected storage hierarchy
only and Binding keys
• Identity keys – used for TPM identity
• Endorsement key pair – asymmetric key pair generated
by or inserted in the TPM as proof that it is genuine.
– One to one relationship between TPM and endorsement key
– One to one relationship between TPM and platform
– Endorsement key and platform
Encryption Algorithms
• RSA algorithm (must)
• RSA key sizes of 512, 1024, and 2048 bits.
• The RSA public exponent must be e, where e = 2^16 + 1
• TPM storage keys must be equivalent to a 2048 bit RSA
key
• Secure Hash Algorithm (SHA-1) hash algorithm (160 bits)
– used in the early stages of the boot process (more
complicated later?)
• RSA for signature and verification
• RNG capabilities -> only accessible to TPM commands
• Key generation capabilities -> protected by a private key
held in a shielded location
Self tests
• Checks RNG
• Checks Integrity Registers
• Checks integrity of endorsement key pair by
making it sign and verify a known value
• Self checks the TPM microcode
• Checks Tamper-resistance markers
• On failure the part that failed enters shut down
mode
Self test procedure
Target of evaluation (TOE)
• The new version of TCG will have TPM as a
monitoring module and doesn’t actually control the
boot process
• Hardware, software and firmware that comprise
the TPM
• Identifies threats to the TOE: T.Attack, T.Bypass,
T.Imperson, T.Malfunction etc….
• Each threat is explained and the objective is
explained in the specification, eg. O.Attack
• An example
T.Export
• Threat description: A user or an attacker may export data
without security attributes or with unsecure security
attributes, causing the data exported to be erroneous and
unusable, to allow erroneous data to be added or
substituted for the original data, and/or to reveal secrets.
• Objective (O.Export): When data are exported outside the
TPM, the TOE shall ensure that the data security
attributes being exported are unambiguously associated
with the data.
• Interesting use of “user or an attacker” here
T.Replay
• Threat description: An unauthorized individual may gain
access to the system and sensitive data through a
“replay” or “man-in-the-middle” attack that allows the
individual to capture identification and authentication data.
• T.Replay is countered by O.Single_Auth, which states:
The TOE shall provide a single use authentication
mechanism and require re-authentication to prevent
“replay” and “man-in-the-middle” attacks.
TPM Block diagram
Software
• Palladium - After the mythological statue that
defended ancient Athens against invaders
• Microsoft has discontinued use of the code name
"Palladium." The new components being
developed for the Microsoft® Windows® Operating
System are now referred to as the Next-Generation
Secure Computing Base for Windows (NGSCB).
Next-Generation Secure Computing
Base for Windows
NGSCB
• Seal and Unseal
explained
• Nexus Computing
Agents(NCA)
Microsoft on applications
• Bryan Willman: Suppose you run a pharmacy company. When you test a new
drug, of course it's bad if someone has a bad reaction to the drug, but it's much
worse if someone tampers with that data so that your results are skewed. That
means it's critical that all test data is entered accurately and no one tampers with
it. NGSCB ensures that those files can't be breached or modified in any way.
• Here's another example. If you and your doctor and your pharmacist are
communicating about a medical condition you have, you want to be sure that the
information you exchange is confidential and true. Today you probably wouldn't
want to do that online from your home computer because with all that software
that you and your kids have loaded onto it, somewhere along the way it may
have picked up a virus or two, so there's no way to know for sure how safe your
information is. With NGSCB you use the right-hand side, and no matter what is
happening on the left-hand side, you can be sure that the data passed between
you and your doctor and your pharmacist hasn't been tampered with.
• Microsoft has a separate research area called Trustworthy Computing which is
more towards what we define as “trust”
Features described by Microsoft
• Memory Curtaining
• Secure Input and Output
• Sealed Storage
• Remote Attestation <- the scariest
Memory Curtaining
• Strong hardware enforced memory isolation
• Programs are not able to read or write each others
memory
• Not even the OS
• Intruders have no access
• Implementation in hardware permits the greatest
backward compatibility with existing software,
which is a goal
Secure I/O
• Key loggers, screen grabbers
• Music and movie industry would like this a lot
• It will allow programs to determine if the input
came from a user or from a different program
• Would take out the case of a virus taking over the
output from Anti Virus software
• Good for privacy of data
Secure Storage
• Similar to what we saw in the TCG specification
• Addresses the failure of PCs to store keys securely
• No more .pwl’s
• How can they be stored so that they are only accessible to
legitimate users?
• Generates the key based on the software requesting the
key and the platform that it’s running on at the time
• No need to store the key, as the key can simply be
recreated when it is needed
• Imposes that sealed data can only be decrypted on one
particular user platform + software combination
• Is this a good thing?
Do you have control?
• Moving files from your computer
• What if you don’t like Excel anymore
• Exporting Data to a different application is very
hard
• Adversary is the owner
• License fees
• Upgrades/Downgrades
• Do you have a choice?
Remote Attestation
• Most revolutionary of the features
• Aims to allow detection of unauthorized changes to
Software
• Others need to be able to tell if your system is
“compromised”
• Protect a computer against its owner
• A cryptographic certificate of the software running
• Remote party can say if the version of software has been
altered
• Windows XP, Warcraft
• No more cheating in Network Games
Advantages
• Each feature can be used to prevent or mitigate real
attacks on computers
• Coding flaws in one application will not result in private
data being accessed by a different application
• P2P client + MS Word
• Does not stop you from running harmful programs, just
contains the area it runs in
• NGSCB itself will not inherently prevent a user from using
a particular operating system or hardware
• Spyware will become extinct (No more Gator!)
Problems
• Risks of anti-competitive or anti-consumer behavior
• Deliberate manufacturer mistakes in implementation –
handled by open source?
• Threat model supports that the owner is a threat
• Attestation cannot differentiate between changes to
software with owner’s consent and changes in software
by unauthorized intruders
• No legal backing to this, users have a legitimate right to
reverse-engineer for improvement of a program
• Third parties can compel you to choices which you
wouldn’t have made otherwise
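Added example (not from the original slides): a Python sketch of the attestation exchange described on the Remote Attestation slide, showing why the verifier in the Problems slide returns the same verdict for an owner-approved change and an unauthorized one. The toy RSA identity key built from two Mersenne primes, the nonce handling and the software-stack strings are assumptions for illustration and are not secure parameters.

```python
import hashlib, os

# Toy RSA identity key from two known Mersenne primes: insecure, illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 2**16 + 1            # public exponent 2^16 + 1, as on the algorithms slide
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def measure(stages):
    """Fold the running software into one PCR: new = SHA-1(old || SHA-1(code))."""
    pcr = bytes(20)
    for code in stages:
        pcr = hashlib.sha1(pcr + hashlib.sha1(code).digest()).digest()
    return pcr

def digest(nonce, pcr):
    return int.from_bytes(hashlib.sha1(nonce + pcr).digest(), "big") % N

def quote(stages, nonce):
    """Platform side: report the PCR and sign (nonce, PCR) with the identity key."""
    pcr = measure(stages)
    return pcr, pow(digest(nonce, pcr), D, N)

class Verifier:
    """Remote party holding the public key (N, E) and a list of approved builds."""
    def __init__(self, approved):
        self.approved = {measure(s) for s in approved}
        self.pending = set()

    def challenge(self):
        nonce = os.urandom(20)
        self.pending.add(nonce)
        return nonce

    def check(self, nonce, pcr, sig):
        if nonce not in self.pending:
            return "rejected: stale or unknown nonce"
        self.pending.discard(nonce)
        if pow(sig, E, N) != digest(nonce, pcr):
            return "rejected: bad signature"
        return "trusted" if pcr in self.approved else "untrusted: unapproved software"

def attest(verifier, stages):
    nonce = verifier.challenge()
    return verifier.check(nonce, *quote(stages, nonce))

# Constructed sample software stacks.
STOCK = [b"os-1.0", b"browser-1.0"]
OWNER_PATCHED = [b"os-1.0", b"browser-1.0+owner-fix"]
INTRUDER_MODIFIED = [b"os-1.0", b"browser-1.0+unauthorized-change"]

if __name__ == "__main__":
    v = Verifier([STOCK])
    for name, stack in [("stock", STOCK), ("owner", OWNER_PATCHED), ("intruder", INTRUDER_MODIFIED)]:
        print(name, "->", attest(v, stack))
```

The verifier only learns whether the measurement is on its approved list; nothing in the quote says who made the change.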
More problems
• Websites that demand attestation
• The user can’t give an attestation that he’s using IE if he’s
using Mozilla instead
• MSN not serving webpages to non Microsoft browsers
• Can be used to subject you to advertising (“approved
client”)
• Web servers/File servers that demand fees from client
developers
• Greatly increases costs of switching to rival software
• Samba -> interoperable file system created through
reverse engineering (Microsoft could permanently lock out
Samba from Windows File servers)
Interoperability
• Current issues with third party MSN Messenger
Clients
• General “lock-in” problem
• Sealed storage + Attestation
Digital Rights Management
• Microsoft and the TCG have made several attempts to
say that Trusted Computing is not designed to enforce
DRM
• Easy for DRM enforcers to enforce policies on users
• Trusted Computing maintains the rights of the owner of
the document at all costs
• Destroying documents (court order?)
• Privacy issues, back to the days when books could be
burned
• Attestation causes problems
Links between DRM and NGSCB
• Curtaining prevents information in decrypted form from
being copied
• Secure output (no screen grabbing)
• Sealed storage allows files to be stored so that only the
DRM client that stored them can access them
• Remote attestation makes sure only the above DRM
client is run
• Easy to implement DRM over NGSCB
• Microsoft filed a patent for a DRM OS -> possible link
here (same individuals involved)
Computer User as Adversary
• Seth Schoen of the Electronic Frontier Foundation
• A possible solution: Owner override
• The owner can attest anything
• Takes away some of the advantages but we still have a
free world!
• Will opt-in be real?
• Trusted computing aims to enable others to trust your
computer
• Is this relevant?
• Movies released with remote attestation
Troubling implications
• Just a way for Microsoft to make sure pirated
software won’t run?
• Switch off all the computers in China?
• Remote control
• Deleting pirated music
• Digital objects created under TC remain under
ownership of the author, even if legal control has
been handed to the user
• Media Control
Related Legislation
• Fritz Hollings
(a) SHORT TITLE. -- This Act may be cited as the "Consumer Broadband and Digital
Television Promotion Act".
SEC. 2. FINDINGS.
The Congress finds:
(1) The lack of high quality digital content continues to hinder consumer adoption of
broadband Internet service and digital television products.
(2) Owners of digital programming and content are increasingly reluctant to transmit
their products unless digital media devices incorporate technologies that
recognize and respond to content security measures designed to prevent theft.
(3) Because digital content can be copied quickly, easily, and without degradation,
digital programming and content owners face an exponentially increasing piracy
threat in a digital age.
….
Hollings Bill
(18) Piracy poses a substantial economic threat to America's content industries.
(19) A solution to this problem is technologically feasible but will require government
action, including a mandate to ensure its swift and ubiquitous adoption.
(20) Providing a secure, protected environment for digital content should be
accompanied by a preservation of legitimate consumer expectations regarding
use of digital content in the home.
(21) Secure technological protections should enable owners to disseminate digital
content over the Internet without frustrating consumers' legitimate expectations to
use that content in a legal manner.
(22) Technologies used to protect digital content should facilitate legitimate home use
of digital content.
(23) Technologies used to protect digital content should facilitate individuals' ability to
engage in legitimate use of digital content for educational or research purposes.
Basic idea -> Digital Rights Management enforced! TCPA Mandated?
Thankfully this Bill was not passed
Related Legislation
• Feinstein wanted DRM
• “This is Napster times 10”
• Shrek
• Paul Boutin – A little knowledge is a dangerous
thing (in regard to the Hollings bill)
• The decision to play or not to play must be made
by the content, not the player, DRM experts warn.
It's tricky, but they'll get to it -- if the industry isn't
forced to accept a compromise standard first.
Why TCG?
• Controversial
• All the manufacturers involved in the process would
profit greatly if the computer is accepted as a
general entertainment platform for the home
• Microsoft has been trying
• The patents on DRM OS are remarkably similar to
the current work on TCG
• Implications on the GNU Public License (GPL)
Importance of Open Source
• User Invention
• Right to reverse engineering
• Controversial DMCA
• Are after purchase restrictions legal?
– Cell phones that drain generic batteries
– Printers that refuse to accept cartridges that have been refilled
– Trusted Computing could add a few for computers here…
• Sony would want our computers to behave like closed
DVD players… do we want that?
Will it work for us?
• jetBlue, enforcing P3P
• Yes.
• Customers can even revoke information they
submitted and that would be destroyed from the
jetBlue database
• The trusted computing base will make it impossible
to just copy data from one place to another
• Is this a good corporate solution?
Limiting the Scope
• If we can limit the scope of the initiative to
personally identifiable information instead of
programs in general….
• We have a good solution for the problem of
sensitive information in a wired world
• People can submit data with policies so that it
will be destroyed on a later date
• Should not be applied generally
• Enron…
The Law and Economics of Reverse
Engineering
• Yale Law Journal (Pamela
Samuelson and Suzanne
Scotchmer)
Interoperability Debate
• Reasons a firm would not want to make their software interoperable:
• Example from IBM
• Reverse engineering challenges interoperability
• Microsoft’s APIs are trade secrets
Open Source Software Projects as
User Innovation Networks
• Study by Eric von Hippel – MIT Sloan School of
Management (2002)
• Clearly shows the advantages of user innovation
• User innovation is thwarted by the current model
towards Trusted Computing
von Hippel’s Results
von Hippel’s Results continued
Conclusion
• As developed currently, “Trusted Computing” seriously
challenges user privacy and freedom.
• Programs that call home and report how they are being
used would be a significant threat to privacy.
• Reverse engineering and open source software can not
coexist with the current model for Trusted Computing.
• The current model thwarts invention and is more suitable
as a basis for DRM (if we need that?)
• The concept of trust is based on others trusting your
computing, not you trusting your computer.
• This is a flawed concept.
Lessons
• Some of the concepts in the TCG platform can be
very useful in implementing effective privacy and
security.
• Certain features such as attestation should be
removed from the specification or a user override
feature should be provided for attestation
• Not everything that is open source is good for you!
The Battle has begun!