Trusted Platforms for Homeland Security
By Kevin Schutz, Product Manager—Secure Products

Summary

Ongoing threats from hackers, viruses, and worms continue to make security a top priority for IT and business professionals in both the private and government sectors. Critical homeland infrastructures depend on IT for operations command and control. The emerging Trusted Platform Module (TPM), as driven by the industry consortium Trusted Computing Group (TCG), is a standard that allows affordable authentication, encryption, and network access to be accomplished on a variety of computing platforms, most notably today's PCs. In this paper we examine the hardware and software applications available for immediate implementation and discuss how the TPM chip can be adapted to address many homeland security issues and applications.

Atmel Corporation • 2325 Orchard Parkway • San Jose, CA 95131 • TEL (408) 441-0311 • FAX (408) 487-2600 • Web Site: http://www.atmel.com

The Trusted Computing Group

The TCG is an industry standards body formed in 1999 by several PC industry leaders. Originally called the Trusted Computing Platform Alliance (TCPA), the group's primary goal is to promote the concept of trusted computing by establishing an open industry standard, enabling devices and transactions to be trusted, private, protected, safe, and reliable across a wide array of platforms. The TCG establishes specifications for trusted computing across a variety of computing platforms.

The foundation for trusted computing relies on the concept of providing a hardware-based "root of trust." Once this root of trust is established, the boundary of trust can be extended to include software at various levels within the computing environment. Hardware-based roots of trust can be quantifiably measured against specific protection profiles, enabling one to begin to accurately measure risk. Once risk can be measured, methods of risk mitigation can be developed, including crafting appropriate policies, underwriting risk, and possibly improving or hardening the computing environment more thoroughly.

Trusted Platform Modules

Within the concept of trusted computing, a silicon chip defined as a Trusted Platform Module (TPM) provides the hardware-based root of trust. The TPM can be thought of as a secure key generator and key cache management device, supporting industry-standard cryptographic APIs such as MS CAPI and PKCS#11. The TPM contains sufficient cryptographic functionality to generate, store, and manage cryptographic keys in hardware while leveraging the resources of the rest of the system platform. This allows for cost-effective "hardening" of many of today's commonly deployed applications that previously relied solely upon software encryption algorithms with keys hidden on a hard disk drive (HDD).

A TPM includes a true random number generator (RNG) used in the creation of RSA key pairs internal to the TPM. The source of the "root of trust" lies in the generation of the first key pair a TPM creates: the Storage Root Key (SRK). The SRK is never exported from the TPM. Each SRK is unique, making each TPM unique. Each subsequent RSA key pair that the TPM is requested to generate is bound to the original SRK. The private keys are either securely stored in the TPM or encrypted and then exported from the TPM and stored on a mass storage device such as an HDD. Whenever a key that is not stored on the TPM is required for a particular operation, the encrypted key blob is imported onto the TPM, where it is securely decrypted internally on the TPM. In properly architected systems, unencrypted private keys are never stored outside the TPM for any significant amount of time.

The Trusted Computing Group standard version 1.1b specifies that TPM ICs perform five major functions:

1. public key functions for on-chip key pair generation using a hardware RNG;
2. public key signature, encryption, and decryption to enable secure storage of data and digital secrets;
3. storage of hashes (unique numbers calculated from pre-runtime configuration information) that enable verifiable attestation of the machine configuration when booted;
4. an endorsement key that can be used to anonymously establish that an identity key was generated in a TPM; and
5. initialization and management functions that allow the owner to turn TPM functionality on and off, reset the chip, and take ownership of its functions.

Atmel's TPMs meet the TCG standard and also provide additional features for extended security. They integrate a high-performance processor, a cryptographic engine, a random number generator, a secure internal memory, a real-time clock, and tamper prevention circuitry on a single integrated circuit. The TPM processor controls the functions and sequencing of the entire TPM, including its internal functional blocks and its interface to the rest of the system resources, such as the primary system processor and the mass storage available on the system. It moves data between the system processor and the internal TPM memory and sequences the cryptographic engine. The TPM's RNG generates the seed numbers for the cryptographic processor's encryption, decryption, and key generation functions. By off-loading the RSA calculation from the general-purpose system processor, Atmel TPMs improve both system and encryption performance.

The TPM's non-volatile memory securely stores encryption keys, including the SRK, endorsement key (EK), and other sensitive data. The TPM processor and the tamper circuits control access to the protected memory. Atmel TPMs also include an unalterable real-time clock (not required by TCG standard 1.1b) that provides tamper-proof, unique date stamping for the authentication and attestation processes. Any alteration of the system clock (e.g., changing the date) signals a possible attempt to extract information out of the TPM.

In addition, proprietary, tamper-proof circuits in Atmel TPMs monitor the voltage, clock frequency, and other aspects of the TPM's operating environment for signs of tampering. If the environment moves out of a prescribed range, the tamper prevention circuits will take action to prevent access to sensitive information stored within the TPM. For example, if the TPM's supply voltage drops below a prescribed level, internal memory reads would not be allowed. Lowering the voltage can be a means of accessing sensitive information. The tamper circuits are designed to thwart these attacks.

TPMs contain secure non-volatile storage space that is intended to contain measurements of system hardware and software status. Measurement consists primarily of submitting all system software and hardware to a hash algorithm in a predetermined sequence. If this measurement is performed when the system is in a known trusted state, then the resulting hash can be stored in the TPM and compared to the result of a subsequent measurement. Any changes will be detected by the comparison, and appropriate actions can be taken to prevent execution of modified software or hardware. This measurement capability can be used to provide detection of any remote system modifications resulting from malicious viruses or worms.

At this point, it is important to note that TPMs do not control any events. They only serve to observe and track system activity. TPMs communicate with system CPUs on a non-system bus, and only act under the control of the system CPU and the policies codified in the operating system and other application software. If the TPM does detect any suspicious activity, it can only report said activity when requested. Whether to query TPMs for such activity is a policy decision. Furthermore, it is a policy decision to decide to act in a specific manner if the TPM does report back a suspicious result.

Finally, as originally defined, TPMs were not intended to serve as stream encryption engines. This is not a matter of technological capability, but rather one of cost. TPMs typically will be deployed in systems containing CPUs that are high-performance relative to TPMs, so the TPM will hand off the stream encryption tasks to the CPU. Since stream encryption capabilities are already present in the CPU, it should be most effective at performing this task. TPMs do not control the encryption process; they only provide capabilities to monitor system processes. The CPU controls any actions the TPM takes; the CPU makes a request to the TPM, and the TPM will take an action.

Utilization of RSA

It is generally acknowledged in cryptographic circles that algorithms must be open for public scrutiny before they can be widely accepted and can claim to have withstood critical evaluation by skilled cryptographers. RSA has a proven track record worldwide and is widely deployed in a variety of applications. By employing RSA encryption, TPMs can be used by many of today's popular applications without modification, providing immediate value to the market.

Creating Safe Storage

Traditional open systems such as PCs do not have a safe place to store confidential information. Now that affordable TPMs are available, a TPM can provide a small safe or depository on the motherboard in which to store such information. Even other computing platforms that employ architectures that are not as open as a PC, such as servers, can benefit from using TPMs, which provide certifiable secure hardware.
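The measurement-and-comparison process described in the Trusted Platform Modules section above, as an added example that is not part of the original paper: a Python model of the SHA-1 PCR extend chain of TPM 1.1b, checked against a stored known-good value. The boot stages are constructed sample data, the all-zero reset value of a PCR is an assumption of the model, and the signed quote a real remote verifier would check is not modelled.

```python
"""Software model of a TPM 1.1b measured boot (added example, not Atmel's or
TCG's code). A 1.1b PCR is a 20-byte SHA-1 register that changes only by
extension, PCR = SHA-1(PCR || SHA-1(component)), so the final value depends on
every component measured AND on the predetermined order of measurement."""
import hashlib
from typing import List, Optional, Tuple

PCR_INIT = b"\x00" * 20  # modelling assumption: PCR is all-zero after reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """One extend operation: fold the component's digest into the register."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Measure each stage in sequence. Returns the final PCR value (what the TPM
    holds) and the event log of per-stage digests (what the software stack
    records and can hand to a verifier alongside the PCR)."""
    pcr, log = PCR_INIT, []
    for component in components:
        log.append(hashlib.sha1(component).digest())
        pcr = extend(pcr, component)
    return pcr, log


def replay_log(log: List[bytes]) -> bytes:
    """Recompute the PCR value a given event log should have produced; a log that
    does not replay to the TPM-held PCR has been edited after the fact."""
    pcr = PCR_INIT
    for digest in log:
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr


def first_divergence(golden_log: List[bytes], log: List[bytes]) -> Optional[int]:
    """Index of the first stage whose digest differs from the known-good log, or
    None if every stage matches. Extra or missing stages also count as divergence."""
    for i, (good, seen) in enumerate(zip(golden_log, log)):
        if good != seen:
            return i
    return None if len(golden_log) == len(log) else min(len(golden_log), len(log))


# Constructed boot chain of a known-good system, measured once to fix the golden value.
GOOD_CHAIN = [b"BIOS 1.02 (constructed)", b"bootloader 2.3 (constructed)",
              b"kernel 2.6 (constructed)", b"policy config A (constructed)"]
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOOD_CHAIN)


def check_system(components: List[bytes]) -> Tuple[bool, Optional[int]]:
    """Measure a system and compare with the golden value. Returns (trusted, index
    of the first modified stage); a reordered chain is reported as untrusted too."""
    pcr, log = measure_boot(components)
    if pcr == GOLDEN_PCR:
        return True, None
    return False, first_divergence(GOLDEN_LOG, log)
```

Note that only the 20-byte PCR lives in the TPM; the event log is ordinary software data, which is why a verifier replays it and checks that it reproduces the PCR before trusting any individual entry.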
In many of today's non-TPM systems that employ only software encryption of data and files, the keys are usually stored somewhere on the hard drive. If someone stumbles across encrypted files, all they see is a blob of data. However, given enough time, a diligent hacker - even one who is working at a remote location - will locate the keys hidden on the hard drive. If the keys can be found, the data may as well not be encrypted! With TPMs as part of the system, the keys need not be hidden on the disk drive but can still be protected. The keys can also be stored off the hard drive on a removable token such as a smart card or USB dongle. But removable tokens are much easier to misplace or lose, and they tend to cost much more than TPMs. TPMs provide an affordable improvement in security over existing software-only solutions. With the advent of TPMs, OEMs now have the ability to provide affordable, certifiable hardware security in open system architectures based on industry standards.

Usage Models

TPM usage models can range from simple data and file encryption to authentication of entire computing platforms and environments. Several examples of different models follow.

Secure Access

This model is intended to address the concern of unauthorized local or remote user access to computing resources. The solution is to permit access through automated login and secure auto-logon to applications. TPMs are used to protect and store the encryption keys used to encrypt/decrypt passwords. The benefits include single sign-on; assurance that only the rightful owner has access to the client and related data and capabilities; possible multiple-user authentication methods (compatible with smart cards, biometrics, etc.); and credential/password management via the TPM.

Data Protection

This model is intended to address the concern of compromised integrity of data stored on an HDD. The solution is to permit access to protected data only by lawful owners of the data. TPMs apply by protecting and storing the encryption keys used to encrypt/decrypt data stored on the HDD, and digital certificates to authenticate the user. The benefits include the transparent encryption of files and folders and access to encrypted files by the OS in the same manner as standard files.

Protected Communications

This model is intended to address the concern of compromised communications, such as e-mail. The solution is to encrypt the communication during transmission through insecure networks and provide digital signatures for proof of content integrity and authorship, using a secure e-mail plug-in that integrates seamlessly into popular e-mail applications. TPMs can protect and store the encryption keys used to decrypt the communication session key and digital certificates to authenticate the user. The benefits of this model include proof of authorship, integrity of content, and non-repudiation.

Secure Network Access

This model addresses the concern of restricted access by unauthorized systems to the network. The solution is to manage and control access to resources via the Web or the Internet and to secure the transmission of data over TCP/IP networks. TPMs can protect and store the primary signing key used to authenticate the client. This authentication of the client facilitates the exchange of keys with integrity, enabling protected communications over an integrated network by only allowing network access to known clients. Similarly, for two-way authentication, the network can authenticate the client. This model gives remote employees secure access to corporate LANs and high-speed Internet from any dial-up, cable/DSL, and wireless access point; enables IT staff to verify that the client is known and to secure internal networks and portions of the network; and provides fast hardware solutions for VPN gateways and peerless software-only solutions for clients.

Example

Using a TPM, the client is able to boot up in a controlled, protected manner. The executive may need to authenticate herself or himself to the client in order to gain access to the client's resources. Once the executive has authenticated herself or himself to the TPM, the client can authenticate with the access point. Both the client and the access point have the ability to challenge each other before allowing any further transactions to occur. (See Figures 1 and 2.) Once both the client and the access point have mutually authenticated each other, the next step is to repeat the mutual authentication process between the access point and the disk array (including any intervening nodes). (See Figure 3.) Once each segment of the network has been mutually authenticated, each node pair can then securely perform key exchanges that can be used to protect the communications channels in the form of a VPN from the disk array to the client. In each step of the process, the TPM provides the hardware protection of the keys required to authenticate and harden the communication channel. Intermediate stages of the network may utilize open and shared network segments, allowing transmission over the Internet.

Figure 1. Client Authenticates To Access Point

Figure 2. Access Point Authenticates To Client

Figure 3. Network Access

Conclusion

Trusted platforms enable new usage models for protecting confidential information, securing access, and hardening communication channels based on a measurable hardware root of trust in the form of a TPM. These trusted platforms then become foundations for ensuring trust in what has traditionally been an untrusted and unprotected computing environment. Trusted platforms are commercially available today and can be readily adopted to address homeland security issues.

About TCG

The Trusted Computing Group (TCG) is an open, industry standards organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications enable more secure computing environments without compromising functional integrity, privacy, or individual rights. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from compromise due to external software attack and physical theft. For more information, go to www.trustedcomputinggroup.org.

Kevin Schutz, a product manager for Atmel Corporation, is currently focusing on Application Specific Standard Products (ASSPs) for the embedded security market. He has over 20 years of experience in a variety of engineering and business roles within the semiconductor market. He received his B.S.E.E. degree from Colorado State University and his M.B.A. and M.S.E.E. degrees from the University of Colorado. Kevin is a member of the IEEE and is active in a number of TCG working groups.

Editor's Notes

About Atmel Corporation

Founded in 1984, Atmel Corporation is headquartered in San Jose, California, with manufacturing facilities in North America and Europe. Atmel designs, manufactures, and markets worldwide advanced logic, mixed-signal, nonvolatile memory, and RF semiconductors. Atmel is also a leading provider of system-level integration semiconductor solutions using CMOS, BiCMOS, SiGe, and high-voltage BCDMOS process technologies. Further information can be obtained from Atmel's Web site at www.atmel.com.

Contact: Tel: (+33) (0) 4 42 53 61 50, e-mail: pbishop@atmel.com

© Atmel Corporation 2004. All rights reserved. Atmel and combinations thereof are the registered trademarks of Atmel Corporation. Other terms and product names may be the trademarks of others. 5062A–TPM–02/04