
Trusted Computing Platforms: TPM2.0 in Context PDF

393 Pages·2014·2.738 MB·English

Preview Trusted Computing Platforms: TPM2.0 in Context

Graeme Proudler, Liqun Chen, Chris Dalton
Trusted Computing Platforms: TPM2.0 in Context

Graeme Proudler, Liqun Chen, Chris Dalton
Hewlett-Packard Laboratories
Bristol, United Kingdom

ISBN 978-3-319-08743-6
ISBN 978-3-319-08744-3 (eBook)
DOI 10.1007/978-3-319-08744-3
Springer Cham Heidelberg New York Dordrecht London
Library of Congress Control Number: 2014957751
© Springer International Publishing Switzerland 2014

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)

Preface

Attacks on computer platforms are unrelenting. Governments, businesses, organisations, and consumers are battle fatigued. They cope the best they can and carry on regardless. Successful attacks disclose the secrets and private information stored and processed by computers. At the turn of the century, the computer industry responded by starting to design Trusted Computing platforms with built-in security mechanisms and built-in trust mechanisms. The security mechanisms are reasonably conventional but the trust mechanisms are novel.

Security mechanisms in computers protect data by isolating data and constraining access to that isolated data. In principle, Trusted Computing enables computer users to select a spectrum of isolation and access controls from non-existent up to the level of the strongest mechanisms implemented in a particular platform.

• The security mechanisms provided by real trusted platforms are anticipated to be somewhat inferior to those of conventional secure platforms traditionally used in critical infrastructures, albeit far superior to those provided by ordinary mass-market platforms.

One doesn’t always need to protect data, however, and there is always a balance between convenience of access to data and the level of protection afforded to that data. Sometimes one just doesn’t care; or some information in a platform might not need any protection, but other information might need a lot of protection; or the level of protection might vary with time and other circumstances.

The real question for most computer users is whether one trusts a computer platform enough to perform the current task. In other words, is a given platform doing what the user expects it to be doing, and is that behaviour adequate for the user’s current purposes? Trusted Computing addresses this question via trust mechanisms that help to determine whether a computing service is trustworthy enough for the current task, instead of just hoping that it is.

Thirteen years on (at time of writing), the greatest difficulty in Trusted Computing has been determining a compromise between incompatible consent, privacy, protection, and ease-of-use requirements whilst meeting legal, commercial and manufacturing constraints. The greatest business difficulty has been continually solving the chicken-and-egg business problem of introducing new technology for services that don’t exist because the technology doesn’t exist. The next significant business hurdle may well be avoiding a “race to the bottom”, where trusted platforms are implemented in the cheapest but weakest possible ways, to reduce costs to the bare bones.

Speculative criticism of Trusted Computing has probably delayed its adoption, despite the fact that there is no known technical alternative to Trusted Computing for protecting customers’ data in mass-market platforms, short of constraining customers’ choice of software. The reader may decide for themselves whether this delay has unnecessarily exposed people and organisations to certain types of attack, or has encouraged development of closed computing ecosystems or platforms that constrain the choice of software.

The computer industry has continued to put components of Trusted Computing in place, one by one, even though the components couldn’t (and can’t) be used to their full potential until all the components are in place. Trusted Platform Module (TPM[1]) chips have been installed in literally hundreds of millions of computers. To assuage initial concerns, TPMs were shipped in an “off” state, so that customers had to opt in in order to use Trusted Computing. Initially, however, the only computer users who understood what a TPM might be were enthusiasts who feared the technology because they had read sensationalist speculative descriptions. Ordinary computer users (whom Trusted Computing is intended to protect) neither knew nor understood, nor wanted to understand, what Trusted Computing is or does. Eventually corporate customers came to appreciate that trusted platforms are safer platforms, but complained that the technology had to be turned on before it could be used. Then it transpired that application developers were reluctant for their software to have any reliance on the TPM, lest the TPM be “off” and hence unavailable. The net effect was that some TPMs were used to protect “data at rest” (when a platform was turned off), via Microsoft’s BitLocker™ technology, for example, but the overall level of TPM usage was very low. This has (so far) eliminated the business case for development of a Trusted Computing infrastructure.[2]

[1] It is a coincidence that TPM is also the acronym for Technical Protection Measure, which is a legal term for a technique used to prevent illegal copying of computer programs.

[2] Albeit the USA’s NIST does maintain a National Software Reference Library (NSRL www.nsrl.nist.gov, visited April 2014), which contains “a collection of digital signatures of known, traceable software applications”, including applications that may be malicious.

Despite everything, Trusted Computing has gained credibility amongst those who have studied the technology. Universities[3] have started teaching and researching the technology, and it has emerged that governments encourage use of the technology to help protect government information. The UK government, for example, has published the recommendation “CESG IA Top Tips – Trusted Platform Modules” [CESG01].

[3] Including Birmingham University (UK), Royal Holloway College-University of London (UK), IAIK (Graz, Austria), Oxford University (UK), Bochum (Germany), Darmstadt (Germany), Hochschule Hannover (Germany).

The Trusted Computing Group (the industry organisation that promotes Trusted Computing) has become a rallying point for manufacturers to build information protection into their products, and the initiative has expanded to cover other aspects of computers and computing. Besides the Trusted Platform Module chip, new platform firmware, new platform chip sets, self-encrypting hard disk drives (SEDs), trusted networks (Trusted Network Connect, TNC), and more secure parts of the pre-OS platform have been developed. In fact, SEDs and TNC are arguably becoming important and successful in their own right.

The first proper trusted platform is arguably a Personal Computer running Microsoft’s Windows 8™ operating system, which has a Trusted Platform Module (TPM) in its Trusted Computing Base (TCB). This TCB manages the TPM, uses the TPM’s functions to help protect the platform, and enables applications to use the TPM to protect their data. There are as yet no mobile phones that support Trusted Computing because they are arguably really needed only for compatibility with services built for trusted platforms, but there are currently no such services. There’s currently a dearth of trusted hypervisors.

There is no avoiding the fact that mass-market computing needs improved data protection. It’s indisputable that secrets and private information are increasingly stored as data in commercial networked computer platforms, which are under continuous and escalating attack. Improving the level of protection in mass-market computers and computer networks is an enormous task and (given a choice) the ICT industry would have started afresh, instead of with computer and network architectures that were not designed to protect information. The task is complicated by incompatible stakeholder requirements. Providing protection for computer platforms is much simpler if platforms have less flexibility, users have less control, and privacy is irrelevant, but these easy options are incompatible with many existing types of computer platform. Consequently manufacturers have had to devise a compromise that gives almost everyone almost everything they wanted.

The Trusted Computing initiative has forced everyone involved to think about what trust means, who and what is trustworthy, and whether they themselves are trustworthy. Some commentators found the conclusions disturbing and were upset by the effect on the status quo. Some are still upset because, if nothing else, Trusted Computing:

• complicates the way that a platform boots and shuts down,
• complicates access to data, and can prevent existing tools and services from working,
• can help prevent the platform state from being rolled back,
• can be used to implement digital rights management systems, which are anathema to some commentators,
• prevents some repurposing of platforms.[4]

[4] At some point, imaginative use of a platform becomes an attack on that platform.

Trusted Computing requires evidence that products are trustworthy, and the technology is undoubtedly an obstacle for those who want to repurpose platforms. Fundamentally, however, no one can dispute that better protection is beneficial for mass-market communicating computer platforms, or that any credible data protection mechanism involves constraining the environment that has access to programs and data. The most liberal constraint is to allow whoever has an unprotected copy of software or data to choose the environment to protect that software or data, and that is exactly what Trusted Computing enables.

Trusted platforms and Trusted Computing will no doubt change with time but this book should continue to provide a record of origins and justifications. The authors have worked in the field of trusted platforms and Trusted Computing for many years. Chapters 12 and 13 were written by Liqun Chen and Chris Dalton respectively. The rest of this book was written by Graeme Proudler with some input from Chen and Dalton.

Bristol, May 2014
Graeme Proudler
Liqun Chen
Chris Dalton

Naturally, this book also draws upon the expertise of many other people over many years. The authors are particularly obliged to colleagues for information on the Federal Information Processing Standard and on export/import regulations; to Paul Waller of CESG for comments and information about certification; and to Dirk Kuhlmann of HP Labs-Bristol for compiling this book’s index.

Reference

[CESG01] “CESG IA Top Tips - Trusted Platform Modules” (April 2014) http://www.cesg.gov.uk/publications/Documents/ciatt-01-11-trusted_platform_modules.pdf

Abbreviations

Acronym  Description
ACA      An Attestation Certification Authority is a Certification Authority in a Public Key Infrastructure that issues credentials for TPM2.0 keys, especially keys used as TPM identities
AIK      An Attestation Identity Key is an asymmetric signing key pair in TPMv1.2 that is used as a TPM identity
AK       An Attestation Key is an asymmetric key pair in TPM2.0, which could be used as a TPM identity
BBB      The BIOS Boot Block is part of the Basic Input/Output System in a Personal Computer
BIOS     The Basic Input/Output System historically comprises the first instructions to execute in a Personal Computer
BLOB     A Binary Large OBject comprises TPM data, usually encrypted and integrity-protected data, that is outside a TPM
BSI      Germany’s Bundesamt für Sicherheit in der Informationstechnik is a security agency
CC       The Common Criteria certification scheme—ISO 15408
CESG     The UK’s National Technical Authority for Information Assurance is a security agency
CCRA     The Common Criteria Recognition Agreement is an agreement between governments about a method of security certification
CMK      A Certified Migration Key is a type of key in TPMv1.2 that can be migrated via a Migration Authority and under control of a Migration Selection Authority
COTS     A Commercial Off The Shelf mass-market product is one that is suitable for deployment in government systems
CRTM     The Core Root of Trust for Measurement comprises instructions executed by a Root of Trust for Measurement (RTM)
DA       A Dictionary Attack is a method of discovering an authorisation value (in order to use a resource without being given permission)
DAA      Direct Anonymous Attestation is an identity protocol built into TPMs that provides anonymity and pseudonymity
