Monday, June 3, 2019

Trusted Platform Module (TPM)

Trusted Platform Module (TPM) is the term used for a chip or microcontroller that can be placed on the motherboard of devices such as mobile devices or personal computers (PCs). The requirements and specification were developed and established by the Trusted Computing Group (TCG) to deliver a solution in which a reliable and genuine chain of trust exists between the hardware and software configurations. This is accomplished through cryptographic and hashing algorithms. Additionally, TPM offers a verification and authentication process for other third-party software. TPM is an international standard for a secure cryptoprocessor, a dedicated microcontroller or chip intended to secure hardware by integrating cryptographic keys into devices. TPM's technical requirements were established and written by TCG and launched in 2003. TCG was created as a nonprofit from inception and counts companies such as Microsoft, IBM, Intel, and Hewlett-Packard among its members. TPM, like any other technology, has flaws and suffers from attacks. These attacks include offline dictionary and OIAP replay attacks; nevertheless, when combined with other endpoint controls such as multifactor authentication, network access control, and malware detection, TPM's contribution to a sound security program is well-grounded (Sparks, 2007). This survey is a complete review of research conducted on TPM: its components, mechanisms, applications, and authorization protocols. Furthermore, a description of some common attacks to which TPM has fallen victim will be presented. Finally, more recent and future developments will be discussed, such as the incorporation of TPM within mobile and smart devices and even within cloud computing.
First, it is important to start with an overview of the TPM specification, its components, and its purpose. The TPM background section discusses in some detail an overarching summary of TPM. This will include what the motivations and advantages are to utilize TPM as well as how the different types of keys function. Also discussed is the evolution of TPM over time in how it functions, in both its hardware encryption and its capabilities.

2.1 TPM Summary

A Trusted Platform Module (TPM) is a cryptographic coprocessor that originated as a replacement for smart cards in the 1990s and then became present on most commercial personal computers (PCs) and servers. TPMs are almost ubiquitous in computer hardware and typically not seen by users because of the lack of compelling applications that use them. However, this situation has changed with TPM 2.0 (library specification revision 1.16), which added the Federal Information Processing Standards (FIPS) bit, a static flag (TPMA_MODES.FIPS_140_2, readable through TPM2_GetCapability) that indicates whether the TPM's firmware is designed to meet FIPS 140-2 cryptographic module requirements. This compliance is then recorded by the consolidated validation certificates granted when FIPS 140-2 validation is completed, which NIST publishes as public record, listed alphabetically by vendor, at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm (TCG FIPS 140-2 Guidance for TPM 2.0, ver 1, rev. 8, 2016). Therefore, the TPM has increasingly become one of importance and an essential ingredient of cryptographic defense for organizations that are required to prove their FIPS 140-2 compliance. However, this was not always the case, since security was not a mainstream issue in the early years of the Internet.

2.2 Motivation to use TPM

The motivation for TPM began decades after the advent of what is known as the Internet.
From the creation of the Advanced Research Projects Agency Network (ARPANET) in 1969 it took almost nineteen (19) years for us to become aware of the first known exploit, the Internet Worm of 1988 (Pearson Education, Inc., 2014). Until this time the focus had always been on the development of computers that were easy to use, with no security hardware or software. There was no real concept of information security threats. However, in the 1990s the commercial potential of the Internet became apparent, and with it the need to secure the PCs that would take part in that commerce. This prompted some computer engineers to convene and form the group that became known as the Trusted Computing Group (originally the Trusted Computing Platform Alliance) and to develop the first TPMs (TPM A Brief Introduction, 2015). A main objective of this group was a cost-effective approach to creating a hardware anchor for PC system security on which secure systems could be built. This first resulted in a TPM chip that was required to be attached to a motherboard, and the TPM command set was architected to provide all functions necessary for its security use cases.

2.2.1 Evolution

TPM has evolved considerably over the years to become the trusted platform it is today. The earlier TPM 1.2 standard was incorporated into billions of PCs, servers, embedded systems, network gear and other devices. The evolving Internet of Things and increasing demand for security beyond the traditional PC environment led TCG to develop a new TPM specification, which was adopted as the international standard ISO/IEC 11889:2015. For more flexibility of application and to enable more widespread use of the specification, TCG created TPM 2.0 with a library approach. This allows users to choose applicable aspects of TPM functionality for different implementation levels and levels of security.
Also, new features and functions were added, such as algorithm agility, the ability to implement new cryptographic algorithms as demanded (Trusted Platform Module (TPM) A Brief Introduction, 2015).

ISO/IEC 11889-1:2015

ISO/IEC 11889-1:2015 defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general. Some TPM concepts are explained adequately in the context of the TPM itself. Other TPM concepts are explained in the context of how a TPM helps establish trust in a computing platform. When describing how a TPM helps establish trust in a computing platform, ISO/IEC 11889-1:2015 provides some guidance for platform requirements. However, the scope of ISO/IEC 11889 is limited to TPM requirements (Trusted Platform Module (TPM) Summary, 2008).

2.3 TPM Working Functionality

The TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform on a PC or laptop. These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. This is critical because authentication and attestation are necessary to ensure safer computing in all environments. Trusted modules can be used in computing devices other than PCs, such as mobile phones or network equipment (Trusted Platform Module (TPM) Summary, 2008).

Figure 1 Components of a TPM

2.3.1 Hardware-based cryptography

This cryptography ensures that the information stored in hardware is protected against malicious threats such as external software attacks. Also, many types of applications storing secrets on a TPM can be developed to strengthen security by increasing the difficulty of access without proper authorization.
If the configuration of the platform has been altered as a result of unauthorized activities, access to data and secrets can be denied and sealed off using these applications. The TPM is not responsible for controlling other proprietary or vendor software running on a computer. However, the TPM can store pre-runtime configuration parameters; it is other applications that determine and implement policies associated with this information. Processes and applications such as email or secure document management can also be made more secure. For example, if at boot time it is determined that a PC is not trustworthy because of unexpected changes in configuration, access to highly secure applications can be blocked until the issue is remedied. With a TPM, one can be more certain that artifacts necessary to sign secure email messages have not been affected by software attacks. And, with the use of remote attestation, other platforms in the trusted network can determine to what extent they can trust information from another PC. Attestation and the other TPM functions do not transmit personal information about the user of the platform.

2.3.2 Capabilities

TPM can improve security in many areas of computing, including e-commerce, citizen-to-government applications, online banking, confidential government communications and many other fields where greater security is required. Hardware-based security can improve protection for VPNs, wireless networks, file encryption (as in Microsoft's BitLocker) and password/PIN/credential management. The TPM specification is OS-agnostic, and software stacks exist for several operating systems.

2.4 TPM Components

The Trusted Platform Module (TPM) is the core component of trusted computing. The TPM is used as a secure hardware chip and provides the hardware Root of Trust. It has been designed to provide trusted computing based on Trusted Computing Group (TCG) specifications.
TPM functions can be implemented either in hardware or software. A secure cryptographic chip (Figure 2) can be integrated on the motherboard of a computing device according to the TPM 1.2 specifications (Angela, Renu Mary, Vinodh Ewards, 2013).

Figure 2 A TPM 1.2 Chip (Source: http://www.infineon.com)

A logical layout of the TPM is represented below (Figure 3) along with the TPM components.

Figure 3 TPM Component Diagram (Zimmer, Dasari, Brogan, 2009)

Information flow is managed by the I/O component through the communication bus. The I/O component handles routing of messages to the various components within the TPM and enforces access control for TPM functions and the Opt-in component.

The non-volatile storage in the TPM is a repository for the Endorsement Key (EK) and the Storage Root Key (SRK). These long-term keys are the basis of the key hierarchy. Owner authorization data such as the owner password and persistent flags are also stored in the non-volatile memory (Trusted Computing Group, 2007).

Platform Configuration Registers (PCRs) are reset during power-offs and system restarts and can be held in volatile or non-volatile storage. In TPM v1.1, the minimum number of registers that can be implemented is 16. Registers 0-7 are allocated for TPM usage, leaving the remaining registers (8-15) to be used by the operating system and applications (Angela, Renu Mary, Vinodh Ewards, 2013). In TPM v1.2, the number of registers can be 24 or more, categorized as static PCRs (0-16) and dynamic PCRs (17-22).

The Program Code, also known as the Core Root of Trust for Measurement (CRTM), is the authoritative source for integrity measurements. The execution engine is responsible for initializing the TPM and taking measurements. The execution engine is the driver behind the program code.

The RNG (Random Number Generator) is used for generating keys, for nonce creation and to strengthen passphrase entropy.
The SHA-1 engine plays a key role in creating key blobs and hashing large blocks of data. TPM modules can be shipped in various states ranging from disabled and deactivated to fully enabled. The Opt-in component controls the state of TPM modules during shipping.

The RSA engine can be used for a variety of purposes including key signing, encryption/decryption using storage keys and decryption using the EK. The AIK (Attestation Identity Key) is an asymmetric key pair linked to the platform module that can be used to vouch for the validity of the platform's identity and configuration. The RSA key generation engine is used for creating asymmetric keys of up to 2048 bits.

2.5 TPM Keys

TCG keys can be categorized as signing or storage keys. Other key types defined by TCG are Platform, Identity, Binding, General and Legacy keys (Trusted Computing Group, 2007).

Signing keys can be classified as general purpose keys and are asymmetric in nature. Application data and messages can be signed by the TPM using signing keys. Signing keys can be migrated between TPM devices subject to the restrictions in place. Storage keys are asymmetric keys primarily used for encrypting data and other keys, that is, for wrapping keys. Attestation Identity Keys (AIK) are used for signing data pertaining to the TPM such as PCR register values. AIKs are signing keys that cannot be exported. The Endorsement Key (EK) is used for decrypting the owner authorization credentials as well as the encrypted messages produced during AIK certification. The EK is not used for general encryption or signing and cannot be exported. Binding keys (asymmetric keys) come in handy to encrypt data on one platform and decrypt it on a different platform. Legacy keys can be imported from outside the TPM and used for signing and encrypting data.
Authentication keys are responsible for securing the transport sessions related to the TPM and are symmetric in nature.

The Endorsement Key (EK) in the TPM plays a critical role in maintaining system security. Keys created by the TPM are bound to the specific TPM holding that EK. The EK should be secured and protected from being compromised. A 160-bit AIK authorization value is necessary to use the AIK (Sparks, 2007). The parent key used for generating other keys must be loaded first and authorized by the user before the TPM can load any of its child keys. The EK is unique to the TPM and embedded within the tamper-resistant non-volatile memory (Angela, Renu Mary, Vinodh Ewards, 2013). The public EK is used for creating AIK certificates and during the process of encrypting data destined for the TPM. The private EK is never used for generating signatures. Multiple AIKs can be kept by a TPM to ensure anonymity between various service providers requiring proof of identity. AIKs should be stored in secure external storage (outside the TPM) to make them persistent, and loaded into the volatile memory of the TPM when in use.

The TPM has a Storage Root Key which stays persistent. Other keys are not stored permanently in the TPM due to limited storage space. A brief description of the process involved in key generation, encryption, and decryption in the TPM is outlined below (Osborn & Challener, 2013). A new RSA key is generated by the TPM when a key creation request is initiated by software. The TPM concatenates a proof value with the RSA key, appends the authorization data, encrypts the result using the public portion of the Storage Root Key and returns the encrypted blob to the requesting software. When the software later needs the key, it sends a request for the key to be loaded from the blob. The TPM uses the Storage Root Key for decryption and validates the proof value and password before loading the key into TPM memory.
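The key creation and load flow just described, as an added example in Go written for this page (it is not the survey's material and not TCG or vendor code). A child key is wrapped under the SRK public key together with a TPM-secret proof value and the 20-byte authorization data; LoadKey releases it only when the blob unwraps under this TPM's SRK, carries this TPM's proof value, and is presented with the right authorization. The following are my assumptions for the simplified model, not the TPM_KEY12 wire format: RSA-OAEP as the wrapping, a 32-byte child key, and authorization data derived as SHA-1 of the password (which is how the TPM 1.2 software stack derives it).

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Added illustration of the TPM 1.2 create/load flow; not TCG or vendor code.
// Assumptions: RSA-OAEP as the wrapping (not the TPM_KEY12 format), a 32-byte
// child key, and authData = SHA-1(password) as the 1.2 software stack derives it.
const (
	authLen = 20 // TPM 1.2 authorization data is a 20-byte value
	keyLen  = 32
)

var oaepLabel = []byte("wrapped-key")

// Tpm holds the Storage Root Key and the TPM-unique proof value that marks
// blobs as having been created by this TPM.
type Tpm struct {
	srk   *rsa.PrivateKey
	proof [authLen]byte
}

// NewTpm generates the SRK and proof value, as TPM_TakeOwnership would.
func NewTpm() (*Tpm, error) {
	srk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	t := &Tpm{srk: srk}
	if _, err := rand.Read(t.proof[:]); err != nil {
		return nil, err
	}
	return t, nil
}

// AuthData derives the 20-byte authorization value from a password.
func AuthData(password string) [authLen]byte { return sha1.Sum([]byte(password)) }

// CreateWrappedKey generates a fresh child key inside the "TPM" and returns it
// only as a blob, RSA-OAEP(SRK_pub, proof || auth || key), for the caller to
// keep on disk; the key material never leaves the TPM in the clear.
func (t *Tpm) CreateWrappedKey(auth [authLen]byte) ([]byte, error) {
	child := make([]byte, keyLen)
	if _, err := rand.Read(child); err != nil {
		return nil, err
	}
	plain := append(append(append([]byte{}, t.proof[:]...), auth[:]...), child...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &t.srk.PublicKey, plain, oaepLabel)
}

// LoadKey unwraps a blob with the SRK private key and releases the child key
// only if the proof value is this TPM's and the presented auth matches the one
// stored in the blob at creation time.
func (t *Tpm) LoadKey(blob []byte, auth [authLen]byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.srk, blob, oaepLabel)
	if err != nil {
		return nil, errors.New("blob was not wrapped under this parent key")
	}
	if len(plain) != 2*authLen+keyLen {
		return nil, errors.New("malformed blob")
	}
	if !bytes.Equal(plain[:authLen], t.proof[:]) {
		return nil, errors.New("proof value mismatch: blob was not created by this TPM")
	}
	// constant-time compare so timing does not reveal how much of the auth matched
	if subtle.ConstantTimeCompare(plain[authLen:2*authLen], auth[:]) != 1 {
		return nil, errors.New("TPM_E_AUTHFAIL: wrong authorization data")
	}
	return append([]byte{}, plain[2*authLen:]...), nil
}

func main() {
	tpm, err := NewTpm()
	if err != nil {
		panic(err)
	}
	auth := AuthData("correct horse battery staple")
	blob, _ := tpm.CreateWrappedKey(auth)
	fmt.Printf("blob kept outside the TPM: %d bytes\n", len(blob))
	_, err = tpm.LoadKey(blob, auth)
	fmt.Println("load with correct auth:", err)
	_, err = tpm.LoadKey(blob, AuthData("wrong"))
	fmt.Println("load with wrong auth:", err)
	other, _ := NewTpm()
	_, err = other.LoadKey(blob, auth)
	fmt.Println("load on another TPM:", err)
}
```

The blob is the only thing the caller keeps; a second TPM cannot unwrap it, and even the same TPM refuses to release the key unless the presented authorization matches. Loading the returned key as a parent for further CreateWrappedKey calls is what builds the hierarchy described in the next paragraph.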
This loaded key is referred to as the parent key and can be used for subsequent key creation, forming key hierarchies.

The TPM security section discusses in some detail the various ways in which security is implemented and where it is vulnerable. TPM authorization protocols in both version 1.2 and version 2.0 are addressed. Several examples of different types of TPM vulnerabilities are outlined, as well as ways to verify the integrity of the system to protect against these vulnerabilities and what the future holds for TPM.

3.1 TPM Authorization Protocols

3.1.1 TPM 1.2 Authorization

The basic definition of TPM authorization is the process of verifying that software is allowed to use a TPM key. For TPM 1.2 this process is accomplished by utilizing a couple of basic commands in an authorization session, typically using passwords or values stored in the Platform Configuration Registers (PCRs), which are referred to as authorization data. The three types of authorization sessions for TPM 1.2 are: Object Independent Authorization Protocol (OIAP), which creates a session that allows access to multiple objects but works only for certain commands; Object Specific Authorization Protocol (OSAP), which creates a session that can manipulate only a single object but allows for new authorization data to be transferred; and Delegate-Specific Authorization Protocol (DSAP), which delegates access to an object without disclosing the authorization data (Nyman, Ekberg, Asokan, 2014). Commands issued within an authorization session are then used to manipulate the keys. Software proves that it is authorized by sending a command that carries an HMAC computed with the authorization data (the 20-byte hash of the password), which demonstrates knowledge of the password without transmitting it. Also, the locking of non-volatile random-access memory (NVRAM) to PCRs and particular localities is utilized with two different authorizations, one for reading and one for writing.
While effective, these authorization mechanisms created a relatively rigid authorization system which made it difficult to administer the sharing of TPM keys and data (Osborn & Challener, 2013).

3.1.2 TPM 2.0 Authorization

The implementation of TPM 2.0, on the other hand, takes a different approach by introducing enhanced authorization (EA). EA takes the TPM 1.2 authorization methods and improves upon them by incorporating the features listed in Table 1 below.

Table 1. TPM 2.0 Authorization

Feature: Description
Passwords in the clear: Reduces overhead in environments where the security of hash-based message authentication (HMAC) may not be feasible due to its extra cost and complexity
HMAC key: In some cases, when the software talking to the TPM is trusted but the OS is untrusted (as on a remote system), it can be useful to use HMAC for authorization the same way as in TPM 1.2
Signature methods: Allow IT employees to perform maintenance on a TPM by authenticating with a smart card or additional data such as a biometric fingerprint or GPS location. This ensures that passwords cannot be shared or compromised by unauthorized users and that an additional verification check is conducted
PCR values as a proxy for system boot state: If the system management module software has been compromised, this prevents the release of the full-disk encryption key
Locality as a proxy for command origin: Can be used to indicate whether a command originated from the CPU in response to a special request
Time: Can limit the use of a key to certain times of the day
Internal counter values: Limits the use of an object so that a key can only be used a certain number of times, as tracked by an internal counter
Value in a non-volatile (NV) index: Use of a key is restricted to when certain bits are set to 1 or 0
NV index written: Authorization is based on whether the NV index has been written
Physical presence: Requires proof that the user is physically in possession of the platform
(Table created with information from (Arthur, Challener, Goldman, 2015))

These features can be combined to create more complex policies using the logical operators AND and OR, which allows for policies that include multifactor/multiuser authentication of resources, time limits on resources, and/or revocation of resources (Arthur, Challener, Goldman, 2015).

3.2 TPM Vulnerabilities

When ranked against other standards, TPM comes in as highly secure, but that is not to say that it is immune to all attacks. There are several vulnerabilities that can allow an attacker to circumvent the level of security TPM provides. The sections below explain a few vulnerabilities that attackers can use against TPM, and the mitigation techniques one could deploy to manage the risk.

Dictionary Attack

TPM authorization relies on a 20-byte authorization value sent by the requestor which, if not properly locked down, can result in an attacker guessing their way past the authorization.
TCG issues guidance on how best to mitigate and prevent these attacks; however, the guidance is not very detailed and leaves the specifics up to the implementer. For example, one could implement a design in which the TPM refuses further attempts once it encounters more than three failed attempts. This effectively prevents online dictionary attacks, but a practitioner should note that the lockout itself becomes a denial-of-service vector, since anyone able to send commands can deliberately exhaust the attempts; a recovery interval and an authorized reset path are needed alongside it. (TPM 2.0 standardizes this as dictionary attack lockout, with the maxTries, recoveryTime and lockoutRecovery parameters set through TPM2_DictionaryAttackParameters.)

We have spoken about preventing online dictionary attacks, but where the threat truly comes into play is with an offline attack. This vulnerability arises when the authorization value is easily guessable, in other words poorly chosen. An attacker could observe a given command, the associated keyed-hash message authentication code (HMAC) sent by the requestor and finally the TPM's response. The HMAC is computed from the authorization value, the session nonces and the command digest; since the nonces and the session handle travel in the clear, the only unknown is the authorization value, so the attacker can test candidate values against the captured HMAC offline. A match provides the attacker with the correct authorization value. This offline attack bypasses the TPM's lockout policy entirely, and though the attacker must sift through candidate values, the method is viable because it can be reasonably executed given the availability of time and computing resources. The mitigation comes down to proper configuration and ensuring that the authorization value is not easily guessable. (TPM 2.0 additionally offers salted sessions, in which the session key depends on a salt encrypted to a TPM key, so a passive observer no longer obtains an HMAC it can test candidate passwords against.)

DRAM (Cold Boot) Attack

Though this attack is not directly against the TPM, it is worth mentioning as it is a viable way to circumvent the TPM's authorization protocols. The TPM maintains its keys within non-volatile memory inside the TPM component; however, when these keys are released to a requestor or requesting application, they are held in Dynamic Random Access Memory (DRAM).
It is well known that DRAM can be exploited to extract valuable information (keys, passcodes, etc.), and this has been demonstrated against Microsoft's BitLocker encryption utility. During boot, Windows would unseal the encryption keys protected by the TPM into DRAM before even prompting the user. Given this, an attacker could dump the raw memory to an external device, obtain the keys, and then use those keys to decrypt the disk. This flaw enabled attackers to gain access to data on stolen laptops, even with full disk encryption. (The usual mitigation is to require a PIN or startup key in addition to the TPM, so that the volume key is not unsealed before the user has authenticated.) This highlights the importance of how a system is designed and of ensuring that every detail is accounted for. Even if your system has a TPM, it is only going to be as secure as the weakest component within the overall system.

OIAP Replay Attack

Replay attacks are used by many attackers across a multitude of systems. TPM is no exception and is vulnerable to replay attacks because of several characteristics. First, a TPM Object-Independent Authorization Protocol (OIAP) session can be left open for an indefinite period. Second, the requestor closes the authorized session only when an abnormal message is received. Finally, the HMAC that wraps the message can detect alterations to the message but cannot distinguish between a deliberate alteration and a simple network error.

For example, an attacker would first capture a requestor's authorized command for later use. The attacker then sends an abnormal message to the requestor, which fools it into resetting the session. The requestor is unable to distinguish between the abnormal message and a network error, so no concern is raised. Since there is no concern, the TPM keeps the authorized session open, allowing the attacker to replay the previously captured command through the open session. This could range up to the attacker being able to corrupt or even overwrite a subsequent command issued by the requestor.
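The OIAP session of 3.1.1 and the two attacks on it described in this section, the offline dictionary attack and the replay, as one added example in Go written for this page (not TCG's code and not the survey's own material). The simulated TPM verifies HMAC-SHA1(authData, commandDigest || nonceEven || nonceOdd) and rotates nonceEven after each accepted command. ReplayAttack plays the captured-then-dropped command through a session the requestor left open, and OfflineDictionary tests candidate passwords against a captured HMAC without ever talking to the TPM, so no lockout fires. The command strings, the wordlist, the single authData per TPM and the absence of the continueAuthSession flag are simplifications of mine.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Added illustration of a TPM 1.2 OIAP session; not TCG code. Assumptions:
// no continueAuthSession flag, one authData per TPM, opaque command strings.
type nonce [20]byte

func newNonce() (n nonce) { rand.Read(n[:]); return n } // crypto/rand.Read never fails (Go 1.24+)

// AuthCommand crosses the bus from requestor to TPM entirely in the clear.
type AuthCommand struct {
	Handle   uint32
	Digest   [20]byte // SHA-1 of ordinal and parameters
	NonceOdd nonce    // chosen by the requestor
	Auth     [20]byte // HMAC-SHA1(authData, Digest || nonceEven || NonceOdd)
}

// Tpm keeps authData (SHA-1 of the password, never transmitted) and the open
// sessions with their current nonceEven.
type Tpm struct {
	authData [20]byte
	sessions map[uint32]nonce
	next     uint32
}

func NewTpm(password string) *Tpm {
	return &Tpm{authData: sha1.Sum([]byte(password)), sessions: map[uint32]nonce{}, next: 1}
}

// OIAP opens a session: the TPM returns the handle and the first nonceEven.
func (t *Tpm) OIAP() (uint32, nonce) {
	h, n := t.next, newNonce()
	t.next++
	t.sessions[h] = n
	return h, n
}

// Close models TPM_Terminate_Handle: the requestor discards a session.
func (t *Tpm) Close(h uint32) { delete(t.sessions, h) }

func authHMAC(authData, digest [20]byte, even, odd nonce) (out [20]byte) {
	m := hmac.New(sha1.New, authData[:])
	m.Write(digest[:])
	m.Write(even[:])
	m.Write(odd[:])
	copy(out[:], m.Sum(nil))
	return out
}

// Execute checks the HMAC against the session's nonceEven and, on success,
// rotates nonceEven so the same HMAC cannot be presented again in that session.
func (t *Tpm) Execute(c AuthCommand) error {
	even, ok := t.sessions[c.Handle]
	if !ok {
		return errors.New("TPM_E_INVALID_AUTHHANDLE")
	}
	if want := authHMAC(t.authData, c.Digest, even, c.NonceOdd); !hmac.Equal(want[:], c.Auth[:]) {
		return errors.New("TPM_E_AUTHFAIL")
	}
	t.sessions[c.Handle] = newNonce()
	return nil
}

// BuildCommand is the requestor side; it knows the password, handle and nonceEven.
func BuildCommand(password string, handle uint32, even nonce, params []byte) AuthCommand {
	c := AuthCommand{Handle: handle, Digest: sha1.Sum(params), NonceOdd: newNonce()}
	c.Auth = authHMAC(sha1.Sum([]byte(password)), c.Digest, even, c.NonceOdd)
	return c
}

// ReplayAttack: the attacker captures an authorized command and drops it, so the
// TPM never rotates nonceEven; the requestor, unable to tell the error from a
// network fault, opens a new session and carries on, leaving the old one open.
// Returns whether the captured command was accepted when replayed afterwards.
func ReplayAttack(t *Tpm, password string) bool {
	handle, even := t.OIAP()
	captured := BuildCommand(password, handle, even, []byte("NV_WriteValue idx=1 policy-v1"))
	h2, e2 := t.OIAP()
	if t.Execute(BuildCommand(password, h2, e2, []byte("NV_WriteValue idx=1 policy-v2"))) != nil {
		panic("legitimate retry rejected")
	}
	return t.Execute(captured) == nil
}

// OfflineDictionary tests candidate passwords against a captured HMAC using the
// nonceEven seen on the bus, never touching the TPM, so no lockout counter fires.
func OfflineDictionary(c AuthCommand, even nonce, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if g := authHMAC(sha1.Sum([]byte(w)), c.Digest, even, c.NonceOdd); hmac.Equal(g[:], c.Auth[:]) {
			return w, true
		}
	}
	return "", false
}

func main() {
	tpm := NewTpm("letmein")
	fmt.Println("replay accepted while the stale session stays open:", ReplayAttack(tpm, "letmein"))
	h, e := tpm.OIAP()
	c := BuildCommand("letmein", h, e, []byte("TPM_Sign")) // attacker captures c and e from the bus
	fmt.Println(OfflineDictionary(c, e, []string{"password", "123456", "letmein"})) // constructed wordlist
}
```

The replay works only because the requestor abandoned the first handle without terminating it: calling Close on it before opening the new session makes the replay fail with TPM_E_INVALID_AUTHHANDLE. The dictionary attack, by contrast, needs nothing from the TPM at all once one exchange has been captured, which is why the authorization value's entropy is the only defence in a plain (unsalted) HMAC session.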
The TPM would not be able to detect this type of attack, which is truly concerning given the foundational principles of TPM and its assurance of being able to detect unauthorized modifications to data.

3.3 TPM Attestation

Attestation is the method a platform uses to prove to another platform that it is in a particular configuration, using a digitally signed set of cryptographic hash values, which creates trust between platforms (Fisher, McCune, Andrews, 2011). The network server first creates a cryptographic random value (used to prevent replay attacks) called a nonce, which is then sent to the client. Software on the client then sends the nonce to the TPM and specifies an identity key. The TPM hashes the PCR values along with the nonce and then signs the hash with the private half of the identity key. The client software sends this back to the server, which verifies the signature with the public half of the identity key and checks the platform configuration it reports. This process provides hardware-based assurance that software on these platforms has not been modified (Osborn & Challener, 2013). Figure 5 provides a visual representation of attestation as provided by (Osborn & Challener, 2013).

Figure 5 Attestation

In order for the attestation process to be valid, however, it must be possible to prove that the TPM values from the client are not being spoofed. This can be accomplished using a few key components: attestation identity keys (AIK), which are created by the TPM and securely stored on disk before being reloaded into volatile TPM memory; endorsement keys (EK), which are hardcoded by the manufacturer into the TPM chip; and a privacy certificate authority (CA), which is a third-party validation entity.

The first step of this process occurs when the public halves of the AIK and EK are sent to the CA. The CA then uses the public EK certificate to verify that the request comes from a valid TPM by checking it against the public keys of all valid TPM manufacturers.
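The quote exchange from the start of this section, preceded by the measured boot that fills the PCRs, as an added Go example written for this page (it is not the survey's Figure 5, and not TCG or vendor code). The verifier issues a nonce, the TPM signs H(PCRs || nonce) with the AIK private half, and the verifier checks the nonce, the signature against the public half, and the reported PCRs against known-good values recorded from a boot it trusted. Assumptions of mine: SHA-256 PCRs, component-to-PCR assignments that loosely follow PC client convention (0 firmware, 4 bootloader, 8 kernel), PKCS#1 v1.5 signatures, an AIK that is simply a freshly generated RSA key rather than one certified by the privacy CA, and constructed byte strings standing in for real firmware images.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added illustration of measured boot plus a PCR quote; not TCG or vendor code.
// Assumptions: SHA-256 PCRs, PCR 0/4/8 for firmware/bootloader/kernel, PKCS#1
// v1.5 signatures, and an AIK that is just a fresh RSA key (no privacy CA).
const pcrCount = 24

type Tpm struct {
	PCR [pcrCount][32]byte // all zero after power-on, like static PCRs
	AIK *rsa.PrivateKey    // private half never leaves the TPM
}

func NewTpm() (*Tpm, error) {
	aik, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Tpm{AIK: aik}, nil
}

// PowerCycle resets the PCRs; the AIK survives in non-volatile storage.
func (t *Tpm) PowerCycle() { t.PCR = [pcrCount][32]byte{} }

// Extend is the only way to change a PCR: PCR[i] = H(PCR[i] || value).
// Order matters and nothing can be undone, so the result commits to the chain.
func (t *Tpm) Extend(i int, value [32]byte) {
	t.PCR[i] = sha256.Sum256(append(t.PCR[i][:], value[:]...))
}

// Boot models the CRTM/BIOS measuring each stage before handing control to it.
func Boot(t *Tpm, firmware, bootloader, kernel []byte) {
	t.Extend(0, sha256.Sum256(firmware))
	t.Extend(4, sha256.Sum256(bootloader))
	t.Extend(8, sha256.Sum256(kernel))
}

// Quote is what the client returns to the verifier: PCRs, nonce, signature.
type Quote struct {
	PCRs  [pcrCount][32]byte
	Nonce []byte
	Sig   []byte
}

func quoteDigest(pcrs [pcrCount][32]byte, nonce []byte) []byte {
	h := sha256.New()
	for _, p := range pcrs {
		h.Write(p[:])
	}
	h.Write(nonce)
	return h.Sum(nil)
}

// Quote signs H(PCRs || nonce) with the AIK private half.
func (t *Tpm) Quote(nonce []byte) (Quote, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, t.AIK, crypto.SHA256, quoteDigest(t.PCR, nonce))
	return Quote{PCRs: t.PCR, Nonce: nonce, Sig: sig}, err
}

// Verifier is the remote side: AIK public key plus known-good PCRs from a trusted boot.
type Verifier struct {
	AikPub *rsa.PublicKey
	Golden [pcrCount][32]byte
	last   []byte
}

// Challenge issues a fresh nonce; only a quote over this nonce is acceptable.
func (v *Verifier) Challenge() []byte {
	v.last = make([]byte, 20)
	rand.Read(v.last) // crypto/rand.Read never fails (Go 1.24+)
	return v.last
}

func (v *Verifier) Check(q Quote) error {
	if !bytes.Equal(q.Nonce, v.last) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if rsa.VerifyPKCS1v15(v.AikPub, crypto.SHA256, quoteDigest(q.PCRs, q.Nonce), q.Sig) != nil {
		return errors.New("bad signature: PCR values not vouched for by the AIK")
	}
	if q.PCRs != v.Golden {
		return errors.New("platform configuration differs from known-good measurements")
	}
	return nil
}

func main() {
	tpm, err := NewTpm()
	if err != nil {
		panic(err)
	}
	Boot(tpm, []byte("bios-1.0"), []byte("grub-2.04"), []byte("vmlinuz-5.4")) // constructed images
	v := &Verifier{AikPub: &tpm.AIK.PublicKey, Golden: tpm.PCR}
	q, _ := tpm.Quote(v.Challenge())
	fmt.Println("trusted boot:", v.Check(q))
	tpm.PowerCycle()
	Boot(tpm, []byte("bios-1.0"), []byte("grub-2.04"), []byte("vmlinuz-5.4-rootkit"))
	q, _ = tpm.Quote(v.Challenge())
	fmt.Println("modified kernel:", v.Check(q))
}
```

The three checks fail independently: an old quote against a new nonce (replay), a quote from a different TPM (signature), and a quote from the same TPM after any component in the chain changed (PCR mismatch). What the example cannot show is why the verifier should believe the AIK public key belongs to a genuine TPM at all; that is the role of the EK and the privacy CA, which the survey covers next.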
The CA then puts the public AIK in a certificate and encrypts it with the public EK. This ensures that the only party that can decrypt it is the TPM holding the corresponding private EK, thereby confirming that the TPM of the requesting platform is genuine and, therefore, that the attestation method can be trusted as well (Uppal & Brandon, 2011).

3.4 Application of TPM

With the ever-evolving landscape of technology, there is an increased need for faster, more reliable and more secure methods of protecting private and personal data. TPM is a product of those evolving requirements and has thus been incorporated into many different sets of applications. This section will expand upon those sets of applications and delve into how TPM is utilized within the industry today.

Encryption

One of the most popular uses of TPM is to ensure the confidentiality of user data by providing full encryption capabilities for disks and file systems. Full disk encryption uses symmetric encryption with a volume key that is created during initial configuration, sealed to the TPM (optionally together with a user-supplied passcode) and released at system boot. This protects against the loss of the disk drive and facilitates disposal or repurposing of the drive, since deleting the keys cryptographically erases the drive. The same method is used for the encryption of file systems and can be applied to protect specific nodes.

Policy Enforcement

With Bring-Your-Own-Device (BYOD) policies becoming more and more prevalent within commercial businesses, TPM has found a use as a policy enforcement mechanism for remote access. TPM can be used to establish trust and verify a device's integrity before allowing a remote connection to an organization's intranet. This use of TPM comprises a series of hashes that measure a predefined sequence of code loads, starting with the boot of the BIOS through the loading of applications.
The chain of hash measurements is then compared to the stored values in order to validate the system's integrity. This is very useful for establishing the base operating environment and developing a baseline against which access control policies can be developed.

Password Protection

TPM protected storage provides a method of storing encryption/decryption keys as well as managing user passwords. Typically, a password manager retrieves the encrypted password from the TPM, decrypts it, and then sends it to the client application for validation. Since the passwords are usually sent to the client applications in plaintext, this is a serious vulnerability for which TPM can provide a solution. Using the 20-byte authorization value, a TPM object is created for each user password, with the password saved in the object's authorization field. To verify a password, an application sends an OIAP-authorized request to access the TPM object. The TPM's response to this request indicates whether the password was correct or not. As a plus, this serves as both password storage and verification with the password never being sent to the application, thus eliminating the vulnerability associated with plaintext. (Note that the offline dictionary attack described in 3.2 applies to the HMAC exchanged in that OIAP request, so user passwords still need adequate entropy.)

3.5 TPM Future

TPM is compatible with many hardware and software platforms in use in today's commercial markets and is already in use by several major business functions, including banking, e-commerce, biometrics and even antivirus applications. Looking forward, TPM will play an even bigger role in the evolving mobile market, providing enhanced security for cell phones, GPS tracking systems, tablets and more. TPM can be used to protect the mobile Operating System (OS) from being modified by attackers and can be used to further secure authorized access by implementing a hard-coded digital signature solution.
For GPS devices, TPM can be used to protect against the modification of system-defined location parameters, thus preventing an attacker from adjusting those parameters to suit their ends.

The biggest constraint facing the implementation of TPM within the mobile realm is the space and power constraints of mobile devices. Research is being done on whether a mobile instantiation of TPM should be based on firmware, software or hardware. A hardware implementation would be the most secure; however, the firmware-based option will likely prove to be the best approach as it balances the security of the device with the size limitations.

TPM is also being looked at with regard to providing security enhancements for cloud-based services. Cloud computing has migrated most of the standard desktop to a virtual and remotely
