Hardware Security and Trusted Platform Module Overview


This content discusses the importance of hardware security, distinguishing it from software security, and introduces the concept of Trusted Platform Module (TPM) as a trusted co-processor integrated into the platform to enhance security. It also highlights the role of the Trusted Computing Group (TCG) in developing hardware and software standards for improved security measures.


Uploaded on Sep 16, 2024 | 0 Views



Presentation Transcript


  1. Hardware Security: Trusted Platform Module
     Amir Houmansadr, CS660: Advanced Information Assurance, Spring 2015
     Content may be borrowed from other resources. See the last slide for acknowledgements!

  2. Hardware Security
     - Definition: implement security protection mechanisms in hardware
     - E.g., design trusted hardware, as opposed to (or in addition to) trusted software
     CS660 - Advanced Information Assurance - UMassAmherst 2

  3. Trusted or Trustworthy
     - A component of a system is "trusted" when the security of the system depends on it: failure of the component can break the security policy. This is determined by the component's role in the system.
     - A component is "trustworthy" when it deserves to be trusted, e.g., it is implemented correctly. This is determined by the intrinsic properties of the component.
     - Trusted or trustworthy computation?

  4. Why Hardware Security
     - Software security: software protects software!
       - Vulnerable to attacks: is the antivirus/hardware untouched?
       - Easy infiltration, fast spread
     - Hardware security: hardware protects software
       - Attacks need physical access
       - Software infiltration is much more difficult

  5. Trusted Platform Module (TPM)
     - A chip integrated into the platform
     - The (alleged) purpose is to provide more security
     - It is a separate trusted co-processor
     - "The TPM represents a separate trusted coprocessor, whose state cannot be compromised by potentially malicious host system software." (IBM Research Report)

  6. The Trusted Computing Group
     The Trusted Computing Group (TCG) is a non-profit industry consortium which develops hardware and software standards. It is funded by many member companies, including IBM, Intel, AMD, Microsoft, Sony, Sun, and HP, among others.

  7. Attestation
     - The TPM's most controversial feature is attestation: the ability to measure the state of a computer and send a signed message certifying that particular hardware or software is or isn't present.
     - Controversial because it provides features that can be used to secure hardware against the owner

  8. Components
     - Root key
     - PKI private keys could be stored in the chip; PK signatures are calculated in the chip itself, never visible outside
     - Random number generators
     - SHA-1 engine (listed as "SHA-1 encryption" on the slide; SHA-1 is a hash function, not a cipher)
     - Monotonic counters
     - Process isolation (encrypted I/O prevents keystroke loggers and screen scrapers)

  9. Goals
     TPMs allow a system to:
     - Gather and attest system state
     - Store and generate cryptographic data
     - Prove platform identity
     - Prevent unauthorized software
     - Help prevent malware

  10. TPMs' Novelty
     - Not much novel crypto! Most, if not all, of the security ideas already exist.
     - What TPMs bring to the table is a secure sealed storage chip for private keys, on-chip crypto, and random number generators, among others.
     - The state of the TPM cannot be compromised by malicious host software.

  11. Limitations
     - Advanced features will require O/S support
     - Potential for abuse by software vendors: co-processor or cop-processor?
     - "Trusted Computing requires you to surrender control of your machine to the vendors of your hardware and software, thereby making the computer less trustworthy from the user's perspective." (Ross Anderson)

  12. Real-World Applications
     - Hard drive encryption: BitLocker in Windows 8
     - Trustworthy OS: Google's Chromebook uses the TPM to prevent firmware rollback
     - Potential applications: DRM, fighting pirated software

  13. BitLocker Drive Encryption
     BitLocker Drive Encryption gives you improved data protection on your Windows:
     - Notebooks: often stolen, easily lost in transit
     - Desktops: often stolen, difficult to safely decommission
     - Servers: high-value targets, often kept in insecure locations
     All three can contain very sensitive IP and customer data.
     - Designed to provide a transparent user experience that requires little to no interaction on a protected system
     - Prevents thieves from using another OS or software hacking tool to break OS file and system protections
     - Prevents offline viewing of user data and OS files
     - Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM)

  14. BitLocker Drive Encryption Architecture
     - Static Root of Trust: measurement of boot components
     - Boot chain shown in the slide's figure. Pre-OS phase: TPM Init -> BIOS -> MBR -> BootSector -> BootBlock -> BootManager (all boot blobs unlocked). Static OS phase: OS Loader -> Start OS (volume blob of target OS unlocked).

  15. Disk Layout and Key Storage
     - OS Volume contains: encrypted OS, encrypted page file, encrypted temp files, encrypted data, encrypted hibernation file
     - Where's the encryption key?
       1. SRK (Storage Root Key) contained in the TPM
       2. SRK encrypts the FVEK (Full Volume Encryption Key), protected by TPM / PIN / USB storage device
       3. FVEK stored (encrypted by the SRK) on the hard drive in the OS Volume
     - System Volume contains: MBR, boot manager, boot utilities (unencrypted, small)
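The measured-boot chain of slide 14, the SRK-protected FVEK of slide 15 and the signed attestation of slide 7 fit together in one small model. The following is an added example, not code from the slides, from Microsoft or from any TPM vendor: a pure-Python simulation in which each boot component is extended into a PCR, the FVEK is sealed under an in-chip SRK so that it only unseals when the same components ran, and a quote over the PCR lets a verifier detect a rolled-back firmware. Assumptions: SHA-256 for the PCR (the slides name SHA-1), an HMAC standing in for the chip's asymmetric signature, and constructed byte strings in place of real BIOS, MBR and boot-manager images.

```python
# Added example (not from the slides or any TPM vendor): a pure-Python model of
# three behaviours the slides describe: a measured-boot PCR chain (slide 14),
# sealing the FVEK under an in-chip SRK so it unseals only after the same boot
# components ran (slide 15), and an attestation quote (slide 7). Assumptions:
# SHA-256 for the PCR (the slides name SHA-1) and HMAC as a stand-in for the
# chip's asymmetric signature. Every component, key and nonce value is constructed.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

DIGEST = hashlib.sha256
PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new = H(old || H(component)). Order matters and nothing can
    be un-extended, so the final value commits to every stage that ran."""
    return DIGEST(pcr + DIGEST(component).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Static root of trust: each stage measures the next one into the PCR."""
    pcr = PCR_INIT
    for stage in components:
        pcr = pcr_extend(pcr, stage)
    return pcr


class SimTPM:
    """Model of the chip: the SRK and the attestation key never leave it."""

    def __init__(self, srk: Optional[bytes] = None, aik: Optional[bytes] = None):
        self._srk = srk or os.urandom(32)   # Storage Root Key (slide 15, step 1)
        self._aik = aik or os.urandom(32)   # attestation key (HMAC stand-in)
        self.pcr = PCR_INIT
        self.counter = 0                    # monotonic counter (slide 8)

    def boot(self, components: List[bytes]) -> None:
        """Power-on: the PCR resets, keys and counter persist, chain re-measured."""
        self.pcr = measure_boot(components)

    def _wrap_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on the SRK *and* on the PCR value sealed to.
        return hmac.new(self._srk, b"seal|" + pcr, DIGEST).digest()

    def seal(self, secret: bytes) -> bytes:
        """Return a blob that can sit on the unencrypted system volume."""
        assert len(secret) == 32
        key = self._wrap_key(self.pcr)
        stream = DIGEST(b"stream|" + key).digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, self.pcr + ct, DIGEST).digest()
        return self.pcr + ct + tag           # sealed-to PCR || ciphertext || tag

    def unseal(self, blob: bytes) -> Optional[bytes]:
        """Succeeds only if the current PCR equals the PCR that was sealed to."""
        sealed_pcr, ct, tag = blob[:32], blob[32:64], blob[64:]
        if sealed_pcr != self.pcr:
            return None                      # different boot chain: refuse
        key = self._wrap_key(self.pcr)
        if not hmac.compare_digest(tag, hmac.new(key, self.pcr + ct, DIGEST).digest()):
            return None                      # blob modified on disk: refuse
        stream = DIGEST(b"stream|" + key).digest()
        return bytes(a ^ b for a, b in zip(ct, stream))

    def quote(self, nonce: bytes) -> Tuple[bytes, int, bytes]:
        """Attestation: sign (nonce, counter, PCR). The nonce defeats replay of an
        old quote; the counter lets the verifier order the quotes it receives."""
        self.counter += 1
        msg = nonce + self.counter.to_bytes(8, "big") + self.pcr
        return self.pcr, self.counter, hmac.new(self._aik, msg, DIGEST).digest()


def verify_quote(aik: bytes, nonce: bytes, golden_pcr: bytes,
                 q: Tuple[bytes, int, bytes]) -> bool:
    """Verifier side: genuine signature over our nonce AND the expected state."""
    pcr, counter, sig = q
    msg = nonce + counter.to_bytes(8, "big") + pcr
    return hmac.compare_digest(sig, hmac.new(aik, msg, DIGEST).digest()) and pcr == golden_pcr


# Constructed stand-ins for the boot components named on slide 14.
GOOD_BOOT = [b"BIOS v2", b"MBR", b"BootSector", b"BootBlock", b"BootManager"]
ROLLED_BACK = [b"BIOS v1"] + GOOD_BOOT[1:]   # older firmware, rest unchanged


def demo() -> dict:
    """Seal the FVEK on a good boot, then retry after a good and a rolled-back boot."""
    aik = b"A" * 32                          # fixed so the verifier can hold it too
    tpm = SimTPM(aik=aik)
    fvek = os.urandom(32)                    # Full Volume Encryption Key
    tpm.boot(GOOD_BOOT)
    golden = tpm.pcr                         # value the verifier expects in a quote
    blob = tpm.seal(fvek)                    # would be stored on the system volume
    tpm.boot(GOOD_BOOT)                      # reboot: same hardware, same firmware
    good_unseal = tpm.unseal(blob) == fvek
    tpm.boot(ROLLED_BACK)                    # reboot with rolled-back firmware
    rollback_unseal = tpm.unseal(blob)       # None: the PCR no longer matches
    nonce = os.urandom(16)
    rollback_attested = verify_quote(aik, nonce, golden, tpm.quote(nonce))
    return {"good_unseal": good_unseal, "rollback_unseal": rollback_unseal,
            "rollback_attested": rollback_attested}
```

Two properties carry the security argument. The sealed blob on the system volume is useless without the chip, because the wrapping key is derived from the SRK that never leaves it; and even with the chip, a different boot chain (rolled-back firmware, a swapped boot manager, the same components in a different order) yields a different PCR, so the blob does not unseal and the quote does not match the verifier's golden value. A real TPM signs quotes with an asymmetric key so the verifier holds only the public half; the HMAC here is a deliberate simplification.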

  16. Spectrum of Protection
     BitLocker offers a spectrum of protection, allowing an organization to customize according to its own needs. The slide arranges the options along an "Ease of Deployment / Maintenance" axis:
     - TPM Only ("what it is"): protects against most SW attacks; vulnerable to hardware attacks; user must: N/A, no user impact
     - TPM + PIN ("what it is + what you know"): protects against many HW attacks; vulnerable to hardware attacks; user must enter a PIN to boot
     - TPM + USB ("what it is + what you have"): protects against HW attacks; vulnerable to a stolen USB key; user must protect the USB key
     - USB Only ("what you have"): protects against HW attacks; vulnerable to a stolen USB key, no boot validation; user must protect the USB key

  17. More Hardware Security
     - USB tokens
     - RSA SecurID
     - Smart cards
     - CPU-level techniques
     - Encryption disks

  18. cTPM: A Cloud TPM for Cross-Device Trusted Applications (slides from the authors at NSDI '14)

  19. Acknowledgement
     Some of the slides, content, or pictures are borrowed from the following resources, and some pictures are obtained through Google search without being referenced below:
     1. Randy Fort, Trusted Platform Modules, class lecture
     2. Shon Eizenhoefer, BitLocker Drive Encryption: Hardware Enhanced Data Protection
