DOC

Architecture of Trusted PC

By Ronald Cooper,2014-01-26 10:19
7 views 0
Architecture of Trusted PC

    Architecture of Trusted PC ?

    ?

    NaturaISciences

    ArticlelD:l0071202(20O6)061433O4

    ArchitectureofTrustedPC

    wuShuhua,ZHUYuefei

    InstituteofInformationEngineering,Information EngineeringUniversity,Zhengzhou450002,Henan,China Abstract:Thispaper,focusingonthetrustedcomputing group'sstandards,explainedthekeyconceptoftrustedcorn

    putingandprovidedthearchitectureoftrustedPC.Itbuilt trustbottom-upbystartingwithtrustedhardwareandadding layersoftrustedsoftware.Itisasystem-levelsolutionavaila- bletoallaDplicationsrunningonthememberplatforms.This solutionreducesthesecurityburdenonapplicationsandthus simplifiesapplicationprogramming.

    Keywords:architecture;trustedPC;trustedplatform CLCnumber:TN4

    ReceiveddateI20060530

    Foundationitern:SupportedbytheNationalNaturalScienceFoun- dationofChi128(60473021)

    Biography:WUShuhua(1978),raale,Phncandidate.research

    direction:cryptographyandinformationsecurity.E-mail:wushu- hua726@sina.com

    tT0whomcorrespondenceshouldbeaddressed.E-realItzyf0136@ sina.com

0Introduction

    VoI.11No.620()61433-1436

    _n.igforma.tmioenmTechhnaolboegeynhaabsacbee.nngero.wain.g.a.ttheechs?pe.e.d

    

    andbusinesses.OneoftheversionsoftheMoore'slawfor thenetworkingindustrysaysthattheinternettrafficdoubles everyyear.Withsuchanexponentialgrowthintheinternet markettheconcernforsecurityhadalsogrown.

    TrustedcomputingistheanswergivenbytheITindustry tothegrowingconcern,expressedbyusersandthemedia, overon-linesecurityissues[11.Promotedthroughinitiatives likethetrustedcomputinggroup(TCG)andmicrosoftnext- generationsecurecomputingbase(NGSCB)technology,there islittledoubttrustedcomputing(TC),Ilrillbecomeamajor componentofthefutureITlandscape[2I.

    Computerplatformsarewidelyavailableandarecentral tothegrowingrelianceoninternetbusiness.Theneedtode

    signtrustedcomputerplatformsisincreasing,whichiscer

    tainlytrueforthecaseofthepersonalcomputers(PC)weuse directlyE.ThispaperproposedthearchitectureofTrusted PC.whichmeetstheTCGstandards[4-7].Itbuilttrustbot

    tom-upbystartingwithtrustedhardwareandaddinglayersof trustedsoftware.Itisasystem-levelsolutionavailabletoall applicationsrunningonthememberplatforms.Animportant goa1istoreducethesecurityburdenonapplicationsinorderto simplifyapplicationprogramming.Thispapermakestwocon

    tributions.One,itproposesamorecomprehensivesolutionto convertaPCtoatrustedone.Two,itdescribeshowtopro

    videtrusttosecurethenetworkusingatrustedPC. 1ArchitectureofTrustedPC

    ConvertingaPCintoatrustedonerequiresthatrootsof trustbeembeddedintheplatform,enablingtheplatformtobe 13

    l

    l1l,I__.ll-_0?一?.一一一

    trustedbybothlocalandremoteusers.Inparticular, cost-effectivesecurityhardwareactsasarootoftrustin TrustedPlatforms.

    Figure1showsthearchitectureofatrustedPC. whichcontainsatrustedplatformmodule(TPM),acore rootoftrustformeasurement(CRTM).TheTPMisa hardwarechipthat'sseparatefromthemainplatform CPU(s).

    Fig,1TBBcomponentsofatrustedplatform

    Corerootoftrustformeasurement(CRTM):The CRTMistheplatform'sinitializationcodethatexecutes uponaplatformreset.InaPC,CRTMiseitherthe BIOSbootblockortheentireBIOSwithsecuremeasure

    mentfunctions.

    Trustedplatformmodule(TPM):Itisaplatform- independentmodulethatgivessafestorageandmeasure

    mentreportingwithothercryptographickeys.TPMis oftenrepresentedasamicrocontrollerfixedtothemoth

    erboardandstorespasswords,certificatesandkeys. Tosetuptherootsoftrust,weneedmorecompo

    nentsinadditiontoCRTMandTPM.Thecombination ofthesecomponentsiscalledTrustedBuildingBlocks (TBB).AsFig.1illustrates,thesecomponents(indica

    tedwithbold)includetheCRTM,TPM,Keyboard,

CPU.RAM,theconnectionofthemtothebuscontrol

    ler,thebuscontrolleritselfandthemechanismsforde

    terminingphysicalpresence.TheTBBmustbetrusted andexpectedtobehaveinawaythatdoesn'tcompromise thegoalsoftrustedplatforms.

    ThecombinationofTBBandrootsoftrustformsa trustboundarywheremeasurement,storageandrepor

    tingcanbeaccomplishedforaminimalconfiguration,and namelyworksasafoIundationstone,overwhichtheoth

    ertrustworthyconditionsarebuilt.Thisisaprocess wheretherootoftrustgivesatrustworthydescriptionof asecondgroupoffunctions,whichisknownastransitive 1434

    trustor"InductiveTrust".Basedonthisdescription.an interestedentitycandeterminethetrustitistoplacein thissecondgroupoffunctions.Iftheinterestedentity determinesthatthetrustlevelofthesecondgroupof functionsisacceptable,thetrustboundaryisextended fromtherootoftrusttoincludethesecondgroupof functions.Inthiscase,theprocesscanbeiterated.The secondgroupoffunctionscangiveatrustworthy&scrip? tionofthethirdgroupoffunctions,etc.

    Startingfromarootoftrustinhardware.atrusted- PCperformsaseriesofmeasurementsthatrecordsulnma

    riesofsoftwarethathasexecuted(orisexecuting)ona platform.ThisprocessisillustratedinFig.2.Starting withtheCRTM,there'saboot-strappingprocessby whichaseriesoftrustedsystemcomponentsmeasurethe nextcomponentinthechain(and/orothersoftwarecorn ponents)andrecordthevalueintheTPM.Bythese

    means,eachsetofsoftwareinstructions(binarycode)is measuredandrecordedbeforeit'sexecuted.Roguesoft

    warecannothideitspresenceinaplatformbecause,after it'srecorded.therecordingcannotbeundoneuntilthe platformisrebooted.Theplatformusescryptographictech

    niquestocommunicatethemeasurementstoaninterested party,sotherecordedvaluescannotbechangedintransit. 2.Ex

    Fig.2Transitivetrust

    2IntegrityMeasurementand

    Astheprevioussectionshows,measurementsof platformcomponentsandconfigurationswillbetakenas? partofsysteminitialization.However,takingmeasure mentswillnotdetectunsafeconfigurationsnorwillit? takeactiontopreventcontinuationoftheinitialization process.ItjustrecordsintheTPMthedigestofmeas

    urementmerits.Thisresponsibilityrestswithasuitable referencemonitorsuchasanoperatingsystemtoreport toaninterestedentity.Thissectionwillintroducethe conceptionofintegritymeasurementfollowedbyintegrity Reporting.

    000?岛嗽蚺碱醣jui|?_??.

2.1IntegrityMeasurement

    Ameasurementkernelgeneratesmeasurement

    events.Ameasurementeventconsistsoftwoclassesof data;?measuredvalues-arepresentationofembedded dataorprogramcodeand?measurementdigests-a

    hashlofthosevalues.Dataarescannedbythemeasure

    mentkernelwhichgeneratesamessagedigest.Digests

    -areasnapshotofthemachinesoperationalstate. Thestoredmeasurementlog(SML)containsse

    'quencesofrelatedmeasuredvalues.TheSMLcanbe

    comeverylarge.Thereforeitdoesnotresideinthe TPM.AndtheTPMcontainsasetofregisters,called platformconfigurationregisters(PeR)containingmeas urementdigests.

    2.2IntegrityReporting

    Integrityreportingmaybeusedtodetermineaplat

    form'scurrentconfiguration.Ithastwofunctions,to exposeshielded-locationsforstorageofintegritymeas

    urements.Asecondobjectiveistoattesttotheauthen

    ticityofstoredvaluebasedontrustedplatformidentities. Toachievesuchgoals,Integrityreportsaredigitally signedtoauthenticatePeRvaluesusingattestationiden- titykey(AIK)whichisexclusivelyboundinsomeway withplatformidentities.

    TPM,asdescribedbefore,isamicrocontroller whichcontainsPCRsusedtostorethemeasurementdi- gestseauserasksforintegrityreporting,theplat

    formsecurelytransportstheentriesalongwiththe

    respectivethePeRvaluessignedbytheTPMusingan AIK.TheuserfirstverifiestheTPMbycheckingitssig

    naturewiththepublickeyintheAIKcredentialsthat vouchforTPM.IfhebelievesthatthePeRvaluesare suppliedbytheTPM.hecancomputethedigestofthe entriesandcomparewithPeRvaluetoknowtheintegri

    tvofthem.Thentheusercancheckthesemetricsde

    rivedfromtheSMLandcomparewiththeones(mayon- lyastheirdigest)providedbythetrustedthirdpartyand

    ?evaluatethetrustworthinessofthismachine.Accordingly itwilJmakeitsdecisiontocarryoutthecommunicationin atrustedoranon-trustedenvironment.

    3TPMOperation

    Aswehaveknown,TPM,thehardwaresecurity

    devicedefinedbyTCG,playsveryspecificrolesintrus

    tedcomputingarchitectures.Thissectionwillintroduce whatithasoperatedsincesystemstartsupuponaplat

    formreset.

    Whentheplatformfirstreceivespower,TPMbe- ginsaDinitializationprocess.AfterTPMcompleteinitial

    izationsuccessfully,itentersfullyoperational:mode. Fullyoperationaldoesnotimplythatallfunctionsofthe TPMareavailablebecausethereareseveralmutually-ex

    clusivemodesofoperationinwhichTPMbehaviormay belimited.Theyareasfollows:enabled/disabled,acti

    vated/deactivated,owned/un-owned.

    ThereforetheTPMneedstohaveaTPMownerand

    beenabledforallfunctionstobeavailable.ForaTPM withnoownerinstalled.theuserhastoassertphysical presencetohaveownerinstalled.Physicalpresenceisre

    quiredinordertoenablecertainTPMcommandsandby

    passownerauthorizationwhenthesharedsecretisuna- vailableortheTPMissettoanon-ownerstate.Physical presencecouldbederivedfromaphysicalswitchorjump- erormomentarybutton.

    Fromtheentiresystem'sviewpoint,TPMbeingin operationalmodeiSequivalenttobeintheclient-re

    sponsestatewhereTPMreceivecommandsfromthe mainsystem(forexample,CRTMorOS)andresponds

    tothemaccordingly.ReadersarereferredtoRef.[7]for moreinformationaboutthecommandsitshouldbesup

    ported.

    Forsecurityreasonsandduetoprivacyconcerns,al1 commandstotheTPMthataffectsecurity,privacyorre

    vea1platformsecretsmustbeauthorized.AuthOrization meansthecallermustsupplyasecretaspartofcommand invocation.usuallyasaMAC.AuthorizationinTCGis basedontheproofofknowledgeofasharedsecret:the Authorizationdata.Authorizationdataissharedbetween theTPMandauthorizedusers.

    tiondataisacompleteproofof

    tectedobject.

    Knowledgeofauthoriza-?

    ownershipofaTPM-pro

    Tosomeextent,thepair(object,authorizationdata) correspondstoacapabilityassociatedtoaTPM-protected object.Tosecurelypassaproofofknowledgeofauthoriza- tiondatafromausertotheTPM.TCGdefinesthteepro

    tocols:OIAP,0SAPandDsAP.Authorizationdatacrea

    tionandupdateismanagedbyspecificprotocols:,

    andAACP.ReadersarereferredtoRef.[6]for moreinformationabouttheseauthorizationprotocols. 4TPMArchitecture

    fulfilltheassignmentsmentionedintheprevious 1435

     sections,theTPMmustsupportaminimumsetofalgo

    rithmsandoperations.Thissectiondescribesthelogical layoutoftheTPManditsdiscretecomponentsasthe

    minimumconfiguration.ReadersarereferredtoRef.16l forimplementationdetails.TheblockdiagramFig.3 showsthemajorcomponentsofaTPM.

    TheI/Ocomponent,managesinformationflowover thecommunicationsbus.

    Fig.3TPMcomponentarchitecture

    Thecryptographicco-processorimplementscrypto

    graphicoperationswithintheTPM.Thoseoperationsin

    clude:Asymmetricencryption/decryption(RSA),and Asymmetricsignature/verification(RSA)andsoon. TheKeyGenerationcomponentcreatesRSAkey pairsandsymmetrickeys.

    TheSHAengineisatrustedimplementationofa hashalgorithm.Thehashinterfacesareexposedoutside theTPMtosupportMeasurementtakingduringplatform bootphasesandtoallowenvironmentsthathavelimited capabilitiesaccesstoahashfunctions.

    TheHMACengineprovidestwopiecesofinforma

    tiontotheTPM:proofofknowledgeoftheAuthData andproofthattherequestarrivingisauthorizedandhas nomodificationsmadetothecommandintransit. Therandomnumbergenerator(RNG)componentis thesourceofrandomnessintheTPM.TheTPMuses theserandomvaluesfornonces,keygeneration,andran

    domnessinsignatures.

    ThepowerdetectioncomponentmanagestheTPM powerstatesinconjunctionwithplatformpowerstates. TCGrequiresthattheTPMbenotifiedofallpowerstate changes.Powerdetectionalsosupportsphysicalpresence assertions.

TheOptIncomponentprovidesmechanismsand

    protectionstoallowtheTPMtobeturnedon/off,ena

    bled/disabled,activated/deactivated.

    Theexecutionengineisamicrocontrollertorun 1436

    programcodetoexecutetheTPMcommandsreceive~l fromtheI/Oport.

    Non-volatilememorycomponentisusedtostore persistentidentityandstateassociatedwiththeTPM. Volatilememorycomponentisusedtostorevolatiledata. AsabuildingblockofatrustedplatformTPMcom.. ponentsaretrustedtoworkproperlywithoutadditional oversightE.Inaddition,toenableTPM'sintegration? oilPCmotherboards,correspondingdriversandsoftware stackmustbeprovidedtosupportit.Moreinformation? aboutitcanbefoundinRefs.r9,io].

    5Conclusion

    TCisanimportantsteptowardssecuringthecompu-- tinsdeviceandtherebysecuringthenetwork.TCaimsto provideaplatformwherenoapplicationsoftwareistampe-- red.TrustedPCisoneofsuchplatforms.Thispaper,fo- cusingontheTCS'sstandards,explainsthekeyconcept ofTCandprovidesthearchitectureofTrustedPC. [121.angeK.SecurityWhatDoes"Trust"HavetoDoWithIt [EB/OI].E2oo603272.http://t;眦sans.org/reading

    room/whitepapers/windows/939.php.

    [22AndersonR.TheEconomicsofTrustedComputing[EB, 0I].[2oo21I-07].http://t.netproject.co.uk/presen

    rations~TCPA/ross_anderson.pd{.

    r3]HagemanC.TheTrustedPC:CurrentStatusofTrusted

Report this document

For any questions or suggestions please email
cust-service@docsford.com