Trusted Computing - PowerPoint PPT Presentation

About This Presentation
Title:

Trusted Computing

Description:

Embedding Privacy Policy into the applications that use Sensitive Information ... Seal jet Blue customer data. Can only be decrypted on the same platform ... – PowerPoint PPT presentation

Number of Views:165
Avg rating:3.0/5.0
Slides: 59
Provided by: chandanapr
Learn more at: https://zoo.cs.yale.edu
Category:
Tags: blue | computing | jet | trusted

less

Transcript and Presenter's Notes

Title: Trusted Computing


1
Trusted Computing
  • Chandana Praneeth Wanigasekera

2
Introduction
  • jetBlue
  • The need for systems that can be trusted
  • Embedding Privacy Policy into the applications
    that use Sensitive Information
  • Credit card machines

3
PII
  • You can still retain control
  • Expiration
  • Remote destruction with little effort by the
    corporation who has the data
  • Force privacy policies

4
Descartes (1641)
  • Meditations on First Philosophy
  • Can we trust our senses?
  • What if everything we experience is a delusion
    created by an evil demon bent on deceiving us?

5
The Matrix?
6
Interest
  • This is a question that has been weighing on
    Several computer companies
  • How do you know that your computer is actually
    what it seems?
  • Hackers and imitative programs
  • Sensitive information, keystrokes and complete
    control

7
Trust in other software
  • How can one program running on your computer
    trust another one?
  • What if the operating system has been subverted
  • Anti Virus
  • How would you warn the user?

8
Trust in you
  • Movie studios, recording companies, Health care
    providers legitimate right
  • Some information is given based on trust in you
  • Do you have control?
  • Real issues
  • Viruses
  • Trojans
  • Spyware
  • P2P networks

9
Implications
  • Implications for a P3P client
  • Alterations of policy
  • Lack of enforcement
  • Advantages of a trusted client and a trusted
    website component
  • Many implications on privacy of sensitive
    information

10
Trusted Computing Initiatives
  • Trusted Computing Platform Alliance
  • Trusted Computing Group
  • Microsoft, Intel, IBM, HP, AMD
  • Hardware Software
  • Attempt to build a trusted platform

11
Foundation of Trust
  • Descartes
  • A secure reliable bootstrap architecture (1997)
  • Bill Arbaugh, Dave Farber, Jonathan Smith
  • Booting a machine into a known state
  • Early PCs ROM BIOS and no HDD
  • Digital Rights Management OS Patent by Microsoft
  • Paul England (Secure PC team leader)

12
Foundation of Trust
  • Ultimate aim is to end up in a known state
  • Need for a core root of trust module

Known State
Post boot
Pre boot
Core Root of Trust
13
Trusted Computing Platform Alliance
  • MissionThrough the collaboration of HW, SW,
    communications, and technology vendors, drive and
    implement TCPA specifications for an enhanced HW
    and OS based trusted computing platform that
    implements trust into client, server, networking,
    and communication platforms.
  • Replaced by Trusted Computing Group, but the TCPA
    specification was adopted by TCG as their
    specification.
  • Patent licensing policy of TCG, all new work
  • Compaq, HP, IBM, Intel, Microsoft

14
Trusted Platform Module (TPM) v1.1
  • The TPM is a collection of hardware, firmware
    and/or software that support the following
    protocols and algorithms
  • Algorithms RSA, SHA-1, HMAC
  • Random number generation
  • Key generation
  • Self Tests
  • The TPM provides storage for an unlimited number
    of private keys or other data using RSA

15
PC Specific block diagram of TCG
16
Secure storage in TPM
  • Seal and Unseal which are simply front-ends to
    RSA encrypt and decrypt
  • But sealing encrypts the platform configuration
    register (PCR) values with the data. Unique
    identifier tpmProof.
  • Conditions for unsealing data
  • Appropriate key is available
  • TPM PCRs must contain the same values as during
    sealing (implicit key in PCRs)
  • tpmProof must be the same as during encryption
  • Allows software to state the future configuration
    the platform must be for unsealing.

17
Additional operation Unbind
  • Unbind decrypts a blob created outside the TPM
    where the private key is stored inside the TPM.
  • A blob is data header information encrypted.
  • Seal jet Blue customer data
  • Can only be decrypted on the same platform
  • Removes the possibility of data being accessed by
    different machines

18
Types of keys
  • Storage Root Key one for each TPM created at
    the request of the owner, migratable,
    unmigratable data
  • Signing keys leaves of the storage root key
    hierarchy
  • Storage keys used for the protected storage
    hierarchy only and Binding keys
  • Identity keys used for TPM identity
  • Endorsement key pair asymmetric key pair
    generated by or inserted in the TPM as proof that
    it is genuine.
  • One to one relationship between TPM and
    endorsement key
  • One to one relationship between TPM and platform
  • Endorsement key and platform

19
Encryption Algorithms
  • RSA algorithm (must)
  • RSA key sizes of 512, 1024, and 2048 bits.
  • The RSA public exponent must be e, where e
    2161
  • TPM storage keys must be equivalent to a 2048 bit
    RSA key
  • Secure Hash Algorithm (SHA) -1 hash algorithm(160
    bits) used in the early stages of the boot
    process (more complicated later?)
  • RSA for signature and verification
  • RNG capabilities -gt only accessible to TPM
    commands
  • Key generation capabilities -gt protected by a
    private key held in a shielded location

20
Self tests
  • Checks RNG
  • Checks Integrity Registers
  • Checks integrity of endorsement key pair by
    making it sign and verify a known value
  • Self checks the TPM microcode
  • Checks Tamper-resistance markers
  • On failure the part that failed enters shut down
    mode

21
Self test procedure
22
Target of evaluation (TOE)
  • The new version of TCG will have TPM as a
    monitoring module and doesnt actually control
    the boot process
  • Hardware, software and firmware that comprise the
    TPM
  • Identifies threats to the TOE T.Attack,
    T.Bypass, T.Imperson, T.Malfunction etc.
  • Each threat is explained and the objective is
    explained in the specification, eg. O.Attack
  • An example

23
T.Export
  • Threat description A user or an attacker may
    export data without security attributes or with
    unsecure security attributes, causing the data
    exported to be erroneous and unusable, to allow
    erroneous data to be added or substituted for the
    original data, and/or to reveal secrets.
  • Objective (O.Export) When data are exported
    outside the TPM, the TOE shall ensure that the
    data security attributes being exported are
    unambiguously associated with the data.
  • Interesting use of user or an attacker here

24
T.Replay
  • Threat description An unauthorized individual
    may gain access to the system and sensitive data
    through a replay or man-in-the-middle attack
    that allows the individual to capture
    identification and authentication data.
  • T.Replay is countered by O.Single_Auth, which
    states The TOE shall provide a single use
    authentication mechanism and require
    re-authentication to prevent replay and
    man-in-the-middle attacks.

25
TPM Block diagram
26
Software
  • Palladium - After the mythological statue that
    defended ancient Athens against invaders
  • Microsoft has discontinued use of the code name
    "Palladium." The new components being developed
    for the Microsoft Windows Operating System, are
    now referred to as the Next-Generation Secure
    Computing Base for Windows (NGSCB).

27
Next-Generation Secure Computing Base for Windows
28
NGSCB
  • Seal and Unseal explained
  • Nexus Computing Agents(NCA)

29
Microsoft on applications
  • Bryan Willman Suppose you run a pharmacy
    company. When you test a new drug, of course it's
    bad if someone has a bad reaction to the drug,
    but it's much worse if someone tampers with that
    data so that your results are skewed. That means
    it's critical that all test data is entered
    accurately and no one tampers with it. NGSCB
    ensures that those files can't be breached or
    modified in any way.
  • Here's another example. If you and your doctor
    and your pharmacist are communicating about a
    medical condition you have, you want to be sure
    that the information you exchange is confidential
    and true. Today you probably wouldn't want to do
    that online from your home computer because with
    all that software that you and your kids have
    loaded onto it, somewhere along they way it may
    have picked up a virus or two, so there's no way
    to know for sure how safe your information is.
    With NGSCB you use the right-hand side, and no
    matter what is happening on the left-hand side,
    you can be sure that the data passed between you
    and your doctor and your pharmacist hasn't been
    tampered with.
  • Microsoft has a separate research area called
    Trustworthy Computing which is more towards what
    we define as trust

30
Features described by Microsoft
  • Memory Curtaining
  • Secure Input and Output
  • Sealed Storage
  • Remote Attestation lt- the scariest

31
Memory Curtaining
  • Strong hardware enforced memory isolation
  • Programs are not able to read or write each
    others memory
  • Not even the OS
  • Intruders have no access
  • Implementation in hardware permits the greatest
    backward compatibility with existing software,
    which is a goal

32
Secure I/O
  • Key loggers, screen grabbers
  • Music and movie industry would like this a lot
  • It will allow programs to determine if the input
    came from a user or from a different program
  • Would take out the case of a virus taking over
    the output from Anti Virus software
  • Good for privacy of data

33
Secure Storage
  • Similar to what we saw in the TCG specification
  • Addresses the failure of PCs to store keys
    securely
  • No more .pwls
  • How can they be stored so that its only
    accessible to legitimate users?
  • Generates the key based on the software
    requesting the key and the platform that its
    running on at the time
  • No need to store the key, as the key can simply
    be recreated when it is needed
  • Imposes that sealed data can only be decrypted on
    one particular user platform software
    combination
  • Is this a good thing?

34
Do you have control?
  • Moving files from your computer
  • What if you dont like Excel anymore
  • Exporting Data to a different application is very
    hard
  • Adversary is the owner
  • License fees
  • Upgrades/Downgrades
  • Do you have a choice?

35
Remote Attestation
  • Most revolutionary of the features
  • Aims to allow detection of unauthorized changes
    to Software
  • Others need to be able to tell if your system is
    compromised
  • Protect a computer against its owner
  • A cryptographic certificate of the software
    running
  • Remote party can say if the version of software
    has been altered
  • Windows XP, Warcraft
  • No more cheating in Network Games

36
Advantages
  • Each feature can be used to prevent or mitigate
    real attacks on computers
  • Coding flaws in one application will not result
    in private data being accessed by a different
    application
  • P2P client MS Word
  • Does not stop you from running harmful programs,
    just contains the area it runs in
  • NGSCB itself will not inherently prevent a user
    from using a particular operating system or
    hardware
  • Spyware will become extinct (No more Gator!)

37
Problems
  • Risks of anti-competitive or anti-consumer
    behavior
  • Deliberate manufacturer mistakes in
    implementation handled by open source?
  • Threat model supports that the owner is a threat
  • Attestation cannot differentiate between changes
    to software with owners consent and changes in
    software by unauthorized intruders
  • No legal backing to this, users have a legitimate
    right to reverse-engineer for improvement of a
    program
  • Third parties can compel you to choices which you
    wouldnt have made otherwise

38
More problems
  • Websites that demand attestation
  • The user cant give an attestation that hes using
    IE if hes using Mozilla instead
  • MSN not serving webpages to non Microsoft
    browsers
  • Can be used to subject you to advertising
    (approved client)
  • Web servers/File servers that demand fees from
    client developers
  • Greatly increases costs of switching to rival
    software
  • Samba -gt interoperable file system created
    through reverse engineering (Microsoft could
    permanently lock out Samba from Windows File
    servers)

39
Interoperability
  • Current issues with third party MSN Messenger
    Clients
  • General lock-in problem
  • Sealed storage Attestation

40
Digital Rights Management
  • Microsoft and the TCG have made several attempts
    to say that Trusted Computing is not designed to
    enforce DRM
  • Easy for DRM enforcers to enforce policies on
    users
  • Trusted Computing maintains the rights of the
    owner of the document at all costs
  • Destroying documents (court order?)
  • Privacy issues, back to the days when books could
    be burned
  • Attestation causes problems

41
Links between DRM and NGSCB
  • Curtaining prevents information in decrypted form
    from being copied
  • Secure output (no screen grabbing)
  • Sealed storage allows files to be stored so that
    only the DRM client that stored them can access
    them
  • Remote attestation makes sure only the above DRM
    client is run
  • Easy to implement DRM over NGSCB
  • Microsoft filed a patent for a DRM OS -gt possible
    link here (same individuals involved)

42
Computer User as Adversary
  • Seth Schoen of the Electronic Frontier Foundation
  • A possible solution Owner override
  • The owner can attest anything
  • Takes away some of the advantages but we still
    have a free world!
  • Will opt-in be real?
  • Trusted computing aims to enable others to trust
    your computer
  • Is this relavent?
  • Movies released with remote attestation

43
Troubling implications
  • Just a way for Microsoft to make sure pirated
    software wont run?
  • Switch off all the computers in China?
  • Remote control
  • Deleting pirated music
  • Digital objects created under TC remain under
    ownership of the author, even if legal control
    has been handed to the user
  • Media Control

44
Related Legislation
  • Fritz Hollings
  • (a) SHORT TITLE. -- This Act may be cited as the
    "Consumer Broadband and Digital Television
    Promotion Act".
  • SEC. 2. FINDINGS.
  • The Congress finds
  • (1) The lack of high quality digital content
    continues to hinder consumer adoption of
    broadband Internet service and digital television
    products.
  • (2) Owners of digital programming and content are
    increasingly reluctant to transmit their products
    unless digital media devices incorporate
    technologies that recognize and respond to
    content security measures designed to prevent
    theft.
  • (3) Because digital content can be copied
    quickly, easily, and without degradation, digital
    programming and content owners face an
    exponentially increasing piracy threat in a
    digital age.
  • .

45
Hollings Bill
  • (18) Piracy poses a substantial economic threat
    to America's content industries.
  • (19) A solution to this problem is
    technologically feasible but will require
    government action, including a mandate to ensure
    its swift and ubiquitous adoption.
  • (20) Providing a secure, protected environment
    for digital content should be accompanied by a
    preservation of legitimate consumer expectations
    regarding use of digital content in the home.
  • (21) Secure technological protections should
    enable owners to disseminate digital content over
    the Internet without frustrating consumers'
    legitimate expectations to use that content in a
    legal manner.
  • (22) Technologies used to protect digital content
    should facilitate legitimate home use of digital
    content.
  • (23) Technologies used to protect digital content
    should facilitate individuals' ability to engage
    in legitimate use of digital content for
    educational or research purposes.
  • Basic idea -gt Digital Rights Management enforced!
    TCPA Mandated?
  • Thankfully this Bill was not passed ?

46
Related Legislation
  • Feinstein wanted DRM
  • This is Napster times 10
  • Shrek
  • Paul Boutin A little knowledge is a dangerous
    thing (in regard to the hollings bill)
  • The decision to play or not to play must be made
    by the content, not the player, DRM experts warn.
    It's tricky, but they'll get to it -- if the
    industry isn't forced to accept a compromise
    standard first.

47
Why TCG?
  • Controversial
  • All the manufactures involved in the process
    would profit greatly if the computer is accepted
    as a general entertainment platform for the home
  • Microsoft has been trying
  • The patents on DRM OS are remarkably similar to
    the current work on TCG
  • Implications on the GNU Public License (GPL)

48
Importance of Open Source
  • User Invention
  • Right to reverse engineering
  • Controversial DMCA
  • Are after purchase restrictions legal?
  • Cell phones that drain generic batteries
  • Printers that refuse to accept cartridges that
    have been refilled
  • Trusted Computing could add a few for computers
    here
  • Sony would want our computers to behave like
    closed DVD players do we want that?

49
Will it work for us?
  • jetBlue, enforcing P3P
  • Yes.
  • Customers can even revoke information they
    submitted and that would be destroyed from the
    jetBlue database
  • The trusted computing base will make it
    impossible to just copy data from one place to
    another
  • Is this a good corporate solution?

50
Limiting the Scope
  • If we can limit the scope of the initiative to
    personally identifiable information instead of
    programs in general.
  • We have a good solution for the problem of
    sensitive information in a wired world
  • People can submit data with policys so that they
    will be destroyed on a later date
  • Should not be applied generally
  • Enron

51
The Law and Economics of Reverse Engineering
  • Yale Law Journal (Pamela Samuelson and Suzanne
    Scotchmer)

52
Interoperability Debate
  • Reasons a firm would not want to make their
    software interoperable
  • Example from IBM
  • Reverse engineering challenges interoperability
  • Microsofts APIs are trade secrets

53
Open Source Software Projects as User Innovation
Networks
  • Study by Eric von Hippel MIT Sloan School of
    Management (2002)
  • Clearly shows the advantages of user innovation
  • User innovation is thwarted by the current model
    towards Trusted Computing

54
von Hippels Results
55
von Hippels Results continued
56
Conclusion
  • As developed currently, Trusted Computing
    seriously challenges user privacy and freedom.
  • Programs that call home and report how they are
    being used would be a significant threat to
    privacy.
  • Reverse engineering and open source software can
    not coexist with the current model for Trusted
    Computing.
  • The current model thwarts invention and is more
    suitable as a basis for DRM (if we need that?)
  • The concept of trust is based on others trusting
    your computing, not you trusting your computer.
  • This is a flawed concept.

57
Lessons
  • Some of the concepts in the TCG platform can be
    very useful in implementing effective privacy and
    security.
  • Certain features such as attestation should be
    removed from the specification or a user override
    feature should be provided for attestation
  • Not everything that is open source is good for
    you!

58
The Battle has begun!
Write a Comment
User Comments (0)
About PowerShow.com