Trusted Platforms for Homeland Security

                       By Kevin Schutz, Product Manager—Secure Products

Summary
Ongoing threats from hackers, viruses, and worms continue to make security a top priority for IT
and business professionals in both the private and government sectors. Critical homeland
infrastructures depend on IT for operations command and control. The emerging Trusted Platform
Module (TPM), as driven by the industry consortium Trusted Computing Group (TCG), is a
standard that allows affordable authentication, encryption, and network access to be
accomplished on a variety of computing platforms, most notably today's PCs. In this paper we will
examine the hardware and software applications available for immediate implementation and
discuss how the TPM chip can be adapted to address many homeland security issues and
applications.

                    Atmel Corporation • 2325 Orchard Parkway • San Jose, CA 95131
                TEL (408) 441-0311 • FAX (408) 487-2600 • Web Site: http://www.atmel.com

The Trusted Computing Group
            The TCG is an industry standards body formed in 1999 by several PC industry leaders.
            Originally called the Trusted Computing Platform Alliance (TCPA), the primary goal of the
            group is to promote the concept of trusted computing by establishing an open industry
            standard, enabling devices and transactions to be trusted, private, protected, safe, and
            reliable across a wide array of platforms. The TCG establishes specifications for trusted
            computing across a variety of computing platforms. The foundation for trusted computing
            relies on the concept of providing a hardware-based "root of trust." Once this root of trust is
            established, the boundary of trust can be extended to include software at various levels
            within the computing environment. Hardware-based roots of trust can be quantifiably
            measured against specific protection profiles, enabling one to begin to accurately measure
            risk. Once risk can be measured, methods of risk mitigation can be developed, including
            crafting appropriate policies, underwriting risk, and possibly improving or hardening the
            computing environment more thoroughly.

Trusted Platform Modules
            Within the concept of trusted computing, a silicon chip defined as a Trusted Platform
            Module (TPM) provides the hardware-based root of trust. The TPM can be thought of as a
            secure key generator and key cache management device, supporting industry-standard
            cryptographic APIs such as MS CAPI and PKCS#11. The TPM contains sufficient
            cryptographic functionality to generate, store, and manage cryptographic keys in hardware
            while leveraging the resources of the rest of the system platform. This allows for cost-
            effective "hardening" of many of today's commonly deployed applications that previously
            relied solely upon software encryption algorithms with keys hidden on a hard disk drive
            (HDD).

            A TPM includes a true random number generator (RNG) used in the creation of RSA key
            pairs internal to the TPM. The source of the "root of trust" lies in the generation of the first
            key pair a TPM creates: the Storage Root Key (SRK). The SRK is never exported from the
            TPM. Each SRK is unique, making each TPM unique.

            Each subsequent RSA key pair that the TPM is requested to generate is bound to the
            original SRK. The private keys are either securely stored in the TPM or encrypted and then
            exported from the TPM and stored on a mass storage device such as an HDD. Whenever
            a key that is not stored on the TPM is required for a particular operation, the encrypted key
            blob is imported onto the TPM, where it is securely decrypted internally on the TPM. In
            properly architected systems, unencrypted private keys are never stored outside the TPM
            for any significant amount of time.

            The Trusted Computing Group standard version 1.1b specifies that TPM ICs perform five
            major functions:

            1.   public key functions for on-chip key pair generation using a hardware RNG;

            2.   public key signature, encryption, and decryption to enable secure storage of data and
                 digital secrets;

2                                                                                        5062A–TPM–02/04

    3.   storage of hashes (unique numbers calculated from pre-runtime configuration
         information) that enable verifiable attestation of the machine configuration when
         booted;

    4.   an endorsement key that can be used to anonymously establish that an identity key
         was generated in a TPM; and

    5.   initialization and management functions that allow the owner to turn TPM functionality
         on and off, reset the chip, and take ownership of its functions.

    Atmel's TPMs meet the TCG standard and also provide additional features for extended
    security. They integrate a high-performance processor, a cryptographic engine, a random
    number generator, a secure internal memory, a real-time clock, and tamper prevention
    circuitry on a single integrated circuit.

    The TPM processor controls the functions and sequencing of the entire TPM, including its
    internal functional blocks and its interface to the rest of the system resources, such as the
    primary system processor and the mass storage available on the system. It moves data
    between the system processor and the internal TPM memory and sequences the
    cryptographic engine. The TPM's RNG generates the seed numbers for the cryptographic
    processor's encryption, decryption, and key generation functions. By off-loading the RSA
    calculation from the general-purpose system processor, Atmel TPMs improve both system
    and encryption performance.

    The TPM's non-volatile memory securely stores encryption keys, including the SRK,
    endorsement key (EK), and other sensitive data. The TPM processor and the tamper
    circuits control access to the protected memory. Atmel TPMs also include an unalterable
    real-time clock (not required by TCG standard 1.1b) that provides tamper-proof, unique
    date stamping for the authentication and attestation processes. Any alteration of the
    system clock (e.g., changing the date) signals a possible attempt to extract information out
    of the TPM. In addition, proprietary, tamper-proof circuits in Atmel TPMs monitor the
    voltage, clock frequency, and other aspects of the TPM's operating environment for signs
    of tampering. If the environment moves out of a prescribed range, the tamper prevention
    circuits will take action to prevent access to sensitive information stored within the TPM.
    For example, if the TPM's supply voltage drops below a prescribed level, internal memory
    reads would not be allowed. Lowering the voltage can be a means of accessing sensitive
    information. The tamper circuits are designed to thwart these attacks.

    TPMs contain secure non-volatile storage space that is intended to contain measurements
    of system hardware and software status. Measurement consists primarily of submitting all
    system software and hardware to a hash algorithm in a predetermined sequence. If this
    measurement is performed when the system is in a known trusted state, then the resulting
    hash can be stored in the TPM and compared to the result of a subsequent measurement.
    Any changes will be detected by the comparison, and appropriate actions can be taken to
    prevent execution of modified software or hardware. This measurement capability can be
    used to provide detection of any remote system modifications resulting from malicious
    viruses or worms.
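    As an added example (not code from the paper or from Atmel), the following Python model shows the measurement step described above: each component's hash is folded into a Platform Configuration Register with the extend operation TPM 1.1b uses, PCR_new = SHA-1(PCR_old || SHA-1(component)), and the result is compared with the value recorded in a known trusted state. The component images and the single-PCR layout are constructed for illustration.

```python
"""Software model of the TPM 1.1b measurement chain (added example, not the
paper's code). Components are hashed in a predetermined sequence, each hash
is folded into a PCR with the extend operation, and the final value is
compared against the one recorded when the system was in a trusted state."""
import hashlib
import hmac
from typing import Iterable, Tuple

PCR_BYTES = 20  # SHA-1 digest length; 1.1b PCRs are 20 bytes and reset to zeros


def measure(component: bytes) -> bytes:
    """Hash of one boot component (BIOS, option ROM, boot loader, kernel)."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: a PCR is never written directly, only extended."""
    assert len(pcr) == PCR_BYTES and len(measurement) == PCR_BYTES
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(components: Iterable[bytes]) -> bytes:
    """Fold an ordered boot sequence into one PCR from its reset value."""
    pcr = bytes(PCR_BYTES)
    for component in components:
        pcr = extend(pcr, measure(component))
    return pcr


def verify_platform(expected: bytes, components: Iterable[bytes]) -> bool:
    """Policy check: does the current boot match the recorded trusted state?"""
    return hmac.compare_digest(measured_boot(components), expected)


# Constructed sample "firmware images" standing in for real boot components.
TRUSTED_BOOT = [b"BIOS v1.02", b"option ROM: NIC", b"boot loader", b"kernel 2.4.22"]
GOLDEN_PCR = measured_boot(TRUSTED_BOOT)  # recorded while the system is trusted


def demo() -> Tuple[bool, bool, bool]:
    """Return (unchanged, tampered, reordered) verification results."""
    unchanged = verify_platform(GOLDEN_PCR, TRUSTED_BOOT)
    # A worm patches the kernel image: any change to a component changes the PCR.
    tampered = verify_platform(GOLDEN_PCR, TRUSTED_BOOT[:3] + [b"kernel 2.4.22 patched"])
    # Same components measured out of order: the chain is order-sensitive,
    # which is why the measurement sequence must be predetermined.
    reordered = verify_platform(GOLDEN_PCR, list(reversed(TRUSTED_BOOT)))
    return unchanged, tampered, reordered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

    The comparison only reports a mismatch; as the paper notes, deciding whether to query the result and what to do on a mismatch remains a policy decision made by the CPU-side software.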

    At this point, it is important to note that TPMs do not control any events. They only serve to
    observe and track system activity. TPMs communicate with system CPUs on a non-system
    bus, and only act under the control of the system CPU and the policies codified in the
             operating system and other application software. If the TPM does detect any suspicious
             activity, it can only report said activity when requested. Whether to query TPMs for such
             activity is a policy decision. Furthermore, it is a policy decision to decide to act in a specific
             manner if the TPM does report back a suspicious result.

             Finally, as originally defined, TPMs were not intended to serve as stream encryption
             engines. This is not a matter of technological capability, but rather one of cost. TPMs
             typically will be deployed in systems containing CPUs that are high-performance relative to
             TPMs, so the TPM will hand off the stream encryption tasks to the CPU. Since stream
             encryption capabilities are already present in the CPU, it should be most effective at
             performing this task. TPMs do not control the encryption process; they only provide
             capabilities to monitor system processes. The CPU controls any actions the TPM takes;
             the CPU makes a request to the TPM, and the TPM will take an action.

Utilization of RSA
             It is generally acknowledged in cryptographic circles that algorithms must be open for
             public scrutiny before they can be widely accepted and can claim to have withstood critical
             evaluation by skilled cryptographers. RSA has a proven track record worldwide and is
             widely deployed in a variety of applications. By employing RSA encryption, TPMs can be
             used by many of today's popular applications without modification, providing immediate
             value to the market.

Creating Safe Storage
             Traditional open systems such as PCs do not have a safe place to store confidential
             information. Now that affordable TPMs are available, a TPM can provide a small safe or
             depository on the motherboard in which to store such information. Even other computing
             platforms that employ architectures that are not as open as a PC, such as servers, can
             benefit from using TPMs, which provide certifiable secure hardware.

             In many of today's non-TPM systems that employ only software encryption of data and
             files, the keys are usually stored somewhere on the hard drive. If someone stumbles
             across encrypted files, all they see is a blob of data. However, given enough time, a
             diligent hacker - even one who is working at a remote location - will locate the keys hidden
             on the hard drive. If the keys can be found, the data may as well not be encrypted! With
             TPMs as part of the system, the keys need not be hidden on the disk drive but can still be
             protected.

             The keys can also be stored off the hard drive on a removable token such as a smart card
             or USB dongle. But removable tokens are much easier to misplace or lose, and they tend
             to cost much more than TPMs. TPMs provide an affordable improvement in security over
             existing software-only solutions. With the advent of TPMs, OEMs now have the ability to
             provide affordable, certifiable hardware security in open system architectures based on
             industry standards.


Usage Models
           TPM usage models can range from simple data and file encryption to authentication of
           entire computing platforms and environments. Several examples of different models follow.

           Secure Access
           This model is intended to address the concern of unauthorized local or remote user access
           to computing resources. The solution is to permit access through automated login and
           secure auto-logon to applications. TPMs are used to protect and store the encryption keys
           used to encrypt/decrypt passwords. The benefits include single sign-on; assurance that
           only the rightful owner has access to the client and related data and capabilities; possible
           multiple-user authentication methods (compatible with smart cards, biometrics, etc.); and
           credential/password management via the TPM.

           Data Protection
           This model is intended to address the concern of compromised integrity of data stored on an
           HDD. The solution is to permit access to protected data only by lawful owners of the data.
           TPMs apply by protecting and storing the encryption keys used to encrypt/decrypt data
           stored on the HDD, and digital certificates to authenticate the user. The benefits include
           the transparent encryption of files and folders and access to encrypted files by the OS in
           the same manner as standard files.

           Protected Communications
           This model is intended to address the concern of compromised communications, such as
           e-mail. The solution is to encrypt the communication during transmission through insecure
           networks and provide digital signatures for proof of content integrity and authorship, using
           a secure e-mail plug-in that integrates seamlessly into popular e-mail applications. TPMs
           can protect and store the encryption keys used to decrypt the communication session key
           and digital certificates to authenticate the user. The benefits of this model include proof of
           authorship, integrity of content, and non-repudiation.

           Secure Network Access
           This model addresses the concern of unauthorized systems gaining access to the
           network. The solution is to manage and control access to resources via the Web or the
           Internet and to secure the transmission of data over TCP/IP networks. TPMs can protect
           and store the primary signing key used to authenticate the client. This authentication of the
           client facilitates the exchange of keys with integrity, enabling the protected communications
           over the integrated network by only allowing network access to known clients. Similarly, for
           two-way authentication, the network can authenticate the client. This model gives remote
           employees secure access to corporate LANs and high-speed Internet from any dial-up,
           cable/DSL, and wireless access point; enables IT staff to verify that the client is known and
           to secure internal networks and portions of the network; and provides fast hardware
           solutions for VPN-gateways and Peerless software-only solutions for clients.


    Example

    Using a TPM, the client is able to boot up in a controlled, protected manner. The executive
    may need to authenticate herself or himself to the client in order to gain access to the
    client's resources. Once the executive has authenticated herself or himself to the TPM, the
    client can authenticate with the access point. Both the client and the access point have the
    ability to challenge each other before allowing any further transactions to occur. (See Figures
    1 and 2.) Once both the client and the access point have mutually authenticated each
    other, the next step is to repeat the mutual authentication process between the access
    point and the disk array (including any intervening nodes). (See Figure 3.) Once each
    segment of the network has been mutually authenticated, each node pair can then
    securely perform key exchanges that can be used to protect the communications channels
    in the form of a VPN from the disk array to the client. In each step of the process, the TPM
    provides the hardware protection of the keys required to authenticate and harden the
    communication channel. Intermediate stages of the network may utilize open and shared
    network segments, allowing transmission over the Internet.

    Figure 1. Client Authenticates To Access Point

    Figure 2. Access Point Authenticates To Client


             Figure 3. Network Access

Conclusion
             Trusted platforms enable new usage models for protecting confidential information,
             securing access, and hardening communication channels based on a measurable
             hardware root of trust in the form of a TPM. These trusted platforms then become
             foundations for ensuring trust in what has traditionally been an untrusted and unprotected
             computing environment. Trusted platforms are commercially available today and can be
             readily adopted to address homeland security issues.

About TCG
             The Trusted Computing Group (TCG) is an open, industry standards organization formed
             to develop, define, and promote open standards for hardware-enabled trusted computing
             and security technologies, including hardware building blocks and software interfaces,
             across multiple platforms, peripherals, and devices. TCG specifications enable more
             secure computing environments without compromising functional integrity, privacy, or
             individual rights. The primary goal is to help users protect their information assets (data,
             passwords, keys, etc.) from compromise due to external software attack and physical theft.
             For more information, go to www.trustedcomputinggroup.org.

             Kevin Schutz, a product manager for Atmel Corporation, is currently focusing on
             Application Specific Standard Products (ASSPs) for the embedded security market. He has
             over 20 years of experience in a variety of engineering and business roles within the
             semiconductor market. He received his B.S.E.E. degree from Colorado State University
                        and his M.B.A. and M.S.E.E. degrees from the University of Colorado. Kevin is a member
                        of the IEEE and is active in a number of TCG working groups.

        Editor's Notes
                        About Atmel Corporation
                        Founded in 1984, Atmel Corporation is headquartered in San Jose, California with
                        manufacturing facilities in North America and Europe. Atmel designs, manufactures and
                        markets worldwide, advanced logic, mixed-signal, nonvolatile memory and RF
                        semiconductors. Atmel is also a leading provider of system-level integration semiconductor
                        solutions using CMOS, BiCMOS, SiGe, and high-voltage BCDMOS process technologies.

                        Further information can be obtained from Atmel’s Web site at www.atmel.com.

                        Contact: Author’s Name, Author’s Title, Location, Country, Tel: (+33) (0) 4 42 53 61 50,
                        e-mail: pbishop@atmel.com

© Atmel Corporation 2004. All rights reserved. Atmel and combinations thereof are the registered trademarks of Atmel
Corporation. Other terms and product names may be the trademarks of others.
