@ -6,29 +6,27 @@ This product category form the so called \emph{smart} devices.
With all these new devices a lot of societal problems could be solved in the past few decades.
Many of them automate services to the public like managing the bank account, public transportation or health services.
There is an endless list of services that can be done by a computer.
The list of digital service is endless and will still grow in the next decades.
The downside of all these digital services is that using these services generate a lot of data.
Besides of the intended exchange of information, many of the services try to extract metadata as well.
Metadata answers some of the following questions.
Which IP is connected?
What kind of device is that?
Is the software up to date?
Is the software of the device up to date?
Was this device here in the past?
Which other sites did the user browse?
This is an endless list of questions which can be answered with a set of metadata.
And all this data is collected when users browse the Internet.
At the end the user may not be charged financially but one pay with this metadata.
The customer becomes the product.
What else did the owner on the device?
This list of questions can be continued arbitrarily.
Reselling the metadata brings the product manufacturer more margin on the product and hence more profit.
Consequently the market for metadata is growing with the Internet itself.
The result is a loss of trust in all kind of connected devices and software.
A User cannot know what is happening on a device she is using.
However when a project is financed by the public, it should be possible to show users that there is a difference in the usage.
It should be possible to prove that an application or a computer system is honest to the user.
People should be convinced of this honesty and build trust in using this kind of software.
The Institute for Networks and Security therefore introduced the project DigiDow.
It introduces a digital authentication system, which minimizes the generation of metadata and hence preserves privacy for all users of the system.
%TODO find the bridge to DigiDow
\section{introduction in project digidow}
The Project \emph{Digital Shadow} is under ongoing developüment at the Institute of Networks and Security and creates a scalable system for authentication.
\section{Project DigiDow}
The Project \emph{Digital Shadow} is under ongoing development at the Institute of Networks and Security and creates a scalable system for authentication.
Key feature is privacy by design and a provable system to create trust to the end user.
At this early stage the interfaces and interaction points are not fully defined.
@ -42,17 +40,20 @@ derive the use case of the Biometric sensor out of the above model.
\section{Goals and Definitions}
You should be able to attach a variety of sensors to the system.
The system should then fulfill the followin requirements
The system should then fulfill the following requirements
\begin{itemize}
\item\emph{Sensor Monitoring.} The System should be able to monitor the sensor itself.
\item\emph{System Monitoring.} It should be possible to track the state of the system. Especially every modification of the system should be detected.
\item\emph{Freshness of Sensor Data.} To prevent replay attacks, the system should proof that the provided biometrc data is captured live.
\item\emph{Integrity of Sensor Data.} As it is possible for an attacker to modify the provided data during the capturing process, integrity should guarantee that the data comes from the sensor in an unmodified manner.
\item\emph{Freshness of Sensor Data.} To prevent replay attacks, the system should proof that the provided biometric data is captured live.
\item\emph{Integrity of Sensor Data.} As it is possible for an adversary to modify the provided data during the capturing process, integrity should guarantee that the data originates from the BS.
\item\emph{Confidentiality of Sensor Data.} It should not be possible to eavesdrop any sensitive data out of the system.
Furthermore almost all kinds of metadata (e.\,g. information about the system or network information) should not be published
\item Usage Model of Biometric Sensor
\item\emph{Anonymity.} Given a message from a BS, an adversary should not be able to detect which BS created it
\item\emph{Unforgeability.} Only honest BS should be able to be part of the DigiDow network. Corrupt systems should not be able to send valid messages.
\end{itemize}
Usage Model of Biometric Sensor
This thesis will describe a system, which is part of the Digital Shadow network.
Therefore it has to meet the common principles in information security, namely:
\begin{itemize}
@ -66,7 +67,7 @@ This is what \emph{trust} defines in information security
\subsection{Requirements}
\begin{itemize}
\item given a set of software, this system should provide information that exaclty this version of software is running on the system. (Integrity)
\item given a set of software, this system should provide information that exactly this version of software is running on the system. (Integrity)
\item The system must furthermore show that it is a member of valid biometric sensors (Attestation)
\item All the given information should be anonymized. It should not be possible to gain any other information about the system (Anonymity)
\item It should be ensured that no sensitive data is stored at the biometric sensor
The theoretical tool that should be formed to one whole system implementation in this thesis.
\section{Definition of the Biometric Sensor}
\label{definitions}
What part fulfills the BS and what needs to be done.
Record Sensor data, Network Discovery, send sensor data via trusted channel to PIA
\subsection{What has the BS to do?}
\label{sec:bs-usecase}
\begin{enumerate}
\item Listen for a Trigger to start the Authentication Process
\item Collect Sensor Data (Picture, Fingerprint) and calculate a biometric representation
@ -15,6 +18,7 @@ Record Sensor data, Network Discovery, send sensor data via trusted channel to P
\section{Attack Vectors and Threat Model}
\subsection{The Threat Model}
\label{ssec:threatmodel}
\begin{itemize}
\item Definition of sensitive data / privacy / metadata
\item This version of BS is not owned by the user, there is no personal data in the System
@ -30,6 +34,7 @@ Record Sensor data, Network Discovery, send sensor data via trusted channel to P
\item Rogue BS Sensor data modification before transmission
\end{itemize}
\section{Trust and Security}
\label{sec:trust}
Trust is an essential term in this thesis.
In the world of IT security, the term \emph{trusted computing} defines a secured environment where special or confidential computing jobs are dispatched.
This environment or product usually meets the following requirements
@ -52,14 +57,18 @@ In Chapter 3 we will show how trust will be extended in a commodity PC.
Differentiation between trust and security --- and the problem that not everyone is using that right.
\section{Systems of Trust}
\label{sec:trustsystems}
All trust systems are built on the standards of Trusted Computing Group.
\subsection{Secure Boot, TXT, \ldots}
\label{ssec:secureboot-txt}
Trusted Boot is not the same as Secure Boot. Explain the difference
\subsection{TPM1.2}
\label{ssec:tpm12}
Initial Version of the crypto-coprocessor, successfully spread into many systems, but hardly any integration in Trust/security Software
%TODO this is an attempt to describe TPM from the beginning.
\subsection{TPM2.0}
\label{ssec:tpm20}
The \emph{Trusted Platform Module} (TPM) is a small cryptocoprocessor that introduces a variety of new features to the platform.
This module is part of a standard developed by the Trusted Computing Group (TCG), which current revision is 2.0\cite{tcg20}.
@ -86,6 +95,7 @@ Only two of them had impact on the implementation of a dedicated chip:
\item\emph{CVE-2017-15361}
\end{itemize}
\subsubsection{Using the TPM}
\label{sssec:tpm-usage}
On top of the cryptographic hardware, the TCG provides several software interfaces for application developers:
\begin{itemize}
\item\emph{System API (SAPI).} The SAPI is a basic API where the developer has to handle the resources within the application. However this API provides the full set of features.
@ -102,6 +112,7 @@ Unfortunately, the command line parameters changed several times during the majo
\subsubsection{The Hardware}
\label{sssec:tpm-hardware}
The TCG achieved with the previous mentioned software layers independence of the underlying hardware.
Hence, TCG provided different flavors of of the TPM
@ -126,10 +137,224 @@ Since TCG published its documents, several IT security teams investigated concep
\caption[DAA Attestation procedure]{The DAA attestation process requires 5 steps. The PIA may trust the Biometric Sensor afterwards.}
\label{fig:daa-attestation}
\end{figure}
\section{Integrity Measurements}
Extend the Chain of Trust beyond the boot process.
The Kernel can measure many different types of Resources.
What is a useful set of measurements
\section{Verify Trust (DA and DAA)}
Use the TPM to proof trustworthiness to other instances like the PIA
\subsection{Definitions}
For the definition of the algorithm, some notations and definitions are summarized in the following.
Greek letters denote a secret that is not known to the verifier whereas all other variable can be used to verify the desired properties.
The symbol $||$ is a concatenation of binary strings or binary representations of integers.
Given an integer $q$, $\mathbb{Z}_q$ denotes the ring of integers modulo $q$ and $\mathbb{Z}_q^*$ denotes the multiplicative group modulo $q$\cite{camenisch97}.
\subsection{Discrete Logarithm Problem}
Given a cyclic group $G =\langle g\rangle$ of order $n$, the discrete logarithm of $y\in G$ to the base $g$ is the smallest positive integer $x$ satisfying
\begin{math}
g^\alpha = y
\end{math}
if this $x$ exists.
For sufficiently large $n$ and properly chosen $G$ and $g$, it is infeasible to compute the reverse
\begin{math}
\alpha = \log_g{y}
\end{math}.
This problem is known as \emph{Discrete Logarithm Problem} and is the basis for the following cryptographic algorithms.
\subsection{Signatures of Knowledge}
Camenisch and Stadler\cite{camenisch97} describe an efficient scheme for proving knowledge of a secret without providing it.
They assume a collision resistant hash function $\mathcal{H}:\{0,1\}^*\rightarrow\{0,1\}^k$ for signature creation.
Furthermore, the algorithm is based on the Schnorr signature scheme\cite{schnorr91}.
For instance,
\begin{equation*}
SPK\{(\alpha):y=g^\alpha\}(m)
\end{equation*}
denotes a proof of knowledge of the secret $\alpha$, which is embedded in the signature of message $m$.
The one-way protocol consists of three procedures:
\begin{enumerate}
\item\emph{Setup.} Let $m$ be a message to be signed, $\alpha$ be a secret and $y:=g^\alpha$ be the corresponding public representation.
\item\emph{Sign.} Choose a random number $r$ and create the signature tuple $(c,s)$ as
\item\emph{Verify.} The verifier knows the values of $y$ and $g$, as they are usually public. The message $m$ comes with the signature values $c$ and $s$. She computes the value
\begin{equation*}
c':=\mathcal{H}(m\,||\,y\,||\,g\,||\,g^sy^c)\quad\text{and verifies, that}\quad c' = c\, .
\end{equation*}
The verification holds since
\begin{equation*}
g^sy^c = g^rg^{-c\alpha}g^{c\alpha} = g^r\, .
\end{equation*}
\end{enumerate}
Camenisch and Stadler\cite{camenisch97} state, that this scheme is extensible to proof knowledge of arbitrary number of secrets.
Furthermore, complex relations between secret and public values can be represented with that scheme.
\subsection{Bilinear Maps}
The Camenisch-Lysyanskaya (CL) Signature Scheme\cite{camenisch04} is used for the DAA-Protocol.
Furthermore, the CL-Scheme itself is based on Bilinear Maps.
Consider three groups $\mathbb{G}_1$, $\mathbb{G}_2$, with their corresponding base points $g_1$, $g_2$, and $\mathbb{G}_T$.
Let $e:\mathbb{G}_1\times\mathbb{G}_2\rightarrow\mathbb{G}_T$ that satisfies three properties\cite{camenisch04,camenisch16}:
\begin{itemize}
\item\emph{Bilinearity.} For all $P\in\mathbb{G}_1, Q\in\mathbb{G}_2$, for all $a,b \in\mathbb{Z}: e(P^a,Q^b)= e(P,Q)^{ab}$.
\item\emph{Non-degeneracy.} For all generators $g1\in\mathbb{G}_1, g2\in\mathbb{G}_2: e(g_1,g_2)$ generates $\mathbb{G}_T$.
\item\emph{Efficiency.} There exists an efficient algorithm that outputs the bilinear group\\
$(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ and an efficient algorithm for computing $e$.
The Camenisch-Lysyanskaya (CL) Signature Scheme…\cite{camenisch04} allows efficient proofs for signature posession and is the basis for the DAA scheme discussed in section XY. %TODO reference to DAA section
It is based on a bilinear group $(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ that is available to all steps in the protocol.
\begin{itemize}
\item\emph{Setup.} Choose $x\leftarrow\mathbb{Z}_q$ and $y\leftarrow\mathbb{Z}_q$ at random. Set the secret key $sk \leftarrow(x,y)$ and the public key $pk \leftarrow(g_2^x, g_2^y)=(X,Y)$
\item\emph{Sign.} Given a message $m$, and the secret key $sk$, choose $a$ at random and output the signature $\sigma\leftarrow(a, a^y, a^{x+xym})=(a,b,c)$
\item\emph{Verify.} Given message $m$, signature $\sigma$ and public key $pk$, verify, that $a \neq1_{\mathbb{G}_1}$, $e(a,Y)= e(b,g_2)$ and $e(a,X)\cdot e(b,X)^m = e(c,g_2)$
\end{itemize}
Camenisch et al.\@ stated in section 4.2 of their paper\cite{camenisch16} that one has to verify the equation against $e(g_1,b)$ and $e(g_1,c)$ which is proven wrong here.
\subsection{DAA History}
Direct Anonymous Attestation (DAA) is a cryptographic protocol, which aims to provide evidence that a device is a honest member of a group without providing any identification information.
Brickell, Camenisch and Chen\cite{BriCamChe04} introduce DAA and implement the protocol for the TPM 1.2 standard.
However it supports only RSA and has limitations in verifying attestation signatures.
Hence, DAA is not used with the TPM 1.2 standard.
Since the DAA protocol is quite complex, it is difficult to provide a sound security model for DAA and formally proof the security properties of it.
Chen, Morissey and Smart\cite{chen09} add linkability to the protocol.
Their approach for a formal proof is not correct, since a trivial key can be used for pass verification\cite{camenisch16}
%TODO Chronic of DAA until Camenisch16, Discussion about broken Proofs in previous papers.
Camenisch, Drijvers and Lehmann\cite{camenisch16} developed a DAA scheme for the new TPM 2.0 standard.
It supports linkability and the proofs for security and correctness still hold.
Furthermore, RSA and ECC cryptography is supported which makes it practicable for a wider variety of use cases.
However, Camenisch et.\,al.\cite{camenisch17} proposed a fix in the TPM 2.0 API to guarantee all requirements necessary for DAA.
Xaptum implemented this DAA-variant including the fixes in the TPM API.
The implementation will be discussed in Chapter 4.%TODO Reference to Xaptum discussion
Analyzing the security and integrity of this scheme would exceed the scope of this thesis.
Hence this thesis describes the DAA protocol and assumes the correctness and integrity.
\subsection{DAA Protocol}
\label{ssec:daa-protocol}
DAA is a group signature protocol, which aims to reveal no additional information about the signing host.
According to Camenisch et al.\cite{camenisch16} the DAA protocol consists of three parties.
\begin{itemize}
\item\emph{Issuer}\issuer. The issuer maintains a group and has evidence of hosts that are members in this group.
\item\emph{Host}\host. The Host creates a platform with the corresponding TPM \tpm\. Membership of groups are maintained by the TPM.
\item\emph{Verifier}\verifier. A verifier can check whether a Host with its TPM is in a group or not. Besides the group membership, no additional information is provided.
\end{itemize}
A certificate authority $\mathcal{F}_{ca}$ is providing a certificate for the issuer itself.
\texttt{bsn} and \texttt{nym}%TODO
Session ids $sid$ is already available with communication session on the network or on the link between host and TPM. %TODO check that
$\mathcal{L}$ is the list of registered group members which is maintained by \issuer. %TODO
%TODO describe \tau
\begin{itemize}
\item\emph{Setup.} During Setup \issuer is generating the issuer secret key $isk$ and the corresponding issuer public key $ipk$. The public key is published and assumed to be known to everyone.
\begin{enumerate}
\item On input \textsf{SETUP}\issuer
\begin{itemize}
\item generates $x,y \leftarrow\mathbb{Z}_q$ and sets $isk=(x.y)$ and $ipk\leftarrow(g_2^x,g_2^y)=(X,Y)$. Initialize $\mathcal{L}\leftarrow\emptyset$,
\item generates a prove $\pi\sassign SPK\{(x,y):X=g_2^x\wedge Y=g_2^y\}$ that the key pair is well formed,
\item registers the public key $(X,y,\pi)$ at $\mathcal{F}_{ca}$ and stores the secret key,
\item outputs \textsf{SETUPDONE}
\end{itemize}
\end{enumerate}
\item\emph{Join.} When a platform, consisting of host \host[j] and TPM \tpm[i], wants to become a member of the issuer's group, it joins the group by authenticating to the issuer \issuer.
\begin{enumerate}
\item On input \textsf{JOIN}, host \host[j] sends the message \textsf{JOIN} to \issuer.
\item\issuer\ upon receiving \textsf{JOIN} from \host[j], chooses a fresh nonce $n\leftarrow\{0,1\}^\tau$ and sends it back to \host[j].
\item\host[j] upon receiving $n$ from \issuer, forwards $n$ to \tpm[i]
\item\tpm[i] generates the secret key:
\begin{itemize}
\item Check, that no completed key record exists. Otherwise, it is already a member of that group.
\item Choose $gsk\sassign\mathbb{Z}_q$ and store the key as $(gsk, \bot)$.
\item Set $Q \leftarrow g_1^{gsk}$ and compute $\pi_1\sassign SPK\{(gsk):Q=g_1^{gsk}\}(n)$.
\item Return $(Q,\pi_1)$ to \host[j].
\end{itemize}
\item\host[j] forwards \textsf{JOINPROCEED}$(Q, \pi_1)$ to \issuer.
\item\issuer\ upon input \textsf{JOINPROCEED}$(Q, \pi_1)$ creates the CL-credential:
\begin{itemize}
\item Verify that $\pi_1$ is correct.
\item Add \tpm[i] to $\mathcal{L}$. %TODO what is the representative of the TPM?
\item Create the prove $\pi_2\sassign SPK\{(t):b=g_1^t\wedge d=Q^t\}$.
\item Send \textsf{APPEND}$(a,b,c,d,\pi_2)$ to \host[j]
\end{itemize}
\item\host[j] upon receiving \textsf{APPEND}$(a,b,c,d,\pi_2)$
\begin{itemize}
\item verifies, that $a\neq1$, $e(a,Y)=e(b,g_2)$ and $e(c,g_2)= e(a\cdot d, X)$.
\item forwards $(b,d,\pi_2)$ to \tpm[i].
\end{itemize}
\item\tpm[i] receives $(b,d,\pi_2)$ and verifies $\pi_2$. The join is completed after the record is extended to $(gsk, (b,d))$. \tpm[i] returns \textsf{JOINED} to \host[j].
\item\host[j] stores $(a,b,c,d)$ and outputs \textsf{JOINED}.
\end{enumerate}
\item\emph{Sign.}
After joining the group, a host \host[j] and TPM \tpm[i] can sign a message $m$ with respect to basename \texttt{bsn}.
\begin{enumerate}
\item\host[j] upon input \textsf{SIGN}$(m,\bsn)$ re-randomizes the CL-credential:
\begin{itemize}
\item Retrieve the join record $(a,b,c,d)$ and choose $r\sassign\mathbb{Z}_q$. Set $(a',b',c',d')\leftarrow(a^r,b^r,c^r,d^r)$.
\item Send $(m, \bsn, r)$ to \tpm[i] and store $(a',b',c',d')$.
\end{itemize}
\item\tpm[i] upon receiving $(m, \bsn, r)$
\begin{itemize}
\item checks, that a complete join record $(gsk, (b,d))$ exists, and
\item stores $(m, \bsn, r)$.
\end{itemize}
\item\tpm[i] completes the signature after it gets permission to do so. %TODO Why?
\begin{itemize}
\item Retrieve group record $(gsk, (b,d))$ and message record $(m, \bsn, r)$.
\item verifies $\pi$ with respect to $(m,\bsn)$ and \nym if $\bsn\neq\bot$.
\item checks, that $a\neq1$, $b\neq1$$e(a,Y)=e(b, g_2)$ and $e(c,g_2)=e(a\cdot d,X)$,
\item checks, that for every $gsk_i \in\RL: b^{gsk_i}\neq d$,
\item sets $f\leftarrow1$ if all test pass, otherwise $f\leftarrow0$, and
\item outputs \textsf{VERIFIED}$(f)$.
\end{itemize}
\end{enumerate}
\item\emph{Link.}
After proving validity of the signature, the verifier can test, whether two different messages with the same basename $\bsn\neq\bot$ are generated from the same TPM.
\begin{enumerate}
\item\verifier\ on input \textsf{LINK}$(\sigma, m, \sigma', m', bsn)$ verifies the signatures and compares the pseudonyms contained in $\sigma, \sigma'$:
\begin{itemize}
\item Check, that $\bsn\neq\bot$ and that both signatures $\sigma, \sigma'$ are valid.
\item Parse the signatures $\sigma\leftarrow(a,b,c,d,\pi,\nym)$, $\sigma'\leftarrow(a',b',c',d',\pi',\nym')$
\item If $\nym=\nym'$, set $f\leftarrow1$, otherwise $f\leftarrow0$.
\item Output \textsf{LINK}$(f)$
\end{itemize}
\end{enumerate}
\end{itemize}
%TODO: Discussion: sid removed, RL only works with private keys, etc.
Limitations due to bad implementation on BIOS-Level, no Certificate Verification Infrastructure available for TPMs? Needs to be proven for correctness.
\section{Integrity Measurement Architecture}
@ -24,3 +26,4 @@ Fallback is using the TPM2 ESAPI or SAPI, which is available on almost all Linux
\section{Direct Anonymous Attestation}
DAA Project from Xaptum: Working DAA handshake and possible TPM integration.
Requires an Attestation Key which is secured with a password policy.
