
Added secure boot description

master
Michael Preisach 4 years ago
parent
commit
fe5bde60b1
  1. BIN
      20210629_Zwischenstand_annotatedMR.pdf
  2. 35
      thesis/01_introduction.tex
  3. 159
      thesis/02_background.tex
  4. BIN
      thesis/MAIN.pdf
  5. 2
      thesis/config.tex
  6. 20
      thesis/literature.bib

BIN
20210629_Zwischenstand_annotatedMR.pdf

Binary file not shown.

35
thesis/01_introduction.tex

@ -1,4 +1,7 @@
\chapter{Introduction}
\section{Motivation}%
\label{sec:motivation}
We all live in a world full of digital systems.
They appear as PCs, notebooks, cellular phones or embedded devices.
Especially the footprint of embedded computers became so small that they can be used in almost all electrical devices.
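Review bot: style point on the third sentence of the motivation: "Especially the footprint of embedded computers became so small that they can be used in almost all electrical devices" mixes tenses and misplaces the emphasis; "The footprint of embedded computers in particular has become so small that they are found in almost all electrical devices" reads more naturally.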
@ -130,40 +133,16 @@ Since the Digidow protocols are not yet finalized, some assumptions are defined
This includes USB wire tapping or debug interfaces within the system revealing sensitive information.
\end{itemize}
\section{Description of structure}
In \autoref{cha:relatedwork} we will outline a variety of projects which do not contribute to this thesis.
There is, however, scientific work that is used as scientific background to this thesis as described in \autoref{cha:background}.
This includes especially the theoretical foundations of the network protocol.
\section{Organization}
In the next chapter, we will indroduce and discuss existing contributions in the targeted scientific area.
This includes especially the theoretical foundations of the network protocol which is part of our contribution.
Together with that, we will introduce our theoretical solution for the previously stated problems in \autoref{cha:concept}.
Chapter~\ref{cha:implementation} introduces then a working implementation with all necessary parts for a working prototype.
\autoref{cha:implementation} introduces then a working implementation with all necessary parts for provisioning the environment and the used hosts accordingly.
Finally we will present the results and limitations in \autoref{cha:conclusion} and give an overview of future work.
\chapter{Related Work}\label{cha:relatedwork}
There exist already a variety projects and implementations which touch the field of trusted computing.
We will introduce some of these projects and discuss why these do not meet the purpose of this thesis.
Schear et al.\,\cite{keylime16} developed a full featured trusted computing environment for cloud computing.
They show in their paper how a TPM of a hypervisor can be virtualized and used by the guest operating system.
This includes trusted bootstrapping, integrity monitoring, virtualization, compatibility with existing tools for fleet management and scalability.
The concept of a well known virtual environment does, however, not apply to our contribution.
Furthermore, the system should be self contained as good as possible and it should be possible to get information about the system via anonymous attestation.
%TODO what about the integrity measurements of keylime?
The \emph{Fast IDentity Online} Alliance (FIDO) is an organization which standardizes online authentication algorithms.
When the first generation of TPMs were available, the consortium defined a standard for Direct Anonymous Attestation with Elliptic Curve cryptography (ECDAA).
When the newer standard, TPM 2.0, was published, FIDO decided to update their algorithm to be compatible with recent developments.
This standard is still in development; a draft version from February 2018 is published on the FIDO website\cite{fido18}
%TODO Is it noteworthy, that Xaptum claims to be compatible with FIDO ECDAA for TPM2?
\begin{itemize}
\item What exists in the field?
\item Keylime -- DONE
\item Xaptum ECDAA -- part of concept
\item FIDO 2 ECDAA -- noteworthy in background?
\item Strongswan Attestation --
\item Linux IMA -- mentioned in Background
\item Secure Boot -- in difference to trusted boot
\item Intel TXT
\item Trusted Execution Environment (TEE)
\item nanovm (\url{nanovms.com})
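Review bot: two typos in the new Organization text: "indroduce" should be "introduce", and "introduces then a working implementation" reads better as "then introduces a working implementation". More importantly, the removed Related Work chapter took its TODO list with it, and that list named Intel TXT, Trusted Execution Environments, strongSwan attestation and nanovms besides Keylime, FIDO ECDAA, Secure Boot and IMA; of these, only Keylime, FIDO and Secure Boot reappear in 02_background.tex in this commit (IMA was already there). Either say where the remaining topics go, or keep the list as a comment until they are covered, otherwise the thesis silently loses them.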

159
thesis/02_background.tex

@ -41,14 +41,13 @@ The last two entries describe vulnerabilities in dedicated TPM chips, which are
This weakness made brute force attacks against keys of up to 2048 bits length feasible.
According to Nemec et al.\cite{Nemec17}, 1024 bit keys required in the worst case scenario 3 CPU months and 2048 bit keys needed 100 CPU years when using one core of an Intel Xeon E5-2650 v3 CPU.
Infineon was able to fix that vulnerability per firmware update for all affected TPMs.
\item \emph{CVE-2019-16863}: This vulnerability is also known as "\emph{TPM fail}" \cite{moghimi20-tpmfail} and shows how to get an elliptic curve private key via timing and lattice attacks.
\item \emph{CVE-2019-16863}: This vulnerability is also known as "TPM fail" \cite{moghimi20-tpmfail} and shows how to get an elliptic curve private key via timing and lattice attacks.
The authors found TPMs from STMicroelectronics vulnerable, as well as Intel's fTPM implementation.
Infineon TPM show also some non-expected behaviour, but this could not be used for data exfiltration.
STM provided an update like Infineon did for their TPMs.
Intel's fTPM required a platform firmware update to solve the issue.
\end{itemize}
\subsection{Using the TPM}
\label{sssec:tpm-usage}
On top of the cryptographic hardware, the TCG provides several software interfaces for application developers:
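Review bot: the edit drops the \emph around TPM fail but keeps ASCII double quotes ("TPM fail"); in LaTeX these render as two closing quotes, so use ``TPM fail'' or \enquote{TPM fail}. While touching this item: it lists one identifier, CVE-2019-16863, for both the STMicroelectronics TPMs and Intel's fTPM, yet the text then describes two separate fixes (an STM firmware update and a platform firmware update for fTPM). Check whether the Intel fTPM finding is tracked under its own advisory identifier and cite it, rather than folding both vendors under a single CVE. Also "Infineon TPM show also some non-expected behaviour" should read "Infineon TPMs also show some unexpected behaviour".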
@ -217,6 +216,26 @@ The user can check the resulting values in the written PCR registers against kno
These values can either be precomputed or just the result of a previous boot.
If all values match the expectations, the chain of trust exists between the SRTM and the kernel.
\subsection{Secure Boot}%
\label{sub:secure_boot}
Secure boot is another technology to prevent malware from being executed before the OS kernel is loaded.
Microsoft describe on their Documentation for Windows and UEFI what requirements are needed and how the secure boot process looks like\cite{microsoft14}.
It is part of the UEFI specification and uses, similar to trusted boot, checksums of firmware, option roms and the boot loader.
These checksums are checked against a signature database, which is held within the platform's NVRAM.
The signatures are created with the platform key (PK) which is by default owned and managed by Microsoft.
Although it is possible to install a new own PK and sign relevant software with it, you can only boot software signed from Microsoft by default when secure boot is enabled.
Shim is the gatekeeper for OSes not maintained by Microsoft.
The binary is signed with the official PK and uses itself a self signed CA to sign further executables.
A detailed description how shim works on Ubuntu is shown on their corresponding Wiki page\cite{ubuntuwiki20}.
Only this workflow enables secure boot when using Linux OSes.
Secure boot uses instead of the TPM conventional NVRAM to store private parts of its signing keys.Although there exists a signature chain for any software involved in Microsoft's boot process, using alternative OSes breaks the signature chain.
When using an own PK, you loose the benefit of having externally created and signed hash values for checking during booting.
Secure and trusted boot can, however, exist side by side on one system.
The benefit of using it seems to be very limited when not using a Microsoft OS.
\section{Integrity Measurement Architecture}%
\label{sec:integrity_measurement_architecture}
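Review bot: the key hierarchy in the new Secure Boot subsection is wrong and should be corrected before this text serves as background. UEFI Secure Boot does not check "checksums" against a "signature database", and nothing is signed "with the platform key (PK) which is by default owned and managed by Microsoft": the components loaded by the firmware (UEFI drivers, option ROMs, boot loaders; the firmware itself is not covered) carry Authenticode signatures that are verified against the allowed-signature database db and rejected if listed in dbx; the PK belongs to the OEM or platform owner and its only job is to authorize updates of the Key Exchange Keys (KEK), which in turn authorize updates of db and dbx. On typical consumer hardware Microsoft's certificates sit in KEK and db, so shim is signed by Microsoft's UEFI CA present in db, not "with the official PK", and what shim embeds is the distribution's vendor certificate (the self-signed CA the text mentions). Consequently "Secure boot uses instead of the TPM conventional NVRAM to store private parts of its signing keys" is also wrong: the authenticated NVRAM variables hold only public certificates and hashes, private keys never reach the platform (on the same line a space is missing before "Although"; further down "loose" should be "lose" and "option roms" should be "option ROMs"). Finally, the closing verdict that the benefit is "very limited when not using a Microsoft OS" does not follow from the shim description two sentences earlier: with shim, a signed boot loader and signed kernels the signature chain stays intact on Linux, so either soften the claim or state which part of the chain is actually missing for the platform used in this thesis.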
@ -306,9 +325,14 @@ In addition to these templates, the system owner can define custom policies.
Some example policies can be found in the Gentoo Wiki\cite{gentoo19}.
It is, for example, useful to exclude constantly changing log files from being measured to reduce useless entries in the measurement log.
\subsection{IMA Extensions}%
\label{ssub:ima_extensions}
Extended Verification Module (EVM)
\subsection{Other System Integrity Approaches}%
\label{sub:other_system_integrity_approaches}
Schear et al.\,\cite{keylime16} developed a full featured trusted computing environment for cloud computing.
They show in their paper how a TPM of a hypervisor can be virtualized and used by the guest operating system.
This includes trusted bootstrapping, integrity monitoring, virtualization, compatibility with existing tools for fleet management and scalability.
The concept of a well known virtual environment does, however, not apply to our use case.
Instead, the system should be self contained as good as possible and it should be possible to get information about the system via anonymous attestation.
\section{Direct Anonymous Attestation}%
\label{sec:direct_anonymous_attestation}
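Review bot: \subsection{IMA Extensions} is an empty stub: its entire body is the bare phrase "Extended Verification Module (EVM)", so either describe EVM (what it protects and how it relates to IMA measurements) or leave the subsection out until it is written. Its label ssub:ima_extensions also breaks the sub: prefix used by the neighbouring subsections (sub:secure_boot, sub:other_system_integrity_approaches). In the moved Keylime paragraph, "self contained as good as possible" should be "as self-contained as possible", and "a well known virtual environment" needs a word on why virtualization does not fit (e.g. that the sensor runs on bare metal), otherwise the reader cannot see why Keylime is ruled out.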
@ -325,35 +349,35 @@ This section describes the concept by Camenisch et al.~\cite{camenisch16} includ
Unlike the description in the original paper, we describe the practical approach, which will be used in the following concept.
\subsection{Mathematical Foundations}
The following definitions form the mathematical building blocks for DAA.
It is noteworthy that these definitions work with RSA encryption as well as with \emph{Elliptic Curve Cryptography} (ECC).
The following definitions form the mathematical building blocks for DAA.
It is noteworthy that these definitions work with RSA encryption as well as with \emph{Elliptic Curve Cryptography} (ECC).
\subsubsection{Discrete Logarithm Problem}
Given a cyclic group $G = \langle g\rangle$ of order $n$, the discrete logarithm of $y\in G$ to the base $g$ is the smallest positive integer $\alpha$ satisfying
\begin{math}
\subsubsection{Discrete Logarithm Problem}
Given a cyclic group $G = \langle g\rangle$ of order $n$, the discrete logarithm of $y\in G$ to the base $g$ is the smallest positive integer $\alpha$ satisfying
\begin{math}
g^\alpha = y
\end{math}
if this $x$ exists.
For sufficiently large $n$ and properly chosen $G$ and $g$, it is infeasible to compute the reverse
\begin{math}
\end{math}
if this $x$ exists.
For sufficiently large $n$ and properly chosen $G$ and $g$, it is infeasible to compute the reverse
\begin{math}
\alpha = \log_g{y}
\end{math}.
This problem is known as \emph{Discrete Logarithm Problem} and is the basis for the following cryptographic algorithms.
\subsubsection{Signature Proof of Knowledge (SPK)}
A SPK is a signature of a message which proves that the creator of this signature is in possession of a certain secret.
The secret itself is never revealed to any other party.
Thus, this algorithm is a \emph{Zero Knowledge Proof of Knowledge} (ZPK).
Camenisch and Stadler~\cite{camenisch97} introduced the algorithm based on the Schnorr Signature Scheme.
It only assumes a collision resistant hash function $\mathcal{H}:\{0,1\}^*\rightarrow\{0,1\}^k$ for signature creation.
For instance,
\begin{equation*}
\end{math}.
This problem is known as \emph{Discrete Logarithm Problem} and is the basis for the following cryptographic algorithms.
\subsubsection{Signature Proof of Knowledge (SPK)}
A SPK is a signature of a message which proves that the creator of this signature is in possession of a certain secret.
The secret itself is never revealed to any other party.
Thus, this algorithm is a \emph{Zero Knowledge Proof of Knowledge} (ZPK).
Camenisch and Stadler~\cite{camenisch97} introduced the algorithm based on the Schnorr Signature Scheme.
It only assumes a collision resistant hash function $\mathcal{H}:\{0,1\}^*\rightarrow\{0,1\}^k$ for signature creation.
For instance,
\begin{equation*}
SPK\{(\alpha):y=g^\alpha\}(m)
\end{equation*}
denotes a proof of knowledge of the secret $\alpha$, which is embedded in the signature of message $m$.
The one-way protocol consists of three procedures:
\begin{enumerate}
\end{equation*}
denotes a proof of knowledge of the secret $\alpha$, which is embedded in the signature of message $m$.
The one-way protocol consists of three procedures:
\begin{enumerate}
\item \emph{Setup.} Let $m$ be a message to be signed, $\alpha$ be a secret and $y:=g^\alpha$ be the corresponding public representation.
\item \emph{Sign.} Choose a random number $r$ and create the signature tuple $(c,s)$ as
\begin{equation*}
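Review bot: this hunk is almost entirely whitespace re-indentation, which doubles every line in the diff and hides the real change; consider keeping indentation changes in a separate commit. In the Discrete Logarithm paragraph (identical in old and new text) "if this $x$ exists" refers to a variable that was never introduced; the exponent is named $\alpha$ two lines earlier, so it should read "if such an $\alpha$ exists". The remark that the definitions "work with RSA encryption as well as with ECC" is imprecise: the constructions below (DLP, Schnorr-style SPK, bilinear maps) do not use RSA encryption at all; the RSA-based DAA variant works in a group modulo an RSA modulus, so "RSA-based groups" is the accurate contrast to elliptic-curve groups.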
@ -369,51 +393,51 @@ Unlike the description in the original paper, we describe the practical approach
\begin{equation*}
g^sy^c = g^rg^{-c\alpha}g^{c\alpha} = g^r\,\text{.}
\end{equation*}
\end{enumerate}
This scheme is extensible to prove knowledge of an arbitrary number of secrets as well as more complex relations between secret and public values.
\subsubsection{Bilinear Maps}
\label{ssec:bilinear-maps}
Bilinear Maps define a special property for mathematical groups which form the basis for verifying the signatures in DAA.
Consider three mathematical groups $\mathbb{G}_1$, $\mathbb{G}_2$, with their corresponding base points $g_1$, $g_2$, and $\mathbb{G}_T$.
Let $e:\mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ that satisfies three properties~\cite{camenisch04,camenisch16}:
\begin{itemize}
\end{enumerate}
This scheme is extensible to prove knowledge of an arbitrary number of secrets as well as more complex relations between secret and public values.
\subsubsection{Bilinear Maps}
\label{ssec:bilinear-maps}
Bilinear Maps define a special property for mathematical groups which form the basis for verifying the signatures in DAA.
Consider three mathematical groups $\mathbb{G}_1$, $\mathbb{G}_2$, with their corresponding base points $g_1$, $g_2$, and $\mathbb{G}_T$.
Let $e:\mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ that satisfies three properties~\cite{camenisch04,camenisch16}:
\begin{itemize}
\item \emph{Bilinearity.} For all $P\in\mathbb{G}_1, Q\in\mathbb{G}_2$, for all $a,b \in\mathbb{Z}: e(P^a,Q^b) = e(P,Q)^{ab}$.
\item \emph{Non-degeneracy.} For all generators $g_1\in\mathbb{G}_1, g_2\in\mathbb{G}_2:
e(g_1,g_2)$ generates $\mathbb{G}_T$.
\item \emph{Efficiency.} There exists an efficient algorithm that outputs the bilinear group\\
$(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ and an efficient algorithm for computing $e$.
\end{itemize}
\end{itemize}
\subsubsection{Camenisch-Lysyanskaya Signature Scheme}
The Camenisch-Lysyanskaya (CL) Signature Scheme~\cite{camenisch04} is based on the LRSW assumption and allows efficient proofs for signature posession and is the basis for the DAA scheme discussed below.
It is based on a bilinear group $(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ that is available to all steps in the protocol.
\begin{itemize}
\subsubsection{Camenisch-Lysyanskaya Signature Scheme}
The Camenisch-Lysyanskaya (CL) Signature Scheme~\cite{camenisch04} is based on the LRSW assumption and allows efficient proofs for signature posession and is the basis for the DAA scheme discussed below.
It is based on a bilinear group $(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ that is available to all steps in the protocol.
\begin{itemize}
\item \emph{Setup.} Choose $x\leftarrow\mathbb{Z}_q$ and $y\leftarrow\mathbb{Z}_q$ at random.
Set the secret key $sk \leftarrow (x,y)$ and the public key $pk \leftarrow (g_2^x, g_2^y)=(X,Y)$.
\item \emph{Sign.} Given a message $m$ and the secret key $sk$, choose $a$ at random and output the signature $\sigma\leftarrow(a, a^y, a^{x+xym}) = (a,b,c)$.
\item \emph{Verify.} Given message $m$, signature $\sigma$ and public key $pk$, verify that $a
\neq 1_{\mathbb{G}_1}$, $e(a,Y) = e(b,g_2)$ and $e(a,X)\cdot e(b,X)^m = e(c,g_2)$.
\end{itemize}
Camenisch et al.\@ stated in section 4.2 of their paper~\cite{camenisch16} that one has to verify the equation against $e(g_1,b)$ and $e(g_1,c)$ which is not correct.
\end{itemize}
Camenisch et al.\@ stated in section 4.2 of their paper~\cite{camenisch16} that one has to verify the equation against $e(g_1,b)$ and $e(g_1,c)$ which is not correct.
\subsection{DAA Protocol on LRSW Assumption}
\label{ssec:daa-protocol-on-lrsw-assumption}
DAA is a group signature protocol, which aims with a supporting TPM to reveal no additional information about the signing host besides content and validity of the signed message $m$.
According to Camenisch et al.~\cite{camenisch16}, the DAA protocol consists of three parties:
\begin{itemize}
\subsection{DAA Protocol on LRSW Assumption}
\label{ssec:daa-protocol-on-lrsw-assumption}
DAA is a group signature protocol, which aims with a supporting TPM to reveal no additional information about the signing host besides content and validity of the signed message $m$.
According to Camenisch et al.~\cite{camenisch16}, the DAA protocol consists of three parties:
\begin{itemize}
\item \emph{Issuer} \issuer. The issuer maintains a group and has evidence of hosts that are members in this group.
\item \emph{Host} \host. The host creates a platform with the corresponding TPM \tpm{}.
Membership of groups are maintained by the TPM.
Only the key owner (TPM, passive) and the message author (Host, active) form a full group member.
\item \emph{Verifier} \verifier. A verifier can check, whether a host with its TPM is in a group or not. Besides the group membership, no additional information is provided.
\end{itemize}
A certificate authority $\mathcal{F}_{ca}$ is providing a certificate for the issuer itself.
The basename \bsn{} is some clear text string, whereas \nym{} represent the encrypted basename $bsn^{gsk}$.
$\mathcal{L}$ is the list of registered group members which is maintained by \issuer.
The paper of Camenisch et al.~\cite{camenisch16} introduces further variables that are necessary for their proof of correctness.
These extensions were omitted in the following to understand the protocol more easily.
\begin{itemize}
\end{itemize}
A certificate authority $\mathcal{F}_{ca}$ is providing a certificate for the issuer itself.
The basename \bsn{} is some clear text string, whereas \nym{} represent the encrypted basename $bsn^{gsk}$.
$\mathcal{L}$ is the list of registered group members which is maintained by \issuer.
The paper of Camenisch et al.~\cite{camenisch16} introduces further variables that are necessary for their proof of correctness.
These extensions were omitted in the following to understand the protocol more easily.
\begin{itemize}
\item \emph{Setup.} During setup, \issuer{} is generating the issuer secret key $isk$ and the corresponding issuer public key $ipk$. The public key is published and assumed to be known to everyone.
\begin{enumerate}
\item On input \textsf{SETUP}, \issuer
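Review bot: "posession" should be "possession" in the CL paragraph (kept in both versions of the line), and "Let $e:\mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ that satisfies" is missing its verb ("Let ... be a map that satisfies"). In the DAA party list, "Membership of groups are maintained" should be "is maintained", and "\nym{} represent the encrypted basename $bsn^{gsk}$" is misleading: raising the (hashed) basename to the secret $gsk$ is not encryption, nobody can decrypt it; it is a pseudonym that is deterministic per (basename, key) pair, which is exactly what makes the Link step below work, so call it a pseudonym derived from the basename. The sentence asserting that section 4.2 of Camenisch et al. "is not correct" needs a one-line justification in the text: the Verify equations as written here are consistent with $pk=(g_2^x,g_2^y)$ and the signature living in $\mathbb{G}_1$, so say that the pairing arguments must be ordered that way; otherwise a reader cannot tell a typo in the thesis from an error in the cited paper.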
@ -501,13 +525,22 @@ Unlike the description in the original paper, we describe the practical approach
\item If $\nym = \nym'$, set $f\leftarrow 1$, otherwise $f\leftarrow 0$.
\item Output \textsf{LINK}$(f)$.
\end{itemize}
\end{itemize}
\end{itemize}
Camenisch et al.~\cite{camenisch16} extend the general group concept scheme with their concept.
The feature of linking messages together requires further security features within the DAA scheme, which the authors also prove in their paper along with the other properties of the scheme:
\begin{itemize}
Camenisch et al.~\cite{camenisch16} extend the general group concept scheme with their concept.
The feature of linking messages together requires further security features within the DAA scheme, which the authors also prove in their paper along with the other properties of the scheme:
\begin{itemize}
\item \emph{Non-frameability}: No one can create signatures that the platform never signed, but that link to messages signed from that platform.
\item \emph{Correctness of link}: Two signatures will link when the honest platform signs it with the same basename.
\item \emph{Symmetry of Link}: It does not matter in which order the linked signatures will be proven. The link algorithm will always output the same result.
\end{itemize}
\end{itemize}
%TODO Überleitung zum nächsten Kapitel und FIDO einbauen
\subsection{Standardization of DAA}%
\label{sub:standardization_of_daa}
The \emph{Fast IDentity Online} Alliance (FIDO) is an organization which standardizes online authentication algorithms.
When the first generation of TPMs were available, the consortium defined a standard for Direct Anonymous Attestation with Elliptic Curve cryptography (ECDAA).
When the newer standard, TPM 2.0, was published, FIDO decided to update their algorithm to be compatible with recent developments.
This standard is still in development; a draft version from February 2018 is published on the FIDO website\cite{fido18}
This standard implements a close variant of the previously described concept.
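Review bot: the sentence ending in \cite{fido18} lacks its full stop, and the German %TODO above the heading ("Überleitung zum nächsten Kapitel und FIDO einbauen") is now partly done by this very subsection, so update or drop it. The chronology in the FIDO paragraph also needs checking against the cited draft: DAA in first-generation (TPM 1.2) platforms was the RSA-based scheme, and the elliptic-curve variant is what TPM 2.0 introduced, so "When the first generation of TPMs were available, the consortium defined a standard for ... ECDAA" and the following "update for TPM 2.0" cannot both hold as stated; cite the specific FIDO document versions you mean. "This standard implements a close variant of the previously described concept" should say what differs (at minimum which DAA scheme and curve the draft fixes), since the concept chapter relies on that closeness.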

BIN
thesis/MAIN.pdf

Binary file not shown.

2
thesis/config.tex

@ -46,7 +46,7 @@
%% Hier Titel eingeben; steht über dem K:
%% Enter the title; it appears above the K:
\def\title{Project Digidow: Biometric Sensor}
\def\title{Project Digidow: System Integrity and Attestation for the Biometric Sensor}
%% Hier den Typ der Arbeit eingeben (0: Keine Arbeit, 1: Bachelorarbeit, 2: Masterarbeit, 3: Dissertation, 4: Diplomarbeit):
%% Enter the type of paper here (0: Not Thesis, 1: Bachelor’s Thesis, 2: Master’s Thesis, 3: Dissertation, 4: Diploma Degree Thesis):

20
thesis/literature.bib

@ -253,7 +253,7 @@
}
@online{tcg20,
author = {},
author = {Trusted Computing Group},
year = {2019},
title = {The TPM Library Specification},
url = {https://trustedcomputinggroup.org/resource/tpm-library-specification/},
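Review bot: the bib key tcg20 carries year = {2019}, so either the key suffix or the year is off. The TPM Library Specification is versioned and revised regularly; record the part, revision and urldate actually consulted, as the ubuntuwiki20 and microsoft14 entries added further down already do.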
@ -261,7 +261,7 @@
}
@online{tcg-efi16,
author = {},
author = {Trusted Computing Group},
year = {2016},
title = {TCG EFI Protocol Specification},
url = {https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/},
@ -341,6 +341,22 @@
urldate = {2021-07-07},
}
@online{ubuntuwiki20,
author = {Frazier, Dann},
year = {2020},
title = {Secure Boot},
url = {https://wiki.ubuntu.com/UEFI/SecureBoot},
urldate = {2021-07-24},
}
@online{microsoft14,
author = {Microsoft},
year = {2014},
title = {Secure Boot Overview},
url = {https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/hh824987(v=win.10)},
urldate = {2021-07-24},
}
@inproceedings{Nemec17,
author = {Nemec, Matus and Sys, Marek and Svenda, Petr and Klinec, Dusan and Matyas, Vashek},
title = {The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli},
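Review bot: microsoft14 points at an archived "previous-versions" page for Windows 8.1 and 8 (visible in the URL), which is fine as a citation of the 2014 text, but the Secure Boot subsection cites it as Microsoft's current documentation; either cite the current Secure Boot documentation or qualify the date in the text. ubuntuwiki20 attributes a community wiki page to a single author; unless the page names Dann Frazier as its author, use the wiki or project as author and keep urldate, as done here.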
