\chapter{Introduction} We all live in a world full of digital systems. They appear as PCs, notebooks, cellular phones or embedded devices. Especially the footprint of embedded computers became so small that they can be used in almost all electrical devices. These embedded systems form the so called \emph{smart} devices. All these new devices made life a lot easier in the past decades. Many of them automate services to the public like managing the bank account, public transportation or health services. The list of digital service is endless and will still grow in the future. The downside of all these digital services is that using these services generate a lot of data. Besides the intended exchange of information, many of the services try to extract metadata as well. Metadata answers some of the following questions. Which IP address is sending or receiving? What kind of device is that? Is the software of the device up to date? Was this device here in the past? What else did the owner on the device? This set of questions is not complete. Aggregating metadata is not required to fulfill the function of the requested service. However, aggregating and reselling the metadata brings the provider more margin on the product and hence more profit. Consequently, the market for metadata is growing and yet only partly regulated. Since metadata aggregation is one downside of using smart services, providers try to downplay or to hide these aggregation features where possible. Often a proprietary layer is used either on the client or the server side to hide those functions. The result is a piece of software which is provided as binary and the user cannot prove what this software is exactly doing besides the visible front end features. There are of course other purposes for delivering software in a closed source manner. Firmware of hardware vendors is usually not disclosed. Instead, vendors provide an API where an \emph{Operating System} (OS) can connect to. Some companies deliver complete closed source devices with internet connection. In such cases, the feature of closed source is to protect the intellectual property of those companies. Any user of these closed source products must use them as black box and needs to \emph{trust} the vendor that it is working correctly. There is, however, a special need for users to keep sensitive data secret. Especially when providing confidential data like passwords or biometric data, a certain level of trust is required. This means that the user assumes that the provided sensitive data is handled properly for only the designated usage. One may argue that a password can easily be changed when revealed to the public. Unfortunately, this does not apply to a fingerprint since a human usually has only ten of them during lifetime. \section{Trust} When using a system with an authentication method, trust plays a key role. For black box systems this trust is cast to the vendor of the system or device. There is however no mathematical proof that the device is indeed executing the software as intended from the vendor. This thesis will therefore use the term \emph{trust} as a cryptographic chain of proofs, that a system is behaving in an intended way, a so called \emph{Chain of Trust}. By providing a Chain of Trust, a user can ask the vendor for a certification of its devices and consequently comprehend the state of the system at hand. The Chain of Trust will be separated into two parts, namely the creation of trust on a certain system, and the transfer of trust over the network for verification purposes. \section{Project Digidow} The Institute for Networks and Security is heavily using the cryptographic form of trust in the project \emph{Digital Shadow} (Digidow). DigiDow introduces an electronic authentication system, which aims to minimize any generation of metadata on system and network level and hence maximizes the level of privacy for their users. The project furthermore aims to specify a scalable solution for nationwide or even worldwide applications including provable trust and integrity to the user. \begin{figure} \centering \includegraphics[width=0.9\textwidth]{../resources/globalview} \caption{Overview of the Digidow authentication process} \label{fig:globalview} \end{figure} The picture in \autoref{fig:globalview} provides an overview of the authentication process within Digidow. At the time of this writing, the exact order and definition of every step is not yet finished and may change during the progress of the whole project. DigiDow introduces three main parties which are involved in a common authentication process. \begin{itemize} \item\emph{Personal Identity Agent} (PIA): The PIA is the digital shadow of an individual who wants to be authenticated. This individual is also the owner of the PIA and should be able to manage sensitive data and software on it. \item\emph{Verifier} (V): This is the party that verifies the whole authentication process and may finally trigger the desired action if all went well. \item\emph{Biometric Sensor} (BS): For authentication, an individual has to be uniquely identified. Therefore, the BS records biometric data from the individual and passes it into the DidiDow network. \end{itemize} For scalability, we assume that there are large numbers of all parties. The illustration also shows a draft of how which steps need to be performed between above mentioned parties during an authentication process. \begin{enumerate} \item[(1)] All relevant parties need to find each other via the Digidow network. When this step is finished, it is assumed that for every step the individual hosts for communication are identifiable and ready for the authentication process. \item[(2)(3)] Eventually an individual wants to authenticate itself and the BS records the biometric data. With this data and a corresponding unique ID, the BS knows which PIA to contact. \item [(4)(5)(6)] The BS contacts the PIA and sends the recorded dataset as well as a cryptographic signature to proof that the sensor is valid and this is an honest authentication attempt. \item [(7)] The PIA proves authenticity of the received signature and compares the data with its own saved biometric datasets. Assuming all is correct, the PIA certifies that the person standing in front of the BS is indeed the owner of the PIA. The verifier checks the certification and finally triggers the desired action for the asking individual. \end{enumerate} The above illustration is an early draft of the whole setup and is under constant development. A more recent version of the whole system can be found at the Digidow project page\footnote{\url{https://digidow.eu}}. This thesis will contribute a prototype setup the Biometric Sensor and discuss how to create trust into this system. \section{Our Contribution: Deriving Trust from the Biometric Sensor} The Digidow network is designed to preserve privacy and to build trust for any user. A key feature is to show the user that all involved parts of the system are working as intended. So we design a prototype based on the common x86 architecture and use the cryptographic features of \emph{Trusted Platform Modules} (TPM). A TPM is a passive crypto coprocessor available on many modern PC platforms which has an independent storage for crypto variables and provides functions to support above mentioned features. We define a solution for installing and booting a Linux Kernel with TPM-backed integrity measurements in place. We use an attached camera as example for a biometric sensor hardware to create the dataset to continue with the authentication process. This dataset will be combined with the integrity measurements of the system and a signature from the TPM and finally sent to the PIA for verification and further computation. By building a system with an integrated TPM, the system should be able to provide the following properties: \begin{itemize} \item \emph{Sensor Monitoring.} The system should be able to monitor the hardware sensor (fingerprint sensor, camera, etc.) itself. \item \emph{System Monitoring.} It should be possible to track the state of the system. Especially every modification of the system at hardware level should be detected. \item \emph{Freshness of Sensor Data.} To prevent replay attacks, the system should prove that the provided biometric data is captured live. \item \emph{Integrity of Sensor Data.} As it is possible for an adversary to modify the provided data during the identification process, integrity should guarantee that the data is unmodified until identification is done. \item \emph{Confidentiality of Sensor Data.} It should not be possible to eavesdrop any sensitive data out of the system. Furthermore almost all kinds of metadata (e.\,g. information about the system or network information) should not be published. \item \emph{Anonymity.} Given a message from a BS, an adversary should not be able to detect which BS created it. \item \emph{Unforgeability.} Only honest BS should be able to be part of the Digidow network. Corrupt systems should not be able to send valid messages. \end{itemize} The thesis focuses on a working setup as basis for future research. Since the Digidow protocols are not yet finalized, some assumptions are defined for this work and the prototype implementation: \begin{itemize} \item Any network discovery (Step 1 in \autoref{fig:globalview}) is omitted. BS and PIA are assumed to be reachable directly via TCP/IP. \item We look into a protocol which proves trustworthiness from BS to PIA. Any further proofs necessary for a Digidow Verifier are also not focused in this thesis. \item The sensitive datasets will be transmitted in cleartext between BS and PIA. It is considered easy to provide an additional layer of encryption for transportation. However this should be considered in the Digidow network protocol design. This thesis focuses only on the trust part between BS and PIA. \item Any built system is considered secure on a hardware level. Any threats which are attacking the system without changing any running software on the system may remain undetected. This includes USB wire tapping or debug interfaces within the system revealing sensitive information. \end{itemize} %TODO edit pointer \section{Description of structure} In \autoref{cha:relatedwork} we will outline a variety of projects which do not contribute to this thesis. There is, however, scientific work that is used as scientific background to this thesis as described in \autoref{cha:background}. This includes especially the theoretical foundations of the network protocol. Together with that, we will introduce our theoretical solution for the previously stated problems in \autoref{cha:concept}. Chapter~\ref{cha:implementation} introduces then a working implementation with all necessary parts for a working prototype. Finally we will present the results and limitations in \autoref{cha:conclusion} and give an overview of future work. \chapter{Related Work}\label{cha:relatedwork} There exist already a variety projects and implementations which touch the field of trusted computing. We will introduce some of these projects and discuss why these do not meet the purpose of this thesis. Schear et al.\,\cite{keylime16} developed a full featured trusted computing environment for cloud computing. They show in their paper how a TPM of a hypervisor can be virtualized and used by the guest operating system. This includes trusted bootstrapping, integrity monitoring, virtualization, compatibility with existing tools for fleet management and scalability. The concept of a well known virtual environment does, however, not apply to our contribution. Furthermore, the system should be self contained as good as possible and it should be possible to get information about the system via anonymous attestation. %TODO what about the integrity measurements of keylime? The \emph{Fast IDentity Online} Alliance (FIDO) is an organization which standardizes online authentication algorithms. When the first generation of TPMs were available, the consortium defined a standard for Direct Anonymous Attestation with Elliptic Curve cryptography (ECDAA). When the newer standard, TPM 2.0, was published, FIDO decided to update their algorithm to be compatible with recent developments. This standard is still in development; a draft version from February 2018 is published on the FIDO website\footnote{\url{https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html}}. %TODO reference to the discussion why TPM1.2 is not recommended anymore %TODO Is it noteworthy, that Xaptum claims to be compatible with FIDO ECDAA for TPM2? \begin{itemize} \item What exists in the field? \item Keylime -- DONE \item Xaptum ECDAA -- part of concept \item FIDO 2 ECDAA -- noteworthy in background? \item Strongswan Attestation -- \item Linux IMA -- mentioned in Background \item Secure Boot -- in difference to trusted boot \item Intel TXT \item Trusted Execution Environment (TEE) \item nanovm (\url{nanovms.com}) \end{itemize}