\documentclass{beamer} \usepackage{graphicx} \usepackage{color} \usepackage{dingbat} \usetheme{Madrid} \title[TPM Provisioning]{TPM Provisioning} \author{Ariel Segall \\ ariels@alum.mit.edu} %\institute{MITRE Corporation} \date{Day 1\\ \bigskip Approved for Public Release: 12-2749. \\Distribution unlimited} %\date{May 30, 2012} \begin{document} \begin{frame} \maketitle \end{frame} \begin{frame}{License} All materials are licensed under a Creative Commons ``Share Alike'' license. \begin{itemize} \item http://creativecommons.org/licenses/by-sa/3.0 \end{itemize} \includegraphics[width=4in]{creativecommons.png} \end{frame} \begin{frame}{What We'll Be Covering} \begin{itemize} \item What do we mean by provisioning? \item Turning on the TPM \item The Endorsement Key: Theory vs. Reality \item Provisioning TPM Keys \item Certifying the EK (and other variations) \end{itemize} \end{frame} \begin{frame}{What is TPM Provisioning?} In short: getting the TPM ready to use. \medskip Several components; not all required in all cases \begin{itemize} \item Turning the TPM on \item Making sure it has an Endorsement Key \item Making sure it has an Endorsement Credential \item Taking ownership \item Creating any initial keys \item Certifying these keys \end{itemize} \end{frame} \begin{frame}{Why Provisioning Matters} We can do all kinds of wonderful things by rooting trust in hardware. But: \medskip \textbf{How do we know we're actually communicating with the TPM?} \medskip Provisioning is how we establish trust in the TPM itself. \medskip \textbf{\color{red} If provisioning is not done properly, an adversary can undetectably pretend to be our TPM.} \end{frame} \begin{frame}{Where Trust is Established} \begin{itemize} \item We prove that we are talking to the TPM using keys. \item All of our trust is rooted in \textbf{the association of a key with the TPM}. \item The TPM has capabilities for certifying new keys, given a root key. \item \textbf{Security is essential when provisioning and certifying the root key}. \item Other steps in the provisioning process, like turning on the TPM, are less sensitive. \begin{itemize} \item If we're wrong about having turned it on, just a DoS \item No loss of trust in the TPM \end{itemize} \end{itemize} \end{frame} \begin{frame}{What We'll Be Covering} \begin{itemize} \item What do we mean by provisioning? \item {\color{red}Turning on the TPM} \item The Endorsement Key: Theory vs. Reality \item Provisioning TPM Keys \item Certifying the EK (and other variations) \end{itemize} \end{frame} \begin{frame}{Turning on the TPM} \begin{itemize} \item TPMs are turned on in the BIOS menu. \item Each BIOS varies in location \begin{itemize} \item Common: ``Security'', ``TPM Security'', ``Security Chip'' \end{itemize} \item TPM technically has two different versions of ``on/off'': \begin{itemize} \item Activated/Deactivated \item Enabled/Disabled \end{itemize} \item To use the TPM, it must be both Activated and Enabled. \begin{itemize} \item Some BIOSes group these into a single option. \end{itemize} \item A few systems require multiple reboots to turn the TPM on. \end{itemize} \end{frame} \begin{frame}{Aside: Clearing the TPM} \begin{itemize} \item Some BIOSes also provide a \textbf{Clear} option for the TPM \item Clearing the TPM erases the Storage Root Key and owner \begin{itemize} \item This makes all keys and encrypted data useless! \end{itemize} \item Normally used before transferring machine to new owner \item Some BIOSes automatically turn the TPM off after clearing. \end{itemize} \textbf{If your BIOS offers a Clear option, adding a BIOS password reduces the risk of an accidental DoS.} \end{frame} \begin{frame}{Demo: Turning on a TPM in the BIOS} \end{frame} \begin{frame}{What We'll Be Covering} \begin{itemize} \item What do we mean by provisioning? \item Turning on the TPM \item {\color{red}The Endorsement Key: Theory vs. Reality} \item Provisioning TPM Keys \item Certifying the EK (and other variations) \end{itemize} \end{frame} \begin{frame}{Review and Expand: Endorsement Key} \begin{itemize} \item EK is root key for reporting \item TPM's unique identifier \item Only directly used to establish trust in TPM identities \begin{itemize} \item ..but identities certify all other keys and sign TPM reports \end{itemize} \item Source of all remote trust in TPM \begin{itemize} \item ``EK belongs to good TPM; key K in same TPM as EK; so trust K'' \item ``K belongs to good TPM, so PCR quote is reliable'' \item All comes back to EK! \end{itemize} \item Generally last lifetime of TPM \begin{itemize} \item Revokable EKs are in spec, but not always implemented \end{itemize} \end{itemize} \end{frame} \begin{frame}{The Endorsement Key, According to the TCG} According to the TPM spec: \begin{itemize} \item The TPM manufacturer creates the TPM's EK as part of manufacturing \begin{itemize} \item Unique to each TPM and secret; process not specified \end{itemize} \item Each TPM is shipped with an \textit{Endorsement Credential (EC)} in NVRAM \begin{itemize} \item Signed by manufacturer \item Claim: ``I created this TPM, and this is its root key'' \item Anyone can verify to trust TPM if they trust manufacturer \end{itemize} \item TPMs can be trusted immediately, by tracing keys back to EK \end{itemize} \medskip \begin{center} \onslide<2-> Reality is somewhat different. \end{center} \end{frame} \begin{frame}{The Endorsement Key, Today} \begin{itemize} \item Many TPM manufacturers do not include an EK at all. \begin{itemize} \item \onslide<2->{\textbf{EK must be created during provisioning.}} \end{itemize} \item Most TPM manufacturers that do include an EK do not include EC \begin{itemize} \item \onslide<2->{\textbf{New or not, EK must be certified during provisioning}} \end{itemize} \item If EC included, verification process unclear \end{itemize} \medskip \begin{center} For today's machines, we can't rely on the TCG process to establish EK trust. \end{center} \end{frame} \begin{frame}{What We'll Be Covering} \begin{itemize} \item What do we mean by provisioning? \item Turning on the TPM \item The Endorsement Key: Theory vs. Reality \item {\color{red}Provisioning TPM Keys} \item Certifying the EK (and other variations) \end{itemize} \end{frame} \begin{frame}{The Provisioning Process} In brief: \begin{enumerate} \item Establish trusted environment \item Create EK, if necessary \item Record public EK for later certification \item Take ownership of TPM \item (Optional) Create additional TPM keys; save for later use \item (Optional) Record public half of additional keys for later certification \end{enumerate} \end{frame} \begin{frame}{Establishing a Trusted Environment (1/2)} \begin{itemize} \item Threat to avoid: malware or adversary masquerading as TPM \begin{itemize} \item Low risk, catastrophic damage-- all future trust undermined \end{itemize} \item Ideal: minimal, trusted, software; no network access \begin{itemize} \item Boot CD with minimal Linux, no network drivers \item Data transferred off via writeable CD \end{itemize} \item Enterprises sometimes require compromises \begin{itemize} \item Live CD requires technician running program on every machine:\\ high trust, high cost, hard to scale \item Script remotely run on windows: extremely low trust, but fast and scalable \end{itemize} \end{itemize} \end{frame} \begin{frame}{Establishing a Trusted Environment (2/2)} \textbf{Recommendation:} \begin{itemize} \item Use trusted process when machines first acquired \begin{itemize} \item IT department installing software anyway \item Low additional overhead, trained personnel \end{itemize} \item Use lower-security process for most machines in field \begin{itemize} \item Average machine has lifespan of only a few years \item Threat often not a big enough concern to warrant cost \end{itemize} \item Use high-security on-site process for critical machines \begin{itemize} \item Limited set; reduced scaling problems \item Maintain maximal trust where it matters most \end{itemize} \item \textbf{Certify with different keys, so low-trust machines can be phased out easily over time} \end{itemize} \end{frame} \begin{frame}{The Provisioning Process} In brief: \begin{enumerate} \item Establish trusted environment $\checkmark$ \item Create EK, if necessary \item Record public EK for later certification \item Take ownership of TPM \item (Optional) Create additional TPM keys; save for later use \item (Optional) Record public half of additional keys for later certification \end{enumerate} \end{frame} \begin{frame}{Creating the Endorsement Key} \begin{itemize} \item \texttt{TPM\_CreateEndorsementKeyPair} \begin{itemize} \item Some platforms provide more user-friendly tools \begin{itemize} \item \texttt{tpm\_createek} command line tool in linux tpm-tools package \end{itemize} \item Creates EK permanent for life of TPM \item \textbf{Usually used} \end{itemize} \item \texttt{TPM\_CreateRevocableEK} \begin{itemize} \item Optional command; some TPMs may not support it \item No convenient preexisting utilities \item Creates EK which can be revoked using authorization set at creation \item Tradeoffs: more control over TPM history, but opens DoS avenue \end{itemize} \item Either command will produce an error if an EK already exists. \end{itemize} \end{frame} \begin{frame}{The Provisioning Process} In brief: \begin{enumerate} \item Establish trusted environment $\checkmark$ \item Create EK, if necessary $\checkmark$ \item Record public EK for later certification \item Take ownership of TPM \item (Optional) Create additional TPM keys; save for later use \item (Optional) Record public half of additional keys for later certification \end{enumerate} \end{frame} \begin{frame}{Retrieving the Public EK} \begin{itemize} \item \texttt{TPM\_ReadPubek} \begin{itemize} \item Retrieves public portion of Endorsement key \begin{itemize} \item No way to retrieve private portion! \end{itemize} \item Must be executed before ownership is taken! \begin{itemize} \item The public EK can be read later, but much more complicated \end{itemize} \end{itemize} \item Public EK must be saved for transfer to CA \item \textbf{Recommend human write down key fingerprint for verification} \begin{itemize} \item Or other out-of-band mechanism to make sure saved key is the one certified \end{itemize} \item Note: Public EK is (as name suggests) not secret: we only care about integrity \end{itemize} \end{frame} \begin{frame}{The Provisioning Process} In brief: \begin{enumerate} \item Establish trusted environment $\checkmark$ \item Create EK, if necessary $\checkmark$ \item Record public EK for later certification $\checkmark$ \item Take ownership of TPM \item (Optional) Create additional TPM keys; save for later use \item (Optional) Record public half of additional keys for later certification \end{enumerate} \end{frame} \begin{frame}{Taking Ownership (1/2)} When taking ownership, two authorization values (passwords) are set: \begin{itemize} \item An owner authorization value \begin{itemize} \item Used to change TPM configuration, create identities \item Less security critical than, e.g., root password \item Enterprises may wish to use standard values to simplify management \item Owner privileges can be individually delegated if access needed \end{itemize} \item A SRK authorization value \begin{itemize} \item Called for whenever the SRK is used\ldots which is often! \item Unless you're doing something unusual, \textit{every time you load another TPM key}. \item \textbf{Strongly recommend using the well-known secret} \begin{itemize} \item Effectively, no password. \end{itemize} \item If you want to protect data with a password, create another key later. \end{itemize} \end{itemize} \end{frame} \begin{frame}{Taking Ownership (2/2)} \begin{itemize} \item \texttt{TPM\_TakeOwnership} \item Linux utility tpm\_takeownership exists in tpm-tools package \item Windows 7 has a utility that will enable the TPM and take ownership, but: \begin{itemize} \item \textbf{There are reports that taking ownership with the Windows utility will result in a TPM unable to be used by anything except Bitlocker.} \end{itemize} \item Taking ownership creates the SRK and set the owner authorization. \item Owner remains until TPM is cleared, although auth can be changed. \end{itemize} \end{frame} \begin{frame}{The Provisioning Process} In brief: \begin{enumerate} \item Establish trusted environment $\checkmark$ \item Create EK, if necessary $\checkmark$ \item Record public EK for later certification $\checkmark$ \item Take ownership of TPM $\checkmark$ \item (Optional) Create additional TPM keys; save for later use \item (Optional) Record public half of additional keys for later certification \end{enumerate} \end{frame} \begin{frame}{Creating Additional TPM Keys} How of key creation later. For now: Why? \begin{itemize} \item Creating keys during provisioning can be practical \begin{itemize} \item Identity keys require owner approval; easiest now if owner is IT \item Can create and put in standard locations for apps \item Can make sure all users have standard utility set \end{itemize} \item Can shortcut key certification \begin{itemize} \item \textit{Not recommended long-term approach!} Not scalable. \item Key certification complicated-- more on that later \item Already doing direct certification of EK; can certify other keys as well with no decrease in trust \item \textit{In this case}, public halves of keys should be recorded for certification \item As with the EK, a fingerprint or other verification mechanism recommended. \end{itemize} \item No keys other than EK, SRK required! \end{itemize} \end{frame} \begin{frame}{The Provisioning Process} In brief: \begin{enumerate} \item Establish trusted environment $\checkmark$ \item Create EK, if necessary $\checkmark$ \item Record public EK for later certification $\checkmark$ \item Take ownership of TPM $\checkmark$ \item (Optional) Create additional TPM keys; save for later use $\checkmark$ \item (Optional) Record public half of additional keys for later certification $\checkmark$ \end{enumerate} \end{frame} \begin{frame}{What We'll Be Covering} \begin{itemize} \item What do we mean by provisioning? \item Turning on the TPM \item The Endorsement Key: Theory vs. Reality \item Provisioning TPM Keys \item {\color{red} Certifying the EK (and other variations)} \end{itemize} \end{frame} \begin{frame}{Certifying the EK} We currently have: \begin{itemize} \item A TPM with an uncertified EK \item A public EK with verification mechanism \end{itemize} We want to create an Endorsement Credential: \begin{itemize} \item Certificate claiming EK is Endorsement Key of legit TPM \item Signed by enterprise CA \item Containing relevant info about TPM \begin{itemize} \item e.g., machine identifier, TPM manufacturer, version\ldots \end{itemize} \end{itemize} \end{frame} \begin{frame}{Challenges of EK Certification} \begin{itemize} \item Most commercial CAs expect x.509 certificate signing requests \begin{itemize} \item Self-signed request \item EK not capable of signing request! (Nor are most other TPM keys.)\ \item Need to update CA to accept request based on good process \begin{itemize} \item No actual security loss- self-signing adds nothing to trust \end{itemize} \end{itemize} \item Certification, like provisioning, needs to guarantee association \begin{itemize} \item Is the public EK being certified the same was created? \item If sent over network, rewritable media: verify integrity \end{itemize} \end{itemize} Otherwise, certification is pretty standard. \end{frame} \begin{frame}{Certifying Non-EK Keys} \begin{itemize} \item Can establish trust in other provisioned keys in same way as EK \item Same challenges apply! \item Certificates should clearly establish key type \begin{itemize} \item Should not be possible to mistake for EK! \end{itemize} \item If multiple certification mechanisms used (more on this soon), distinguish provisioning-certified keys from cryptographically certified keys \begin{itemize} \item Just good practice! Allows better revocation if needed. \end{itemize} \end{itemize} \end{frame} \begin{frame}{Provisioning Review} \begin{itemize} \item Process to establish initial trust in TPM \item Performed in trusted environment for security \item Create and certify Endorsement Key \item Take ownership, creating SRK \item Optionally create other TPM keys \end{itemize} \end{frame} \begin{frame}{Questions?} \end{frame} \end{document}