\chapter{Introduction} We all live in a world full of digital systems. They appear as PCs, notebooks, cellular phones or embedded devices. Especially the footprint of embedded computers became so small that they can be used in almost all electrical devices. These embedded systems form the so called \emph{smart} devices. With all these new devices, a lot of societal problems could be solved in the past few decades. Many of them automate services to the public like managing the bank account, public transportation or health services. The list of digital service is endless and will still grow in the next decades. The downside of all these digital services is that using these services generate a lot of data. Besides of the intended exchange of information, many of the services try to extract metadata as well. Metadata answers some of the following questions. Which IP is connected? What kind of device is that? Is the software of the device up to date? Was this device here in the past? What else did the owner on the device? This set of questions is not complete. Aggregating metadata is not required to fulfill the function of the requested service. However, reselling the metadata brings the provider more margin on the product and hence more profit. Consequently, the market for metadata is growing and yet only partly regulated. This is a downside of the service which may prevent users from actually using it. So the providers are hiding the aggregation functions in a proprietary layer. Either the software on a client device or the counterpart on the server side is using such a layer. The result is a piece of software which is provided as binary and the user cannot prove what this software is exactly doing besides the visible front end features. There are of course other purposes for delivering software in a closed source manner. Firmware of hardware vendors is usually not disclosed and provide an API where an \emph{Operating System} (OS) can connect to. Some companies deliver complete devices with internet connection. In this case a user has no chance to detect what the device is doing in this very moment. Especially when providing confidential data like passwords or biometric data, a certain level of trust is required. This means that the user assumes that the provided sensible data is handled properly for only the designated usage. One may argue that a password can easily be changed when revealed to the public. Unfortunately, this does not apply to a fingerprint since a human usually has only ten of them during lifetime. \section{Trust} When using a system with an authentication method, trust plays a key role. For black box systems this trust is cast to the vendor of the system or device. There is however no mathematical proof that the device is indeed executing the software as intended from the vendor. This thesis will therefore use the term \emph{trust} as a cryptographic chain of proofs, that a system is behaving in an intended way, a so called \emph{Chain of Trust}. By providing a Chain of Trust, a user can ask the vendor for a certification of its devices and consequently comprehend the state of the system at hand. \section{Project DigiDow} The Institute for Networks and Security is heavily using the cryptographic form of trust in the project \emph{Digital Shadow} (DigiDow). DigiDow introduces an electronic authentication system, which aims minimize generation of metadata on the system level and hence preserves privacy for their users. It furthermore should be scalable for nationwide or even worldwide applications and provide provable trust and integrity to the user. \begin{figure} \centering \includegraphics[width=0.9\textwidth]{../resources/globalview} \caption{Overview of the DigiDow authentication process} \label{fig:globalview} \end{figure} The picture in \autoref{fig:globalview} provide an overview of the authentication process within DigiDow. At the time of this writing, the exact order and definition of every step is not yet finished and may change during the progress of the whole project. DigiDow introduces three main parties which are involved in a common authentication process. \begin{description} \item[\emph{Personal Identity Agent} (PIA):] The PIA is the digital shadow of an individual who wants to be authenticated. This individual is also the owner of the PIA and should be able to manage sensible data and software on it. \item[\emph{Verifier} (V):] This is the party that verifies the whole authentication process and may finally trigger the desired action if all went well. \item[\emph{Biometric Sensor} (BS):] For Authentication, an individual has to be uniquely identified. The BS records therefore biometric data from the individual and passes it into the DidiDow network. \end{description} For scalability, we assume that there are large numbers of all parties. The illustration also shows a draft of how which steps need to be performed between above mentioned parties during an authentivation process. \begin{enumerate} \item[(1)] All relevant parties need to find each other via the DigiDow network. When this step is finished, it is assumed that for every step the individual hosts for communication are identifiable and ready for the authentication process. \item[(2)(3)] Eventually an individual wants to authenticate itself and the BS records the biometric data. With this data and a corresponding unique ID, the BS knows which PIA to contact. \item [(4)(5)(6)] The BS contacts the PIA and sends the recorded data set as well as a cryptographic signature to proof that the sensor is valid and this is an honest authentication attempt. \item [(7)] The PIA proofs authenticity of the received signature and compares the data with its own saved biometric data sets. Assuming all is correct, the PIA certifies that the person standing in front of the BS is indeed the owner of the PIA. The verifier checks the certification and finally triggers the desired action for the asking individual. \end{enumerate} The above illustration is an early draft of the whole setup and is under constant development. A more recent version of the whole system can be found at the DigiDow Project Page\footnote{\url{https://digidow.eu}}. This thesis will contribute a prototype setup the Biometric Sensor and discuss how to create trust into this system. \section{Our Contribution: Deriving Trust from the Biometric Sensor} The DigiDow network is designed to preserve privacy and build trust for any user. A key feature is to show the user that all involved parts of the system are working as intended. So we design a prototype based on the common x86 architecture and use the cryptographic features of the \emph{Trusted Platform Module} (TPM). A TPM is a passive crypto coprocessor available on many modern PC platforms which has an independent storage for crypto variables and provides functions to support above mentioned features. We define a solution for installing and booting a Linux Kernel with integrity measurements in place. Finally we use an attached camera as sensor to create the data set to continue with the authentication process. This data set will be forwarded to the PIA with the integrity measurements of the system and a signature from the TPM. The thesis focuses on a working setup as basis for future research. Since the DigiDow protocols are not yet finalized some assumptions are defined for this work and the prototype implementation: \begin{itemize} \item Any betwork discovery (Step 1 in \autoref{fig:globalview}) is omitted. BS and PIA are assumed to be reachable directly via TCP/IP \item We look into a protocol which proofs trustworthiness from BS to PIA. Any further proofs necessary for the Verifier are also not focused in this thesis. \item The sensible data sets will be transmitted in cleartext between BS and PIA. It is considered easy to provide an additional layer of encryption for transportation. However this should be considered in the DigiDow network protocol design. This thesis focuses only on the trust part between BS and PIA. \item Any built system is considered secure on a hardware level. Any threats which are attacking the system without changing any running software on the system may be not detected. This includes USB wire tapping or debug interfaces within the system revealing sensible information. \end{itemize} %TODO edit pointer \section{Goals and Definitions} You should be able to attach a variety of sensors to the system. The system should then fulfill the following requirements \begin{itemize} \item \emph{Sensor Monitoring.} The system should be able to monitor the hardware sensor (fingerprint sensor, camera, etc.) itself. \item \emph{System Monitoring.} It should be possible to track the state of the system. Especially every modification of the system should be detected. \item \emph{Freshness of Sensor Data.} To prevent replay attacks, the system should proof that the provided biometric data is captured live. \item \emph{Integrity of Sensor Data.} As it is possible for an adversary to modify the provided data during the capturing process, integrity should guarantee that the data originates from the BS. \item \emph{Confidentiality of Sensor Data.} It should not be possible to eavesdrop any sensitive data out of the system. Furthermore almost all kinds of metadata (e.\,g. information about the system or network information) should not be published \item \emph{Anonymity.} Given a message from a BS, an adversary should not be able to detect which BS created it \item \emph{Unforgeability.} Only honest BS should be able to be part of the DigiDow network. Corrupt systems should not be able to send valid messages. \end{itemize} Usage Model of Biometric Sensor This thesis will describe a system, which is part of the Digital Shadow network. Therefore it has to meet the common principles in information security, namely: \begin{itemize} \item \emph{Availability}: \item \emph{Integrity}: ISO 27000 (Data Integrity) \item \emph{Confidentiality}: ISO 27000 \end{itemize} Upon AIC it should be possible for users to prove honesty of the system. This is what \emph{trust} defines in information security \subsection{Requirements} \begin{itemize} \item given a set of software, this system should provide information that exactly this version of software is running on the system. (Integrity) \item The system must furthermore show that it is a member of valid biometric sensors (Attestation) \item All the given information should be anonymized. It should not be possible to gain any other information about the system (Anonymity) \item It should be ensured that no sensitive data is stored at the biometric sensor \end{itemize} Scope of this thesis is on implementing the system from from hardware to application layer. Is is not supposed to think about the network communication. \section{Description of structure} In Chapter~\autoref{cha:relatedwork} we will outline a variety of projects which do not contribute to this thesis. There is, however, scientific work that contribute to our project as described in \autoref{cha:concept}. Together with that, we will introduce our theoretical solution for the previously stated problems. This includes an overview of the cryptographic system and the used standards. Chapter~\ref{cha:implementation} introduces then a working implementation with all necessary parts for correct function. Finally we will present the results and limitations in \autoref{cha:conclusion} and give an overview of future work. \chapter{Related Work}\label{cha:relatedwork} There exist already many interesting projects and implementations which touch the field of trusted computing. We will introduce some of these projects and discuss why these do not meet the purpose of this thesis. Schear el.\,al.\@ developed a full featured trusted computing environment for cloud computing. They show in their paper how a TPM of a hypervisor can be virtualized and used by the guest operating system. This includes trusted bootstrapping, integrity monitoring, virtualization, compatibility with existing tools for fleet management and scalability\cite{keylime16}. The concept of a well known virtual environment does, however, not apply to our contribution. Furthermore, the the system should be self contained as good as possible and it should be possible to get information about the system via anonymous attestation. %TODO what about the integrity measurements of keylime? \begin{itemize} \item What exists in the field? \item Keylime -- DONE \item Xaptum ECDAA \item FIDO 2 ECDAA \item Strongswan Attestation \item Linux IMA \item Secure Boot \item Intel TXT \item Trusted Execution Environment (TEE) \item nanovm (\url{nanovms.com}) \end{itemize}