\documentclass[naustrian,notes]{beamer} \input{header} %Titelinformationen \title[Digidow Biometric Sensor]{Digital Shadow: Biometric Sensor} \subtitle{Master's Thesis Seminar} \author[Michael Preisach]{Michael Preisach} \date{November 19, 2019} \institute[INS]{\includegraphics[width=0.1\textwidth]{../../resources/ins}} \begin{document} \begin{frame} \titlepage \end{frame} \begin{frame} \frametitle{Project Overview Digital Shadow} \begin{figure} \centering \includegraphics[width=0.9\textwidth]{../../resources/globalview} \end{figure} \end{frame} \begin{frame} \frametitle{Chain of Trust} \begin{itemize} \item Manufacturer of TPM creates certificate \item Core Root of Trust: key seed \item \texttt{tpm2\_CreatePrimary} to generate new EK \end{itemize} \begin{figure} \centering \includegraphics[width=0.9\textwidth]{../../resources/tpmcert} \end{figure} \end{frame} \begin{frame} \frametitle{Chain of Trust - Platform Configuration Register (PCR)} \begin{itemize} \item Booting with TPM2 (PCR0-7) \begin{description} \item[\texttt{PCR0}] EFI Boot Services, EFI Runtime Services, Platform Firmware \item[\texttt{PCR1}] ACPI, SMBIOS, \ldots \item[\texttt{PCR2}] Option ROMs, Drivers from disks, \ldots (not relevant) \item[\texttt{PCR4}] EFI/Legacy os Loader \item[\texttt{PCR5}] EFI Partition, GPT, OS Partition Table \end{description} \item Grub2.04 supports TPM2 (PCR8,9) \footnote{\url{www.gnu.org/software/grub/manual/grub/grub.html\#Measured-Boot}} \begin{description} \item[\texttt{PCR8}] Kernel-, Module- and all other commands \item[\texttt{PCR9}] All files read by GRUB \end{description} \item Linux uses PCR10-15 \end{itemize} \end{frame} \begin{frame} \frametitle{Problem: Create Trust between BS and PA} \begin{itemize} \item Network discovery \item \textbf{No Knowledge about BS} \begin{itemize} \item \textbf{Hardware} \item \textbf{Software} \item \textbf{Am I talking to a valid BS} \item Correct client to certify identity for given biometric data \end{itemize} \item \textbf{BS faces same problem with PA} \item Establish a secure channel to submit sensitive data \end{itemize} \end{frame} \begin{frame} \frametitle{Solution: Direct Anonymous Attestation (DAA)} \begin{center} \includegraphics[width=0.7\textwidth]{../../resources/daa} \end{center} \begin{itemize} \item based on group signatures \item Zero Knowledge Proof to verify group membership \item defines 3 Parties \begin{itemize} \item \emph{Issuer}: provides public key for a group (e.g. all Biometric Sensors) and manages group memberships \item \emph{Member}: holds a group private key to sign messages (e.g. a Biometric Sensor) \item \emph{Verifier}: knows the group public key and is able to verify correctness of signature (e.g. Personal Agent) \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{ECDAA Setup} \begin{itemize} \item Choose TPM-supported pairing-firendly Elliptic Curve: FP256BN \item Generate Issuer keypair \item $isk = (x,y)$ \item $ipk = (q,\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e, X, Y)$ \item Publish ipk \end{itemize} \end{frame} \begin{frame} \frametitle{ECDAA Member Join} \begin{center} \includegraphics[width=0.9\textwidth]{../../resources/daajoin} \end{center} \end{frame} \begin{frame} \frametitle{ECDAA Member Sign} \begin{center} \includegraphics[width=0.9\textwidth]{../../resources/daajoin} \end{center} \end{frame} \begin{frame} \frametitle{ECDAA Member Verify} \begin{center} \includegraphics[width=0.9\textwidth]{../../resources/daajoin} \end{center} \end{frame} \begin{frame} \frametitle{DAA Setup: Issuer creates Bilinear Group and Keys} \[ q,\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e \] \begin{itemize} \item $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$: groups of prime order $q$ \item $g_1 \in \mathbb{G}_1$, $g_2 \in \mathbb{G}_2$: generator points \item $e$: bilinear map with properties \begin{itemize} \item \emph{Bilinear}: For all $P \in \mathbb{G}_1, Q \in \mathbb{G}_2$, for all $a,b \in \mathbb{Z}$, $ e(P^a,Q^b) = e(P,Q)^{ab}$ \item \emph{Non-degenerate}: There exists some $P \in \mathbb{G}_1, Q \in \mathbb{G}_2$ such that $e(P,Q) \neq 1$, where 1 is the identity of $\mathbb{G}_T$ \item \emph{Efficient}: There exists an efficient algorithm for computing $e$ \end{itemize} \item Choose secret key $x\leftarrow\mathbb{Z}_q$, $y\leftarrow\mathbb{Z}_q$ \item generate public key $X=g_2^x$, $Y=g_2^y$ \item $ipk = (q,\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e, X, Y)$ \item $isk = (x,y)$ \end{itemize} \end{frame} \begin{frame} \frametitle{Bilinear Maps - Sign Messages} \begin{itemize} \item Simplified Example: $\mathbb{G}_1 = \mathbb{G}_2$ \item $pk = (q,\mathbb{G}_1, \mathbb{G}_T, g_1, g_T, e, X, Y)$ \item Given message $m$ \end{itemize} \begin{columns}[t] \begin{column}{4cm} \emph{Signer:} \begin{itemize} \item Compute Signature $\sigma(a,b,c)$ \begin{itemize} \item $a \in \mathbb{G}_1$ \item $b = a^y$ \item $c = a^{x+mxy}$ \end{itemize} \item Send(m, $\sigma$) \end{itemize} \end{column} \begin{column}{6cm} \emph{Verifier:} \begin{itemize} \item Check, that \begin{small} \begin{displaymath} \underline{e(a,Y)} = e(a,g^y) = e(a^y,g) = \underline{e(b,g)} \end{displaymath} \begin{displaymath} \underline{e(X,a)\cdot e(X,b)^m} = e(g,a)^x \cdot e(g,a)^{xym} \end{displaymath} \begin{displaymath} = e(g,a)^{x+xym} = \underline{e(g,c)} \end{displaymath} \end{small} \end{itemize} \end{column} \end{columns} \end{frame} \begin{frame} \frametitle{Bilinear Maps: Zero Knowledge Proofs} \begin{itemize} \item Do the same as before, but choose to additional random variables $r$ and $r'$ \end{itemize} \end{frame} \begin{frame} \frametitle{DAA Join: Member joins to Issuer's Group} \begin{center} \begin{footnotesize} \begin{tabular}{|lclcl|}\hline \multicolumn{1}{|c}{TPM}&&\multicolumn{1}{c}{Host}&&\multicolumn{1}{c|}{Issuer}\\\hline &&&$\xrightarrow{\text{JOIN}}$&$n\leftarrow\{0,1\}^{ln}$\\ $gsk\leftarrow\mathbb{Z}$&$\xleftarrow{\makebox[5mm]{n}}$&&$\xleftarrow{\makebox[5mm]{n}}$&\\ $Q\leftarrow g_1^{gsk}$&&&&\\ $\pi_1\rightarrow SPK\{(\alpha):g_1^\alpha\}$&$\xrightarrow{Q,\pi_1}$&&$\xrightarrow{Q,\pi_1}$&verify $\pi_1$\\ &&&&$r\leftarrow\mathbb{Z}_q$\\ &&&&$a\leftarrow g_1^r$\\ &&&&$b\leftarrow a^{x+ym}$\\ &&&&$c\leftarrow a^x\cdot Q^{rxy}$\\ &&&&$d\leftarrow Q^{ry}$\\ &&&&$\pi_2\leftarrow SPK\{(t):$\\ &&$e(a,X)\cdot e(c,Y)$&$\xleftarrow{a,b,c,d,\pi_2}$&$ b=g_1^t \wedge d=Q^t\}$\\ verify $\pi_2$&$\xleftarrow{b,d,\pi_2}$&$\stackrel{?}{=}e(b,g_2)$&&\\ store($gsk, b, d$)&$\xrightarrow{JOINED}$&store($a,b,c,d$)&&\\\hline \end{tabular} \end{footnotesize} \end{center} \end{frame} \end{document}