6.857 Computer and Network Security
October 17, 2002
Lecture Notes 12 : TCPA and Palladium
Lecturer: Pato/LaMacchia
Scribe: Barrows/DeNeui/Nigam/Chen/Robson/Saunders/Walsh
Joe Pato of Hewlett-Packard presented the Trusted Computing Platform Alliance (TCPA). Brian
LaMacchia of Microsoft presented Palladium. Barrows, DeNeui, and Nigam scribed the notes on
TCPA. Chen, Robson, Saunders, and Walsh scribed the notes on Palladium. Slides from both
speakers are available on the 6.857 Web site.
TCPA
Outline
Why Trusted Computing Platforms
The Trusted Computing Platform Alliance
TCPA Concepts
TCPA Feature Set
Benefits of TCPA
1
Why Trusted Computing Platforms
The overall goals of a trusted computing platform are to increase business and customer confidence
with the security of a platform, to reduce business risks associated with insecurely storing data, and
additionally to protect end-user private data.
A trusted computing platform should address questions such as: Can I trust a target machine to
behave in an expected manner (maybe based on past performance)? Can I have confidence in
interacting with the platform? Can I trust you (the user) to be what you say you are?
A Trusted Computing Platform should:
Recognize that a platform has known properties
Identify that a system will behave as expected
Enable a user to have more confidence in the behavior of the platform in front of them
0
May be freely reproduced for educational or personal use.
1
2
3
TCPA CONCEPTS
Reduce business risks by enabling trust in the behavior of critical information systems
Protect end user private data and information by enabling trust in end systems (unknown if
current technology trajectory will lead to this result)
2
The Trusted Computing Platform Alliance (TCPA)
Doomsayers claim the TCPA is the conspiracy to prevent artistry, anonymity, or assembly. Others
wonder if TCPA is the conspiracy in prelude to the apocalypse, and wonder if this is the end of free
computing. Some skeptics question how the TCPA will know the end has been reached and wonder
if we are getting on the slippery slope to 'Big Brother' baked into a computer. Joe Pato said that
his lecture will demonstrate that TCPA is none of these.
History
The TCPA is an industry group started in 1998. It was founded by Compaq, HP, IBM, Intel, and
Microsoft. Currently the group has 180 members from the hardware, software, communications,
and security technology industries. The group is focused on defining and advancing the concept
of trusted computing. Competition in the security space and the need for cheap cryptography
prompted creation of this group. The companies also needed to bypass crypto export regulations,
and as a result wanted to work towards this goal with other players in the field.
The TCPA Charter
Provide a ubiquitous and widely adopted means to address trustworthiness of computing plat-
forms
Publish an open specification for public review
Define a technology specification that can be applied to any type of computing platform
3
TCPA Concepts
Definition: A platform can be trusted if it behaves in the expected manner for the intended purpose.
TCPA Technology provides the mechanisms for:
Platform authentication and attestation -- is this platform actually a TCPA platform?
Platform integrity reporting -- has this TCPA platform been modified in any fashion?
Protected storage -- enabling secure stable storage in the presence of adversaries, architecture
enables root of trust that allows third parties to rely on this trust
3
Figure 1: The Authenticated Boot Process (courtesy of Joe Pato, HP Labs)
To achieve this, TCPA relies on the concept of a root of trust. A third party can rely on information
provided by a platform's root of trust. The root of trust must be able to report on software that has
been executed, and must be able to keep secrets from the rest of the platform. There are two roots
of trust and it is necessary to trust these roots of trust for TCPA mechanisms to be relied upon.
A root of trust for reporting -- The component that can be trusted to store and report reliable
information about the platform
A root of trust for measurement -- The component that can be trusted to reliably measure
and report to the root of trust for reporting what software executes on platform boot
The Trusted Platform Module (TPM)
The TPM is the Root of Trust for Reporting and is uniquely bound to a single platform. TPM
functions and storage are isolated from all other components of the platform. The TPM is tamper
resistant and tamper evident. It also contains various cryptographic functions and properties includ-
ing PRNG, key storage, and some cryptographic functions. However, there is no bulk cryptography
built into the TPM.
The Core Root of Trust for Measurement (CRTM)
The CRTM is the first piece of code that executes on a platform at boot time. It must be trusted
to property report to the TPM what software executes after it. The CRTM reports a hash of the
BIOS to the TPM, the TPM stores this, and then CRTM passes off control to the BIOS. The BIOS
hashes various ROMS associated (i.e. the OS Loader) with bootup, TPM securely stores this, the
BIOS then loads and executes ROM procedures.
Q: How does CRTM ensure that the boot is authentic?
A: The CRTM builds a chain of hash codes for each portion of the boot. This chain is used to
ascertain exactly what software was loaded on boot, the user can then check this with past
boot chains and gauge if the boot sequence has been tampered with.
4
4
THE TCPA FEATURE SET
4
The TCPA Feature Set
Platform Authentication
Integrity Reporting
Protected Storage
Platform Authentication
TCPA provides for the TPM to have control over multiple pseudonymous attestation identities. TPM
attestation identities do not contain any owner or user related information. A platform identity
attests to platform properties. No single TPM identity is ever used to digitally sign data, this
provides privacy protection. A TPM identity certification is required to attest to the fact that they
identify a genuine TCPA platform. The TPM identity creation protocol allows for the choice of
different Certification Authorities (Privacy-CA) to certify each TPM identity to prevent correlation
of the TPMs.
Integrity Reporting
To trust that the TPM is a genuine TPM on a genuine trusted platform, the measurements reported
to the TPM during (and after) the boot process cannot be removed or deleted until reboot. Adding
each step in the boot process to the TPM hash vector ensures that no hiding code can execute on
a platform. The TPM will use an attestation identity to sign the integrity report. The recipient
of integrity information can evaluate trustworthiness of the information based on the certificated of
this attestation identity.
Protected Storage
The TCPA allows for protected storage, but no generic encryption device is required. Cryptographic
keys can be created that are protected by the TPM. Data can be encrypted using the TPM and can
only be decrypted using this same TPM. Additionally, the root TPM key can be used to create a
hierarchy of sealed keys, of which only the root key lives in the TPM while others live (encrypted)
on the hard drive. This allows the user to build new keys from the original TPM key and ensures
that the TPM public key is not released. Keys in this hierarchy-space can be migrateable, or not,
depending on how they are created by the software/OS or by the manufacturer.
Privacy-Positive design
The ultimate TPM functionality control goes to the owner (i.e. platform administrator). TPM
activation is controlled by the owner, while TPM deactivation is available to the individual users.
Additionally, to ensure privacy no single TPM identity is ever used to digitally sign data and multiple
pseudonymous IDs are allowed, which limits correlation. Remote control of the TPM is enabled by
5
challenge response protocols for authorization mechanisms. Unfortunately, since the CA knows all
the keys that have been generated, the CA can correlate identities to platforms.
Conformance
The parties involved have various responsibilities. The TCPA's role is that the TPM protection
profile is to be completed and will include CRTM and connection to platform. The manufacturers'
role is to create a security target, and produce a product design evaluation.
5
Benefits of TCPA
In the short and middle term, TCPA allows for more securely encrypted data and provides for the
measurement of integrity metrics of the software environment on the TCPA platform. In the long
term, we can learn what software is running on a machine and have confidence in the information
about the software environment and identity of a remote party, enabling higher levels of trust when
interacting with this party.
PDF 
ZIP