Trusted Computing & Pseudonymity : An Introduction and Survey Gaurav Veda Email: [email protected] Supervisors: Dr. Deepak Gupta, Dr. Dheeraj Sanghi Supervisors’ Email: fdeepak, [email protected] Department of Computer Science and Engineering Indian Institute of Technology Kanpur, UP, INDIA - 208016 Abstract— This report is in two parts. In the first part I talk Trusted Computing about Trusted Computing, while in the second part the focus is on pseudonymity. I. INTRODUCTION AND MOTIVATION In today’s world, security is of primary concern. Data of ever increasing value is being created and stored on PC’s. At A. Client security is important the same time, more and more vulnerabilities are being found in existing software . Till now, the main focus of security has In today’s world, security is of primary concern. Data of been servers and networks, while clients have remained relatively ever increasing value such as passwords, credit card num- unprotected. Also, most of the mechanisms in place for client security are software based. It is increasingly being felt that bers etc. is being created and stored on PC’s. At the same client security should be given much more importance and that time, attacks are outpacing today’s protection models. Highly a purely software based mechanism is inadequate in providing sophisticated tools are now readily available. Moreover due the required level of security. It was with this in mind that to the internet and ubiquitous connectivity (wired as well as people and organizations started exploring the idea of security wireless), attackers have remote access to the clients. Many through hardware enhancements and a whole new paradigm of Trusted Computing was born. The idea was to come up with times, they also have financial incentives for attaking a client. appropriate hardware modifications that would help in providing More and more vulnerabilities are being found in existing security against software attacks on clients. Here, I will present software and attackers are exploiting them continually to their the suggested enhancements and look at the proposed security advantage. Till now, the main focus of security has been mechanism. This technology is no longer on paper and companies servers and networks, while clients have remained relatively such as Intel, IBM etc. have started selling PC’s with some of the required enhancements. unprotected. Due to the above reasons and many more, it has An important component of Trusted Computing is Attestation. become important to protect clients as well. This is the ability of a system to prove its security properties to a remote system. However, this immediately raises questions of B. Software alone is not good enough privacy. Although we want to prove our credentials to a remote host, we do not want it to know any other identifying information Today, most of the mechanisms in place for client security about us. This leads us to the more general problem of protecting are purely software based eg. passwords, antivirus etc. It is user privacy. Users want the ability to control the information increasingly being felt that a purely software based approach that others know about them and also to be able to monitor and control its use. Currently, the way computers are used to is not good enough. Many of these approaches rely on the carry out transactions, user privacy is being compromised since OS. So, if the OS is compromised, then they are rendered organisations and other users get to know much more informa- ineffective. Since the OS is a large piece of code (easily over tion than what is necessary. We need anonymity in transactions. a million lines of code), there are many vulnerabilities in the At the same time, we want to safeguard against malicious users OS code itself that are being continually found and exploited. who try to exploit the system. In this report, I will present a simple anonymous credential system proposed by Chaum [1]. A Also, many malicious software (such as viruses, keyloggers credential system is a system in which users can obtain credentials etc.) hide themselves behind normal programs and often the from some organizations and demonstrate their possession. It is user doesn’t even know that they have been installed. We come said to be anonymous when no one (apart from maybe a few to know of a virus only after it has been there for some time on trusted third parties) can say whether two transactions are being the system and has (potentially) done some damage. Instead, carried out by the same user. I will conclude by presenting the basic mathematics underlying the anonymous credential system we must have some pre-emptive protection mechanism that proposed by Camenisch and Lysyanskaya [2] that is actually would not even allow such programs to get installed. Due to used in the above security framework (Trusted Computing) for all these reasons, it is increasing being felt that we need to achieving anonymous attestation. look at other approaches to security. C. Hardware based security & the TCG • Sealed Storage Due to the above reasons, people started looking towards – An application can ensure that no other application hardware based approaches to security. Soon, smart cards can read what it stores were introduced. However, they only provided authetication. – The storage is also platform specific They were largely useless against software based attacks and • Secure IO attacks over the network. After this, the big companies like – The input and output to the applications running in IBM, Intel, Microsoft, HP etc. started thinking about bringing secure mode is guaranteed to be secure. That is, no additional changes to hardware. It soon became apparent that other application can get to know what it is and no unless there was some standardization, there would be no other application can change it. compatibility between the new PC’s and that this would be • Attestation highly inacceptable to most people. Thus, the TCPA (Trusted Computing Platform Alliance) was formed in October 1999 – This is the ability of a system to prove its security by Intel, IBM, Compaq, HP and Microsoft. In April 2003, properties to a remote system. the name of TCPA was changed to TCG (Trusted Computing II. HARDWARE CHANGES REQUIRED Group). The stated goal of this group is to “develop and promote open industry standard specifications for trusted com- The TCG specifications mandate a host of changes in the puting hardware building blocks and software interfaces across PC hardware. These are as follows. multiple platforms, including PC’s, servers, PDA’s, and digital A. Changes in the CPU phones”. This is an open industry association and now has over 40 members. The following changes are needed in a TCG enabled com- The approach taken by this organization is to bring about a puter CPU. host of hardware and software changes. It mandates changes • A new mode flag that enables the CPU to run in both a in the CPU, chipset and IO devices and the introduction of standard mode and a nexus mode. a completely new hardware component - the TPM (Trusted • Support for nexus-mode initialization Platform Module). Along with this, a small secure OS kernel The TCG specifications mandate a new CPU instruction (the nexus in MS terminology) needs to be added. The (the SENTER instruction in Intel terminology). The job applications also need to be changed if they want to take of this instruction is to bring up the nexus and pass advantage of this new secure platform. The normal OS needs control onto it after verifying that it (the nexus) has not just the introduction of a new device driver component. In such been compromised with (ie. the code identity (a hash a system, there would be a parallel operating environment in value) matches with some stored value). This instruction which both the normal OS and this secure OS kernel will run is executed by a program in the normal OS that wants to simultaneously. do some computation or start some application in secure mode. When this instruction comes to the CPU, it must D. Threat model pause execution of all other processes and process this The threat model that the TCG has in mind is as follows. instruction completely (without any context switches). Malicious software can • CPU must be able to context switch between standard • Read Memory / HDD and nexus modes. – Expose secrets • Pages of physical memory are marked as trusted and the CPU should ensure that they are accessible only when • Change Memory the CPU is running in nexus mode – Change values of data or programs • Manipulate input and output B. Changes in the chipset • Can change request for information • It must support page-granular DMA protection in collab- It is important to note that this technology is aimed at oration with the CPU providing protection against software based attacks only. It This means that the pages of memory that are marked does not intend to provide protection against hardware based protected, must not be allowed access by the DMA attacks. controller. • Memory, I/O controller, and bus bridges must follow the E. Major Security Enhancements parameters set by the DMA exclusion vector, which is an The major security enhancements provided by the TCG are in-memory, 1-bit-per-page table entity that may be cached • Strong Process Isolation (Protected Execution) and that ensures that DMA devices do not read or write – The protected operating environment isolates a se- to the secure area of memory cure area of memory (RAM) that is used to process • DMA exclusion vector programming must be under nexus data with higher security requirements control – Even the normal OS can not access this portion of • It must provide memory reset (ie.