trusted computing: opportunities and challenges
Post on 14-Jan-2016
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1
Trusted Computing: Opportunities and Challenges.
David Grawrock
TCG TPM Workgroup Chair
Slide #2
Agenda
• Trusted Computing Overview
• TCG Introduction
• TCG Technologies
• Trusted Applications
• Summary
• Questions and Answers
Slide #3
Risk Management
• Most current security efforts follow a similar progression
– Network (intranets, firewalls, VPNs, etc.)
– Servers (load balancers, HSMs, SSO, web authentication, etc.)
– Policies & processes (response plans, disaster recovery, etc.)
– Identity & access (badges, tokens, digital certificates, etc.)
• Client PC protection is either non-existent or vulnerable
– Mobile workers operate both inside and outside the firewall
– Mobile devices (laptops) can easily store business critical information insecurely
Slide #4
Today’s Deployments Often Leave Clients Relatively Unprotected
Server
• Highly regulated SW/HW configuration
• Controlled physical access (24x7)
• Intrusion detection SW
• Firewalls
• Anti-virus
• Network segmentation
• Encrypted data
• Real-time monitoring
• Auditing & analysis tools
• Multi-factor user auth.
• Configuration monitors
• Patch, Configuration, & Policy Control
Network
• Encryption (IPSec, SSL)
• VPN
• Layered firewalls
• Intrusion detection SW
• 24x7 monitoring
• Network segmentation
• 802.1x (Radius)
• Multi-factor authentication
• Domain controllers
• Policy management
• Configuration monitors
Client
• Passwords
• Anti-virus
• User authentication
• Patch, Configuration, & Policy Control
• Intrusion detection SW
Mismatch between security measures and the financial value of data created & stored on clients
Slide #5
Trusted Computing – Bottom to Top
Trusted Hardware
PC Hardware
BIOS Firmware
Operating System
System Services
Applications
User Services
Security at any layer can be defeated by accessing the next lower layer
Trusted Computing requires security hardware as the foundation for platform security
Plus security enablement features in each layer
Slide #6
TCG Mission
Develop and promote open, vendor-neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms
Slide #7
TCG Structure
• TCG is incorporated as a not-for-profit corporation, with international membership
– Open membership model
• Offers multiple membership levels: Promoters, Contributors, and Adopters
– Board of Directors
• Promoters and member elected Contributors
– Typical not-for-profit bylaws
– Industry typical patent policy (Reasonable and Non Discriminatory) for all published specifications
– Working Groups
Slide #8
TCG Organization
• Marketing Workgroup: Nancy Sumrall, Intel
• Board of Directors: Jim Ward, IBM, President and Chairman; Geoffrey Strongin, AMD; Mark Schiller, HP; David Riss, Intel; Steve Heil, Microsoft; Tom Tahan, Sun; Nicholas Szeto, Sony; Bob Thibadeau, Seagate; Thomas Hardjono, Verisign
• Server Specific WG: Larry McMahan, HP; Marty Nicholes, HP
• User Auth WG: Laszlo Elteto, SafeNet; Mark Nesline, RSA Sec.
• TSS Work Group: David Challener, IBM
• TPM Work Group: David Grawrock, Intel
• Storage Systems: Robert Thibadeau, Seagate
• Administration: VTM, Inc.
• Advisory Council: Invited Participants
• Best Practices: Jeff Austin, Intel
• Technical Committee: Graeme Proudler, HP
• Public Relations: Anne Price, PR Works
• Events Marketing Support: VTM, Inc.
• Peripherals WG: Colin Walters, Comodo
• PDA WG: Jonathan Tourzan, Sony
• PC Client WG: Monty Wiseman, Intel
• Mobile Phone WG: Panu Markkanen, Nokia
• Infrastructure WG: Thomas Hardjono, Verisign; Ned Smith, Intel
• Conformance WG: Manny Novoa, HP
• Hard Copy WG: Brian Volkoff, HP (interim)
Position Key
• GREEN Box: Elected Officers
• BLUE Box: Chairs Appointed by Board
• RED Box: Chairs Nominated by WG, Appointed by Board
• BLACK Box: Resources Contracted by TCG
Slide #9
TCG Membership
86 Total Members as of November 3, 2004
7 Promoter, 64 Contributor, 15 Adopter
Promoters: AMD; Hewlett-Packard; IBM; Intel Corporation; Microsoft; Sony Corporation; Sun Microsystems, Inc.
Contributors: Agere Systems; ARM; ATI Technologies Inc.; Atmel; AuthenTec, Inc.; AVAYA; Broadcom Corporation; Certicom Corp.; Comodo; Dell, Inc.; Endforce, Inc.; Ericsson Mobile Platforms AB; Extreme Networks; France Telecom Group; Fujitsu Limited; Fujitsu Siemens Computers; Funk Software, Inc.; Gemplus; Giesecke & Devrient; Hitachi, Ltd.; Infineon; InfoExpress, Inc.; iPass; Juniper Networks; Lenovo Holdings Limited; Lexmark International; M-Systems Flash Disk Pioneers; Meetinghouse Data Communications; Motorola Inc.; National Semiconductor; nCipher; Network Associates; Nokia; NTRU Cryptosystems, Inc.; NVIDIA; OSA Technologies, Inc; Philips; Phoenix; Pointsec Mobile Technologies; Renesas Technology Corp.; RSA Security, Inc.; SafeNet, Inc.; Samsung Electronics Co.; SCM Microsystems, Inc.; Seagate Technology; SignaCert, Inc.; Silicon Storage Technology, Inc.; Sinosun Technology Co., Ltd.; Standard Microsystems Corporation; STMicroelectronics; Sygate Technologies, Inc.; Symantec; Symbian Ltd; Synaptics Inc.; Texas Instruments; Transmeta Corporation; Trend Micro; Utimaco Safeware AG; VeriSign, Inc.; Vernier Networks; VIA Technologies, Inc.; Vodafone Group Services LTD; Wave Systems; Zone Labs, Inc.
Adopters: Ali Corporation; American Megatrends, Inc.; Enterasys Networks; Foundry Networks; Foundstone, Inc; Gateway; Industrial Technology Research Inst.; MCI; Nevis Networks, USA; Senforce Technologies; Silicon Integrated Systems Corp.; Softex, Inc.; Toshiba Corporation; ULi Electronics Inc.; Winbond Electronics Corporation
Slide #10
Goals of the TCG Architecture
TCG defines mechanisms that
• Protect user keys (digital identification) and files (data)
• Protect secrets (passwords)
• Enable a protected computing environment
While…
• Ensuring the user’s control
• Protecting user’s privacy
Design Goal: Delivering robust security with user control and privacy
Slide #11
TPM Abstract Architecture
• Module on the motherboard
– Can’t be removed or swapped
– Secrets in module can’t be read by HW or SW attackers
• Stores Private Keys
– Perform the private key operation on board so that private key data never leaves TPM
• Hold Platform Measurements
– PC measures software, TPM is repository of measurements
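The "PC measures software, TPM is repository of measurements" split, as an added example that is not part of the original deck: a software model of the hash-chain extend that a TPM 1.2 applies to a Platform Configuration Register (new value = SHA-1 of old value followed by the measurement digest). It goes one step beyond the slide by showing the verifier side as well; the layer names are borrowed from the deck's "Bottom to Top" slide, and the component byte strings and helper names are constructed for illustration.

```python
import hashlib

PCR_RESET = bytes(20)  # a TPM 1.2 PCR holds one SHA-1 digest, all zeros at reset

def extend(pcr, digest):
    """Model of the TPM side: the old value is folded in, never overwritten."""
    return hashlib.sha1(pcr + digest).digest()

def measure_boot(components):
    """Platform side: measure each layer, lowest first; return (pcr, event_log)."""
    pcr, log = PCR_RESET, []
    for name, blob in components:
        digest = hashlib.sha1(blob).digest()  # the PC measures the software
        pcr = extend(pcr, digest)             # the TPM is the repository
        log.append((name, digest))            # the log lives outside the TPM
    return pcr, log

def replay(log):
    """Verifier side: recompute the PCR value an event log claims to produce."""
    pcr = PCR_RESET
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def first_mismatch(log, known_good):
    """Name of the first logged layer whose digest differs from the reference."""
    for name, digest in log:
        if known_good.get(name) != digest:
            return name
    return None

# Constructed sample inputs standing in for real firmware and OS images.
GOOD_BOOT = [("BIOS Firmware", b"bios image v1"),
             ("Operating System", b"os loader v7"),
             ("System Services", b"services v3")]
TAMPERED_BOOT = [GOOD_BOOT[0], ("Operating System", b"os loader v7 (modified)"),
                 GOOD_BOOT[2]]
KNOWN_GOOD = {name: hashlib.sha1(blob).digest() for name, blob in GOOD_BOOT}

if __name__ == "__main__":
    good_pcr, good_log = measure_boot(GOOD_BOOT)
    bad_pcr, bad_log = measure_boot(TAMPERED_BOOT)
    print("clean boot PCR   :", good_pcr.hex())
    print("tampered boot PCR:", bad_pcr.hex())
    print("first mismatch   :", first_mismatch(bad_log, KNOWN_GOOD))
    # A log rewritten to look clean no longer replays to the value the TPM holds.
    print("forged log caught:", replay(good_log) != bad_pcr)
```

Because each value depends on every earlier one, a change in a lower layer alters the final register even when the layers above it are untouched, and the event log is only trusted once it replays to the value held by the TPM.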
Slide #12
The Trusted Platform Module
• Enhances many aspects of platform security
– Specified by Trusted Computing Group (TCG)
• Major functions include
– Protected non-volatile storage of platform secrets
– Special purpose protected processing
• Digital signatures
• RSA key generation
• Data protection
– Spoof-resistant platform authentication capability
Slide #13
TPM PC Market Projection
[Chart: worldwide PCs shipped, in millions, by year]
Year: 2003, 2004, 2005, 2006, 2007
Total PCs Shipped: 152, 170, 187, 202, 217
TPM-Enabled PCs Shipped: 4, 35, 60, 115, 175
(Source: IDC)
Slide #14
Trusted Computing
• Trusted Computing is a concept to protect and strengthen the computing platform against software-based attacks
Goals
• Protect business data and communications against current and future software attacks
• Provide opportunities for value-added services
• Enable broadly-adoptable security technologies with immediate utility to business users and IT
• Deploy in a responsible manner that maintains user privacy, choice and control
Slide #15
Trusted Device Eco-System
[Diagram labels]
• Trusted Platform Module
• Security and Trust Services
• Applications and Services
• Devices: Cell Phones, PC, PDA, Peripherals, Consumer Electronics, Embedded Controllers
• Other labels: Communications, Transactions, Identity, Device Administration, Control, Content Services, Access Control, Key Management, Attestation, Configuration Management
Slide #16
TPM Hardened Applications
Type Description
File/Folder Encryption
• Keys protected by TPM
• E.g. Wave*, Softex*, IBM*, HP*, Infineon*, Information Security Corp.*
Client-based Single Logon
• Username/Password auto fill. User only has to remember one password. TPM app lets user register other passwords and automatically fills them in when password dialog is presented.
• E.g. Softex*, Wave*, IBM*, Cognizance*
Protected Information Repository
• Use TPM wrapping/sealing capability to protect sensitive information like credit cards, account numbers, or even biometric templates.
• Some with auto form filling capabilities
• E.g. Wave*, IBM*, Softex*
E-mail Integration
• Encryption, Signature schemes supporting MS-CAPI or PKCS#11
• E.g. Outlook*, Netscape*, Information Security Corp.*
Digital Signature
• Digital signature application to E-mail, Adobe’s PDF files, e-purchasing, etc.
• E.g. Microsoft*, Adobe*, Netscape*
Enterprise Logon
• Platform authentication using TPM
• E.g. Cognizance*, Wave Trust Server*
Remote Access
• Remote access credentials are protected by the TPM. Can be used for VPN, Wireless 802.1x and similar type authentications.
• E.g. SecurID*, Checkpoint VPN-1 SecureClient*
Hardened PKI
• Protect & Manage Certificate Authority issued credentials using TPM
• E.g. VeriSign PTA*, Checkpoint*, RSA*
Slide #17
Authentication and Federated Identity
• Problem: Federated identity systems need strong, multifactor authentication for high value web services
– Strength of initial user authentication into networks of federated identity determines the level of trust and non-repudiation for web services
– Authentication contexts are defined and communicated by Liberty Alliance, Web Services – Federation, and SAML protocols
• Solution:
– TPM attestation credentials combined with user PIN/passwords are authenticated through TCG Trusted Third Party server to provide access to Identity Provider servers and then passed to Federation Gateway servers.
– Initial strong authentication of user identity is communicated within ‘trust circles’ to other federated identity partners as basis for determining strength of authentication.
Slide #18
Strong Authentication and Federated Identity
[Diagram labels]
• User Device w/TPM: Logon (Credentials, PIN / PW)
• TCG Attestation Server
• Identity Provider
• Authentication Context (TCG Strong Authentication)
• Federation Gateway
• Identity Federation: Liberty Alliance, WS-Federation, OASIS - SAML
• Service Provider A, Service Provider B, Service Provider C
Slide #19
TPM Authentication to VPN
• Problem: Only allow VPN access from trusted platforms
– Digital certificates used for VPN access are stored in software
– Adding hardware level authentication needs to be done with minimal changes to the existing VPN server systems
• Solution:
– PCs with TPMs store VPN credentials in hardware storage
– A TCG Trusted Third Party server generates Attestation Identity Keys which are used to authenticate that VPN requests are coming from trusted platforms
– VPN and Certificate Servers can easily add support for authentication using digital certificates and AIKs from trusted platforms to control VPN access
Slide #20
TPM Platforms with a VPN
[Diagram: PC w/ TPM, VPN Server, Active Directory, TCG Attestation Credential Manager, Digital Certificate Server]
1. User Request for VPN Access
2. Valid Request?
3. Needs Certificate
4. Request AIK key
5. Request Certificate using AIK credential
6. AIK Checked for Validity
7. Directory Updated with AIK/Cert
8. User VPN Session Established
Slide #21
Trusted Computing – Bottom to Top
Trusted Hardware
PC Hardware
BIOS Firmware
Operating System
System Services
Applications
User Services
Security at any layer can be defeated by accessing the next lower layer
Trusted Computing requires security hardware as the foundation for platform security
Plus security enablement features in each layer
Slide #22
TCG Information
• For Information on TCG Membership and Programs
TCG Administration
5440 SW Westgate Dr., Suite 217
Portland, OR 9722
PH: 503.291.2562 FX: 503.297.1090
admin@trustedcomputinggroup.org
www.trustedcomputinggroup.org
• For Technical Information & Specification Questions
techquestions@trustedcomputinggroup.org
Slide #23
Questions