futuretpm · activity tracking: to increase the trust of users of cloud-based activity tracking...
TRANSCRIPT
FutureTPMFuture Proofing the Connected World:
A Quantum-Resistant Trusted Platform Module
FutureTPM will design an innovativeportfolio of high security QRalgorithms for security primitives,such as:
• Key Agreement• Encryption• Signature• Cryptographic Hashing• Message Authentication Code• Direct Anonymous Attestation
Mission
The FutureTPM project is aimed atdesigning and developing aQuantum-Resistant (QR) TrustedPlatform Module (TPM).
Contact Information
Web: https://futuretpm.eu/Email: [email protected] Coordinator: TechnikonScientific Lead: University of Surrey& Technical University of Denmark
Use Cases
Online Banking: to isolatethe e-payment process in amore protected context toprovide enhanced security
Main Goals
Secure QR CryptographicAlgorithms for the TPM
Activity Tracking: toincrease the trust of users ofcloud-based activity trackingservices
Device Management: toprotect keys on routers,mobile devices, and IoT
Standardisation
Planned outcomes include thedevelopment of standardisationproposals to push the state of theart in cryptography and the TPM.
Approach
This project has received funding from the EuropeanUnion’s Horizon 2020 research and innovationprogramme under grant agreement No 779391.
This will enable FutureTPM systemsto generate a secure root of trustfor a wide range of ICT services.
They will involve the technicalcommittees of relevant standardsbodies: ISO, IEC, ETSI and the TCG.
This will allow long-term security,privacy and operational assurancefor future ICT systems and services.
Implementation of Hardware,Software, and Virtual TPM
Run-Time Risk Assessmentand Vulnerability Analysis
Design Validation usingFormal Security Analysis
Network Device Management – Use Case Overview
Problem: Network device management solutions face trust-related issues:• Weak device identification• Device integrity not considered for management• Long lifetimes (10y+) make devices vulnerable to quantum computer attacks
Solution: Enhance device management with Trusted Computing:• Strong device identification (based on the QR TPM)• Frequent but lightweight remote attestation (trusted channels)• Network-wide routing policies based on trust state
Benefit: Increase the security of network infrastructure:• Only legitimate devices can access the network• Reduces the risk of leaks or tampering of user data• Shorter time to detect attacks acts as deterrent
3: routing policy =f(statistics, trust)
Router
Router
NMS
Router
Router
1: <- query status2: -> statistics4: <- modify routing table
1: <- query status2: -> statistics
1: <- query status2: -> statistics
1: <- query status2: -> statistics4: <- modify routing table
Trusted control channels
Fallback data path
Preferred data path
attacker
NetworkManager
systemd
mutable file
mutable filemutable file
malware
attacker
detection/protectionbarrier
Trusted Computing Base (TCB)
sshd
Telecom operatornetwork
1. Build and sign software
2. GenerateTPM key3. Request cert4. Retrieve image signature
Infrastructure management zone Device zone
7. Establish trusted TLS channel
Certificate Authority
NMS
Device (e.g. router)
6. Send certificate5. Verify &sign cert
Vendor premises
Comprehensive Integrity Verification (CIV)
• Relies on Trusted Computing and Integrity Measurement Architecture (IMA) to monitor device integrity
• Trusted channels with implicit remote attestation based on key usage• Covers risks coming from dynamic data and process interactions
• Aims at simple integration into products through TLS-based trusted channels
Current Progress
• Technical and Security Requirements and the Reference Architecture – complete• Design and development of set of QR cryptographic primitives to be
implemented in the various TPM environments – early release• TPM Security modeling, Risk assessment, Vulnerability analysis - early release
• 1st FutureTPM Workshop on Quantum-Resistant Crypto Algorithms, Oct 2018• 1st Workshop on Cyber-Security Arms Race (CYSARM) - cysarm.org, Nov 2019• Current deliverables and publications can be found on futuretpm.eu• CIV partial release available on github.com/euleros
Dissemination of Results