Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Autumn 2016 Tolga Acar Josh Benaloh Agenda Hardware crypto devices Smart cards TPMs (v1.2 and v2.0) Hardware Security Modules Authentication Tokens November 29, 2016 Practical Aspects of Modern Cryptography 2 November 29, 2016 Practical Aspects of Modern Cryptography 3

What is a smart card? Long history, invented in the 1970s Integrated Circuit Cards - ICC Initially used for pay phone systems in France Most successful deployment: GSM cell phones Payments: EMV Strong User Authentication. Some examples: National eID programs in Asia and Europe DoD CAC cards November 29, 2016 Practical Aspects of Modern Cryptography 4 Smart Cards ISO/IEC 7810 and 7816 Pin Description VCC

Power supply input RST Reset signal from the interface device, or In combination with an internal reset control circuit (optional) CLK Clock signal (optional used by the card) GND Ground voltage VPP Programming voltage input (deprecated, optional) I/O Serial data I/O

C4 Aux contact. USB devices D+ C8 Aux contact. USB devices D- November 29, 2016 Practical Aspects of Modern Cryptography 5 Smart Cards: typical 256 4KB RAM 8KB 32KB ROM 1KB 32KB EEPROM CPU 8-bit or 16-bit CPU (8051 is common) @ 16MHz 32-bit RISC @ 25 32 MHz Crypto processor: RSA, DES, 3DES, ECC, AES, SHAx Atmel, Infineon, NXP, ST Microelectronics, and many

others November 29, 2016 Practical Aspects of Modern Cryptography 6 Credit Cards with Chip 1974 Chip card description 1977 uP chip card invention 1979 Commercial smart cards 1984 French chip card rollout

1996 EMV 2007 CCPS: Contactless Comm. Protocol Spec. (L1) 2008 Contactless protocol November 29, 2016 Practical Aspects of Modern Cryptography 7 Benefits of smart cards Provides secure storage for private keys & data Tamper resistant Cryptographically secure

Provides two factor authentication Something you have The Card Something you know The PIN (Also referred to as Card Holder Verification- CHV) Programmable cards Ex.: JavaCards, .NET Cards November 29, 2016 Practical Aspects of Modern Cryptography 8 Some Applications Building access User authentication (ID) Banking and finance Mobile communications Pay phone cards E-mail security Transportation

Passports Loyalty programs November 29, 2016 Practical Aspects of Modern Cryptography 9 Possible eID scenarios Work Corp Woodgrove Bank Government Tax Agency Domain Logon Government eID Bank Smartcard Name

Address Submit/sign form Web Banking eID Issuance Email, IM, Abby Smartcard + Reader / PIN pad November 29, 2016 Michael Practical Aspects of Modern Cryptography 10 Smart Card Management System Register/Unregister

Issue Adding/Removing from the system Issuance and personalization for a smart card holder Initialization Deactivation/ Activation Lock/Unlock Revoke Activating for the first use by the card holder Putting the card on hold and re-activating it Card holder access is blocked or unblocked Card credentials are revoked Retire Card holder is disconnected from the card Delete Permanent removal of the card from the system

Backup/Restore November 29, 2016 Backup copy of the credentials on the card, and restore from a backup Practical Aspects of Modern Cryptography 11 Hardware Security Modules Physical computing device in different form factors One or more crypto processors Tamper-resistant Bus snooping prevention Side channel leakage protection Self zeroization and destruction No key export mode FIPS 140 Level 3+ certification SW Interfaces: PKCS#11, Java, CAPI, CNG, and proprietary November 29, 2016 Practical Aspects of Modern Cryptography

12 Why HSM? Compliance requirements FIPS 140 Level 3+ Common Criteria (EAL3+) All crypto keys are locked inside the HSM No cleartext keys outside the HSM Key operations via handles, key usage restrictions High-value keys: significant negative impact from key compromise Object types Asymmetric keys Symmetric keys Certificates Arbitrary data Crypto processing offload TLS accelerators, cryptographic processing offload November 29, 2016 Practical Aspects of Modern Cryptography

13 A Few Use Cases Certificate Authorities: PKI CA private key is generated and stored in the HSM Payments PCI: Payment Card Industry data protection PIN encryption EMV: Card Master Keys, key derivation TLS Crypto processing offload: accelerator Private keys are generated and used in the HSM November 29, 2016 Practical Aspects of Modern Cryptography 14 Net HSM, Security Worlds Network attached HSM, sharable cryptographic resource Multiple HSM devices sharing the same set of keys

Each device has unique HW keys Common security world keys encrypted with device key Encrypted keys are stored in files Security World keys encrypt application keys Encrypted application keys are stored in files Access cards (smart cards) are optionally required Required to add an HSM to a security world Lights-out mode: no PIN, no smart card (accelerator mode) November 29, 2016 Practical Aspects of Modern Cryptography 15 TPM for Crypto TPM based HSM Crypto Hardware

Hardware Security Security Module Module Cost: Security: Deployment: Expensive Moderate Very Secure More Secure Hard Easier Software Crypto No No Hardware Hardware

Inexpensive Moderate (OS-Dependent) Easy Following TPM sections include content from Shon Eizenhoefer, Paul England, David Wooten November 29, 2016 Practical Aspects of Modern Cryptography 16 What Is A Trusted Platform Module (TPM)? Smartcard-like module on the motherboard Protects secrets Performs cryptographic functions RSA, SHA-1/256, RNG, ECC, AES, others Performs digital signature operations Anchors chain of trust for keys and credentials

Protects itself against attacks Holds Platform Measurements (hashes) Can create, store and manage keys TPM 1.2 spec: www.trustedcomputinggroup.org Provides a unique Endorsement Key (EK) Provides a unique Storage Root Key (SRK) November 29, 2016 Practical Aspects of Modern Cryptography 17 TPM v1.2 v2.0 Algorithmic progression SHA-1 showing sign of weakness Shift from RSA to ECC Mutual lack of trust across geographies Need beyond user PCs Server use cases

Too difficult to use (Owner Security, Privacy, Platform) V1.2 and v2.0 are not compatible November 29, 2016 Practical Aspects of Modern Cryptography 18 TPM v1.2 and 2.0 Architecture V1.0 V2.0 Only one Common and platform-specific: mandatory, optional, or banned Cryptographic Required: RSA, SHA-1, MGF1, Algorithms

RNG, DAA, KeyGen Optional: AES, XOR Banned: 3DES Required: SHA-1, SHA-256, RSA, ECC (BN-256, NIST P-256), HMAC, AES128, MGF1, RNG, DAA-ECC, KeyGen, KDF Storage Root Key Multiple keys and algorithms per hierarchy (three of them) November 29, 2016 RSA-2048 with one hierarchy Practical Aspects of Modern Cryptography 19 TPMv2.0 Roots of Trust Elements that must be trusted: malice is not detectable

Measurement (RTM) Integrity relevant information (of CPU) Core Roots of Trust or Measurement is the first set of instructions executed by the CPU when a new trust chain is established (reset) These instructions send identity values to RTS Storage (RTS) Shielded TPM memory (e.g., keys) Reporting (RTR) Reports on RTS contents, i.e., signature over TPM contents PCR: Platform Configuration Registers (Quote) Audit logs Key properties November 29, 2016 Practical Aspects of Modern Cryptography

20 TPMv2.0 Primary Seeds Large random value stored persistently in the TPM Used to generate keys, seeds, and proof values Object Value = KDF(Primary Seed, Parameters) EPS: Endorsement Primary Seed Generate Endorsement Keys (EK) RTR Identity PPS: Platform Primary Seed Hierarchy controlled by platform firmware (not OS) SPS: Storage Primary Seed Hierarchies controlled by the platform owner Generates Storage Root Keys (SRK) for OS/App use November 29, 2016 Practical Aspects of Modern Cryptography 21 TPM v2.0 Crypto Subsystem

Hash functions and HMAC Asymmetric encryption and decryption Asymmetric signing and signature verification Symmetric encryption and decryption CTR, OFB, CBC, CFB, ECB Key generation Key generation from the RNG Primary Key derivation from a seed with a KDF RNG KDF Hash-based (SP800-108 and SP800-56A) HMAC as the PRF November 29, 2016 Practical Aspects of Modern Cryptography 22 TPM RNG RNG consists of Entropy source and collector

Collects entropy and removes bias Collected entropy is used to update the state register State register Input value to the mixing function Mixing function (e.g., a hash function) Typically implemented as a PRNG November 29, 2016 Practical Aspects of Modern Cryptography 23 TPM RNG Entropy Source Entropy

Entropy Random Random Bits Bits Random Random Numbers Numbers TPM2_StirRandom() DRBG RNG November 29, 2016 Practical Aspects of Modern Cryptography 24 TPM Key Features Platform measurements

TPM can measure instruction sequences & store the results in Platform Configuration Registers (PCRs) Encryption TPM can encrypt arbitrary data using TPM keys, or keys protected by TPM keys Sealed Storage TPM can encrypt arbitrary data, using TPM keys or keys protected by TPM keys and under a set of PCR values Data can only be decrypted later under the same PCR configuration Attestation (more later) November 29, 2016 Practical Aspects of Modern Cryptography 25 Sealed Storage Why is Sealed Storage useful? Provides a mechanism for defending against boot-time attacks

Sealed Storage lets a TPM encrypt data to a specific set (or subset) of PCR values Example: Full Volume Encryption (FVE) BitLocker Drive Encryption on Windows November 29, 2016 Practical Aspects of Modern Cryptography 26 Booting w/ TPM measurements PreOS Static OS All Boot Blobs unlocked Volume Blob of Target OS unlocked TPM Init BIOS

MBR BootSector BootBlock BootManager OS Loader November 29, 2016 Practical Aspects of Modern Cryptography Start OS 27 Secure Boot with TPM Where does the public key trust come from? Databases Signature Database and Revoked Signature Database Signers or image hashes (UEFI app/driver, OS Loader) Key Enrollment Key database Database of signing keys to update the signature databases Boot Sequence

Boot manager Anti-Malware Kernel Drivers Initialize User Mode processes November 29, 2016 Practical Aspects of Modern Cryptography 28 Disk Layout And Key Storage OS Volume Contains Encrypted OS Encrypted Page File Encrypted Temp Files Encrypted Data Encrypted Hibernation File Wheres the Encryption Key? 1. SRK (Storage Root Key) contained in TPM 2. SRK encrypts FVEK (Full Volume Encryption Key) protected by TPM/PIN/USB Storage Device

3. FVEK stored (encrypted by SRK) on hard drive in the OS Volume 3 OS Volume System 2 FVEK 1SRK System Volume Contains: MBR, Boot manager, Boot Utilities (Unencrypted, small) November 29, 2016 Practical Aspects of Modern Cryptography 29 TPM Attestation Attestation is an authentication technology But more than simple signing Attestation allows a TPM to sign data and a

set (or subset) of the current PCR values TPM attests to a certain software configuration whatever was measured into those PCR registers is part of its digital signature Quoting November 29, 2016 Practical Aspects of Modern Cryptography 30 TPM Attestation Attestation Attests to Endorsement Certificate Genuine TPM, TPM specification compliance. Asymmetric key embedded in a TPM and a vouching credential

Platform Certificate Contains a Root of Trust for Measurement, genuine TPM Attestation Key Certificate An asymmetric key pair protected in a genuine, but unidentified, TPM Typically relies on Endorsement and Platform Certificates Key Attestation Platform attestation to vouch for a TPM asymmetric key using an attestation key Quote Measurement to vouch for a software/firmware state, typically over a PCR using an attestation-key November 29, 2016

Practical Aspects of Modern Cryptography 31 TPM Management User has a difficult time understanding the TPM controls What is the difference between TPM enable and activate? Security and privacy functions use the same controls Need to take ownership of TPM to use the Storage Root Key but that also enables Endorsement Key operations which are privacy sensitive. PCR sealing model is brittle Makes it difficult to manage keys that rely on PCR values. System updates that change a PCR measurement can be very disruptive.

November 29, 2016 Practical Aspects of Modern Cryptography 32 PCR Brittleness Many configuration changes leading to PCR changes are benign But still result in keys becoming unusable, etc. Sometimes if you plan ahead you can prevent this E.g. seal to a future known good configuration Sometimes we can fix this with smarter external software E.g. extend hashes of authorized signing keys and check certificates November 29, 2016 Practical Aspects of Modern Cryptography

33 Virtualization Sharing a single physical platform among multiple virtual machines (VMs) with complete isolation among VMs Benefits Consolidation of workloads, Fault tolerance, Extensibility, Ease of Management, Better security November 29, 2016 Practical Aspects of Modern Cryptography 35 Virtualization With increasing h/w support, performance degradation is becoming minimal With multi-core, we can envision pervasive adoption Solutions available for server, client, and mobile platforms E.g., virtualized data centers (EC2, Azure)

And, Dilbert running his office VM on home computer November 29, 2016 Practical Aspects of Modern Cryptography 36 Virtual TPM Challenge: physical TPM itself is hard to virtualize By design, TPM resists virtualization TPM emulation Complete s/w emulation, TCG interface: vTPM [Berger06] Para-virtualized TPM sharing [England08] Hypercall interface with Hv as mediator November 29, 2016 Practical Aspects of Modern Cryptography 37

vTPM Service VM Guest 0 vTPM Guest 1 vTPM VMM TPM November 29, 2016 Practical Aspects of Modern Cryptography 38 vTPM Servic e VM Pros

Standard TCG interface High fidelity: full legacy support Vendors can add VM use-cases Migration, suspend/resume, rollback vTP M Gues t VMM TP M Cons Low resistance to physical attack Reduced resistance to software attack Hypervisor is more complex and exposed than TPM embedded OS

Trust model for TPM is complex Hypervisor security model influences vTPM security November 29, 2016 Practical Aspects of Modern Cryptography 39 Para-Virtualized TPM Sharing Guest 0 Guest 1 TPM Access Mediation Guest 0 state VMM Guest 1 state

TPM November 29, 2016 Practical Aspects of Modern Cryptography 40 Para-Virtualized TPM - Attestation Guest 0 Guest 1 HvQuote(TCB, nonce) VPCR1 VPCR1 VPCR0 VPCR0 PcrReset(15) PcrExtend(15,VPCR1) Quote((0,15), nonce)

Resettable PCR TPM PCR1 PCR0 November 29, 2016 Practical Aspects of Modern Cryptography 41

Recently Viewed Presentations

  • Which is the most developed country in Asia?

    Which is the most developed country in Asia?

    Hypothesis - Copy either;The Brandt line is still accurateorThe Brandt line is inaccurate. Choose 4countries from Asia that you want to compare.2 above the Brandt line and 2 below. Choose 3 development indicators you want to compare. 1 social e.g...
  • Bio-REGNET Retrieval of Patent Documents from Heterogeneous Sources

    Bio-REGNET Retrieval of Patent Documents from Heterogeneous Sources

    Patent Validity and Enforcement Questions involves analysis of documents in various domains - World-wide Patents, PTO File Wrappers, Scientific Publications and Court documents. The information is siloed into several diverse information sources. ... Synonym. Recombinant EPO.
  • Drugs & Alcohol

    Drugs & Alcohol

    Main drug categories- Controlled substances. 1. Narcotics/Opioids . 2. Stimulants. 3. Depressants. 4. Hallucinogens . 5. Anabolic Steroids. All controlled substances have abuse potential and are thought to alter mood, thought, and feeling through their actions on the central nervous...
  • BIG TEST ON THUR/FRI! - LBHS Biology
  • Ways to Avoid the Slide!

    Ways to Avoid the Slide!

    Don't Succumb to the Slide in Mathematics! Compiled by Christine Thereault, Math Specialist @ WKMS. Ten Marks. Register up to five students. ... SYMBALOO. Click Here for Link. Additional online resources arranged in an easy to navigate webpage. Author: Thereault,Christine...
  • Demand Deposit SLGS Investment May 17, 2011 Presented

    Demand Deposit SLGS Investment May 17, 2011 Presented

    Good liquidity and potential to earn positive arbitrage if yield curve is flat or inverted. Unique Considerations and Investment Strategies. Useful for periods of less than 30 days when you want to earn interest .
  • Fluid Flow - MTU

    Fluid Flow - MTU

    Viscosity-fluid property that influences the rate of fluid flow under stress. Fluid Flow Pressure, momentum flux and viscosity. Viscosity-fluid property that influences the rate of fluid flow under stress. The viscosity is the ratio between the shear stress and the...
  • The Expert in Tax Education Decedents Final and

    The Expert in Tax Education Decedents Final and

    Final and Fiduciary Returns. Objectives. To address common scenarios that small tax practitioners encounter with decedents' final and fiduciary returns, To provide a quality fact base with ample references, worksheets and examples for the tax professional.