Skip to main content
This revision made August 30, 2011 18:26, by ronaldtoegl
« earlier revision revert to this later revision »

Trusted Computing Primer

Trusted computing is gaining acceptance as a technology for helping to improve the security of computer systems. In the Trusted Computing approach, security is bootstrapped from a small dedicated piece of secure hardware called the Trusted Platform Module (TPM), whose specification has been developed by the Trusted Computing Group (TCG), an industry consortium. Most of the major computer manufacturers are shipping desktop and notebook computers containing TPM’s, and the market research company IDC has estimated that nearly 100 million TPM-equipped computers will be shipped in 2010 alone.

In 2007, we started the design of a high-level Java API for Trusted Computing, which is proposed as an official Java standard Java Specification Request No. 321 (JSR 321). Our goal in designing this API is to provide a simpler, high-level interface to the TPM while still adhering to the concepts and standards defined by the TCG.

The Java programming environment has seen a broad adoption ranging from large-scale business applications hosted in dedicated data centers to resource constrained environments as found in mobile phones or Personal Digital Assistants (PDAs). This platform independence makes Java an excellent choice for development aiming at heterogeneous environments. In contrast to conventional programming languages such as C or C++, Java is equipped with inherent security features supporting the development of more secure software. Among those features are automatic array-bounds checking, garbage collection and access control mechanisms. Additional aspects that distinguish Java from other environments are code-signing mechanisms and the verification of byte code when it is loaded. Over time, Java has become one of the major development environments for business applications, especially in fields that highly depend on the security and trustworthiness of computer systems, e.g., financial service providers. This commercial business environment is one of those fields where Trusted Computing technologies are expected to see first deployments. Another area of application is network-based software, where Java is a logical choice for highly distributed applications that are deployed in heterogeneous environments. Here also, Trusted Computing is very promising to further improve security as has been demonstrated by a large number of Java-based use cases.

Similar to a smart card, the TPM features cryptographic primitives but it is physically bound to its host device. A tamper-resilient integrated circuit contains implementations for public-key cryptography, key generation, cryptographic hashing, and random-number generation and provides therefore a root of trust. In particular, the TPM implements high-level functionalities such as reporting the current system configuration and providing evidence of the integrity and authenticity of this measurement. This service is also known as Remote Attestation. During the remote attestation process, the TPM receives hashes of several system-state descriptors and stores the hashes in dedicated Platform Configuration Registers (PCRs) located in the TPM. The basic integrity operation of a TPM is as follows. Before executable code is invoked, a hash value of the code is computed and stored in a PCR. Ultimately, if all components from the Basic Input/Output System (BIOS) up to a specific application are measured, the exact configuration of the platform is mapped to PCR values. This property makes it impossible to hide a malicious program on a thus protected computer. If such a system state fulfills the given security or policy requirements, we refer to the system state as a trusted state. The TPM can also bind data to the platform by encrypting it with a non-migratable key, which never leaves the TPM’s protection. An extension to this is sealing, where a key may only be used with a specific PCR configuration. Thus, decryption of sealed data can be restricted to a trusted state of the computer. TPMs also provide a limited amount of non-volatile memory (NV-RAM) to store user- or ownersupplied information. The TPM is capable of signing the current values of the PCRs together with a supplied nonce. This is called the Quote operation, which is the core operation in the Remote Attestation protocol. To protect the platform owner’s privacy, a pseudonym identity is used: an Attestation Identity Key (AIK). The authenticity of an AIK can be certified either by an on-line trusted third party, called PrivacyCA or by applying the group-signature-based DAA scheme, for instance. Then, a remote verifier may analyze the Quote result and decide whether to trust the given configuration or not. The hardware resources of a TPM are manufacturer implementation specific and typically very limited. For instance, the TPM supplies only a few cryptographic key slots and continually swaps keys to and from external storage during operation. The current TPM design establishes the need for a singleton system software component to manage the TPM device resources and arbitrate concurrent accesses. To this end, the TCG specifies an architecture that implements TPM access and management, the TCG Software Stack (TSS) which covers operating system and applications support.

From a software engineering perspective, the TSS specification follows a layered architecture. As the TSS does not include the TPM driver, its lowest layer is the Trusted Device Driver Library (TDDL) which is located in user space and exposes an OS and vendor independent set of functions that allows basic interaction with the TPM. This includes sending commands in the form of byte streams to the TPM and receiving the TPM’s responses. The next layer, the Trusted Core Services (TCS), typically is implemented as a singleton system service or daemon. Command streams are generated by the TCS and sent to the TPM via the TDDL. The TCS is responsible for key management including key creation, management of TPM key slots as well as permanent storage of TPM key material. Keys are assigned a Universally Unique Identifier (UUID) that is used to store and retrieve keys from mass storage. For integrity reporting, the TCS maintains the Stored Measurement Log where all PCR extend operations are recorded. The upper layers of the software stack may access the TCS via proprietary remote procedure calls or the platform-independent Simple Object Access Protocol (SOAP) interface. The SOAP interface is standardized in the form of a Web Service Description Language (WSDL) provided by the TCG. It is the responsibility of the TCS to manage multiple, concurrent requests to the singleton TPM. The TSS Service Provider (TSP) is the component that provides Trusted Computing services to applications. Typically, the TSP is implemented as a shared library that is directly linked to the application. Interaction with the TCS takes place via inter-process communication. The interface of the TSP is not generic but specific to the C programming language.

Trusted Computing requires integration into the Operating System. Recent years have seen successful integration of generic TPM 1.2 hardware drivers into major operating systems such an Windows (Vista and later) and Linux. Several proprietary implementations and one open source implementation IBM's TrouSerS of the TSS in C exist.

Please Confirm