
2ND INTERNATIONAL CONFERENCE ON CONSUMER ELECTRONICS, COMMUNICATIONS AND NETWORKS, YEAR 2012

A Security-Enhanced Key Authorization Management Scheme for Trusted Computing Platform


Song Cheng, Li Jing, Peng Weiping, Tian Xinji
School of Computing Science and Technology, Henan Polytechnic University, Jiaozuo, Henan, China
songcheng@hpu.edu.cn

Abstract: Secure storage is one of the important functionalities of a trusted computing platform, and key management is one of the important technologies in secure storage. The existing trusted key authorization management mechanism for the Trusted Computing Platform has a key synchronization problem. To solve it, we propose a security-enhanced trusted key authorization management scheme. The new scheme effectively enhances the trust and security of trusted storage by adding child key information to the parent key.

Keywords: Trusted Computing Platform; Key Synchronization; Trusted Storage; Authorization Data

I. INTRODUCTION

As network and computer technology spreads into every corner of our lives, the internet has become an important part of them, but network security issues are emerging in the internet field. The traditional information security measures include firewalls, Intrusion Detection Systems (IDS) and anti-virus software. They are all passive defense technologies for ensuring network security. To overcome their shortcomings and deficiencies, trusted computing, which is an active defense technology, has been proposed and widely studied. In both industry and academia, trusted computing [1] remains a topic of active research in the field of information security. Trusted computing technology includes secure storage, identity attestation, and trusted platform remote integrity measurement, storage and reporting. The secure storage technology has been widely recognized and used in the trusted computing field. Among the three core functionalities of a trusted computing platform (secure storage, identity attestation, and trusted platform remote integrity measurement, storage and reporting), secure storage is relatively more mature than the other two. Key management is the core technology of secure storage, so the secure storage technology of a trusted computing platform comes down to key management technology. That is to say, the security of the keys decides the trust of the secure storage technology. Although some key management schemes for trusted computing platforms have been proposed, some of the existing schemes ignore the key synchronization problem and some are infeasible to implement. To address the key synchronization problem and enhance the trust and security of trusted storage, we propose a security-enhanced trusted key authorization management scheme, the basic idea of which is to add child key information to the parent key.

The rest of this paper is organized as follows. In Section 2 we introduce trusted computing and the secure storage management mechanism for the trusted computing platform. Section 3 introduces the existing schemes and analyzes their advantages and disadvantages. Section 4 describes the security-enhanced trusted key authorization management mechanism that we present. We discuss the security and feasibility of the improved scheme in Section 5. Finally, future work and conclusions are presented in Section 6.

II. SECURE STORAGE MECHANISM FOR TRUSTED COMPUTING PLATFORM

A. Trusted Computing

The Trusted Computing Platform Alliance (TCPA) was formed in October 1999 by Compaq, HP, IBM, Intel and Microsoft. In 2003, TCPA was renamed the Trusted Computing Group (TCG). The Trusted Computing Group (TCG) [1] is a non-for-profit organization that defines open standards for hardware-enabled trusted computing and security technologies across disparate computing platforms. A core component of the specification issued by the TCG is the Trusted Platform Module (TPM) [2]. The TPM is viewed as functionally equivalent to a high-end smart card. Usually the TPM is a small chip soldered to the motherboard [3].

The major components of the TPM are shown in Fig. 1 [2]; they include I/O, execution engine, volatile memory, opt-in, HMAC engine, key generation, non-volatile memory, RNG, SHA-1 engine, power detection and cryptographic co-processor. Every TPM has at least 4 concurrent monotonic counters, which provide an ever-incrementing value. The value in the counters is not reset when the platform powers off or restarts. The TPM is in effect a chip that provides cryptographic operations and storage. The TPM specification is defined by the TCG. Unlike traditional security technology, trusted computing defends against all kinds of attacks from the terminal by combining software and hardware. The idea of trusted computing is to turn a computing platform into a trusted one, and thereby improve the security of the terminal system, by embedding a secure chip (usually called the Trusted Platform Module, TPM) in the hardware platform.

[Figure 1 components: I/O, Execution Engine, Non-Volatile Memory, RNG, SHA-1 Engine, Power Detection, Cryptographic Co-processor, Volatile Memory, Opt-In, HMAC Engine, Key Generation]

Figure 1. TPM Component Architecture

978-1-4577-1415-3/12/$26.00 2012 IEEE


A Trusted Computing Platform (TCP) is a computing platform that contains a TPM and the matching trusted software (Trusted Software Stack, TSS) [4]. Together they realize the functionalities of the computing platform, such as secure storage, identity attestation, cryptographic operations, and platform remote integrity measurement, storage and reporting. The goal of the TCP is to ensure the trust of the whole platform by establishing a chain of trust that starts from a root of trust (Core Root of Trust for Measurement, CRTM), and then to ensure the trust of the entire internet. For example, in a trusted computing platform, the BIOS trusts the root of trust, the Operating System (OS) trusts the BIOS, the upper application trusts the OS, and so the whole system is trusted; finally, the entire internet becomes trusted.

B. Secure Storage Management Mechanism for Trusted Computing Platform

In the TCG specification TPM Main, Part 1 [2], the storage hierarchy of the key management mechanism is illustrated as in Fig. 2. For a combination of reasons, all keys except the Storage Root Key (SRK) and the Endorsement Key (EK) are stored outside the TPM. The SRK is a 2048-bit RSA public/private key pair that is created whenever a new owner is established. The SRK is located at the top level of the hierarchy and is never exported from the TPM. The EK is a 2048-bit RSA public/private key pair that is created randomly in the chip at manufacture. The external storage is addressed using the key hierarchy shown in Fig. 2. All objects in the external mass-storage device are directly or indirectly protected by the SRK. Whenever a protected object is exported from the TPM, its private part (AuthData and PrivKey [6], in the curve shown in Fig. 2) is encrypted using the public key of the parent object. Its public part is in the rectangle. The storage keys are used to protect other keys or data, so they form the nodes of the protected storage object hierarchy, while the protected data and signing keys are always leaves.

Between the TPM and the external storage space there is a key management system (Key Cache Management, KCM), which is a part of the TSS. In the external storage space, every node is a TPM key object (TPM identity key, TPM storage key or TPM signing key). They all have the same data structure, which includes the TPM key flag ID, the corresponding public key, the ciphertext block (AuthData and PrivKey) and so on. The AuthData is the shared secret between the TPM and the owner of the object. In the trusted computing platform, if a user wants to use an external TPM key object, the object must first be loaded into the TPM and decrypted by its parent key object. Even after the key is loaded into the TPM, the user still cannot operate the key object. One more check remains before the key can be used: the user must input the matching shared secret (AuthData), or else the user is refused. That is to say, the AuthData is the access right that allows users to use the corresponding key object.

III. RELATED WORKS

From the introduction to the TCG key hierarchy management system for the trusted computing platform in Section 2.2, we can see that the private part of the key pair and the corresponding authorization data are stored secretly in the key object node as a whole, encrypted with the parent key. Whether a user is authorized to operate the key depends entirely on whether the externally provided authorization value matches the AuthData in the key object. Under this circumstance there is a key synchronization problem. If the owner of a key object becomes aware that the AuthData is insecure and wants to update it, the corresponding original key node should fall into disuse. However, if an attacker can obtain the original key node and knows the old AuthData, he can still be authorized to operate the key as if he were the owner of the key object. So there is a potential security problem in the TCG key hierarchy authorization management system.

In [7], Zhang Xing et al. identify the key synchronization problem in the TCG key hierarchy authorization management system. To solve it, they present a new AuthData management scheme. Although the improved scheme overcomes the key synchronization problem mentioned above and improves the existing TCG key hierarchy authorization management scheme to some degree, some of its techniques are complex to implement. Firstly, in this scheme the AuthData list, which is composed of the AuthData of all keys, is encrypted with the SRK. The SRK is based on the RSA public key cryptosystem and its efficiency is relatively low. What's more, as the number of key objects grows, the length of the AuthData list also increases. Secondly, when a user wants to add a TPM key object or update the AuthData of a TPM key, the AuthData list must be decrypted, reconstructed and re-encrypted in the TPM. Thirdly, the large list is also not suited to encryption and decryption in the TPM because there isn't enough space.

[Figure 2: the TPM (holding SRK and EK), the Key Cache Manager (KCM), and mass storage containing TPM storage keys ID1 and ID3 to ID7, TPM identity key ID2, and TPM signing keys ID8 and ID9; each key object consists of AuthData, PubKey and PrivKey.]

Figure 2. Protected storage object hierarchy


IV. SECURITY-ENHANCED TRUSTED KEY AUTHORIZATION MANAGEMENT MECHANISM

A. Security-enhanced Trusted Key Management Scheme

In order to effectively solve the key synchronization problem in the TCP key management mechanism, we propose a security-enhanced trusted key authorization management mechanism. The main idea is that a data item (child key information) is added to the parent key object node. The improved key hierarchy authorization management is shown in Fig. 3.

[Figure 3: the hierarchy of Fig. 2 (TPM with SRK and EK, Key Cache Manager (KCM), mass storage with key objects ID1 to ID9), in which each parent node additionally carries the key information of its child keys (entries for key ID1 through key ID9).]

Figure 3. Protected storage object hierarchy based on timestamp

When a user creates a new TPM key object, the KCM first performs all actions as before, and then the TPM computes the key information and stores it in the parent key object node. When a user wants to update the AuthData of a key object, once he has been authorized to operate the key object he inputs the new AuthData in place of the old one, and the TPM then recomputes the key information. Finally the TPM stores the information in the parent key node in place of the old information. When an owner wants to use his key object, he first inputs the key AuthData; the TPM then validates the AuthData, computes the key information, and determines whether the user has the right to operate the key.

B. Key Creating Flows

When a user wants to create a key object, the detailed flow is as follows:

Step1: The user calls the command TPM_CreateWrapKey [8].

Step2: The TPM validates the AuthData to use the key pointed to by parentHandle [8].

Step3: The KCM validates the relevant parameters and creates the relevant information (KeyInfo) [8].

Step4: The TPM generates an asymmetric key according to the algorithm information in KeyInfo.

Step5: The user inputs the AuthData, which is filled in the wrappedKey structure; the TPM computes the key information Hash(ID, AuthData) and fills in the information in the parent key structure. In the parameters, ID is the new key's identity and AuthData is the new key's authorization value.

Step6: The parent key encrypts the private portions of the wrappedKey structure.

Step7: Return the newly generated key in the wrappedKey parameter.

C. Key AuthData Update Flows

When a user wants to update the AuthData of a key, the detailed flow is as follows. Assume the target object has been loaded into the TPM.

Step1: The user inputs the AuthData of the target object.

Step2: After the TPM receives the inputted key AuthData, it judges whether the inputted AuthData matches the AuthData in the private portions of the target wrappedKey structure, then computes the key information Hash(ID, AuthData) and verifies whether it matches the corresponding key information in the parent key structure. If both checks succeed, execute the next step; otherwise, halt.

Step3: The user calls the command TPM_ChangeAuth and inputs the new AuthData.

Step4: The TPM fills the new AuthData in the target key structure in place of the old AuthData, computes the key information Hash(ID, newAuthData), and fills this information in the parent key structure in place of the old information.

Step5: The parent key encrypts the private portions of the target wrappedKey structure.

V. DISCUSSION
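The creation, update and use checks of Section IV, modelled in Python as an added example (not code from the paper or from any TPM or TSS implementation). SHA-1, the ID||AuthData encoding and all function names are assumptions, and the parent-key encryption of the blob is omitted: a `KeyBlob` stands for the private portion after the TPM has decrypted it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def key_info(key_id: str, auth: bytes) -> bytes:
    """Hash(ID, AuthData); SHA-1 and this encoding are assumptions."""
    return hashlib.sha1(key_id.encode() + b"\x00" + auth).digest()

@dataclass
class KeyBlob:
    """Private portion of a wrappedKey after decryption by its parent."""
    key_id: str
    auth: bytes
    children: dict = field(default_factory=dict)  # child ID -> Hash(ID, AuthData)

def create_key(parent: KeyBlob, key_id: str, auth: bytes) -> KeyBlob:
    """Key creation Step5: record the child's key information in the parent."""
    parent.children[key_id] = key_info(key_id, auth)
    return KeyBlob(key_id, auth)

def authorize_tcg(blob: KeyBlob, supplied: bytes) -> bool:
    """Baseline check: supplied AuthData only has to match the loaded blob."""
    return hmac.compare_digest(blob.auth, supplied)

def authorize_enhanced(parent: KeyBlob, blob: KeyBlob, supplied: bytes) -> bool:
    """Scheme's check: blob match AND Hash(ID, AuthData) match in the parent."""
    recorded = parent.children.get(blob.key_id, b"")
    return authorize_tcg(blob, supplied) and hmac.compare_digest(
        recorded, key_info(blob.key_id, supplied))

def change_auth(parent: KeyBlob, blob: KeyBlob, old: bytes, new: bytes) -> KeyBlob:
    """Update flow: verify the old AuthData, then replace it and the parent record."""
    if not authorize_enhanced(parent, blob, old):
        raise PermissionError("AuthData rejected")
    parent.children[blob.key_id] = key_info(blob.key_id, new)
    return KeyBlob(blob.key_id, new, blob.children)

def demo() -> dict:
    srk = KeyBlob("SRK", b"owner-secret")         # constructed sample values
    stale = create_key(srk, "ID1", b"old-auth")   # copy left on mass storage
    fresh = change_auth(srk, stale, b"old-auth", b"new-auth")
    return {
        "tcg_accepts_stale": authorize_tcg(stale, b"old-auth"),
        "enhanced_accepts_stale": authorize_enhanced(srk, stale, b"old-auth"),
        "enhanced_accepts_fresh": authorize_enhanced(srk, fresh, b"new-auth"),
    }

if __name__ == "__main__":
    print(demo())
```

The discarded blob still passes the blob-only comparison, which is the synchronization problem; it fails once the parent's recorded key information is part of the decision.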

A. Security

When a user wants to use a key object, he first inputs the corresponding key AuthData; the TCP then not only attests the inputted AuthData but also computes the information Hash(ID, AuthData) and verifies whether it matches the corresponding key information in the parent key structure. In our scheme, even if an attacker owns a discarded key object and knows the corresponding key AuthData, he will not be authorized to use the key object. The reason is that once the AuthData is updated, new information Hash(ID, AuthData) is created, and the Hash(ID, AuthData) that the TPM computes cannot match the corresponding key information in the parent key structure.

B. Feasibility

Our scheme is absolutely feasible in the two aspects of hardware and software. Firstly, we do not need to change the hardware (the TPM chip) to make it match the scheme, because the existing commands meet the scheme's needs completely. Secondly, though the existing TCG Software Stack (TSS) specification version 1.2 [4] doesn't support our scheme, a slight modification to the TSS specification can solve this problem. We simply extend the existing KCM and add a data item (child key information) to the key structure.

VI. CONCLUSION AND FURTHER WORK

In this paper we first describe the secure storage management mechanism for the trusted computing platform and then analyze the existing schemes and their disadvantages. Aimed at the problems of the existing schemes, a security-enhanced trusted key authorization management mechanism is proposed. Our scheme can effectively solve the key synchronization problem and the disadvantages of the existing schemes, so the trust and security of trusted storage is further enhanced. In hardware, we need not modify the forthcoming TPM specification because the existing interfaces of the TPM can meet the needs. In software, a slight modification to the TSS specification can meet the requirements of our scheme. We conclude that our scheme is secure and feasible in theory. In the future, we plan to establish the platform, extend the KCM, and debug and implement our scheme in the lab.

REFERENCES

[1] TCG: TCG Specification Architecture Overview. TCG Specification Version 1.2, The Trusted Computing Group (TCG), Portland, Oregon, USA (April 2003).
[2] TCG: TPM Main, Part 1: Design Principles. TCG Specification Version 1.2 Revision 94, The Trusted Computing Group (TCG), Portland, Oregon, USA (March 2006).
[3] TCG. Design, Implementation, and Usage Principles Version 2.0. December 2005.
[4] Trusted Computing Group, TCG Software Stack (TSS) Specification, Version 1.2, January 6, 2006.
[5] Balacheff Boris, Chen Liqun, Pearson Siani, Plaquin David, and Proudler Graeme. Trusted Computing Platforms: TCPA Technology in Context. Prentice-Hall, 2003.
[6] TCG: TPM Main, Part 2: TPM Data Structures. TCG Specification Version 1.2 Revision 94, The Trusted Computing Group (TCG), Portland, Oregon, USA (March 2006).
[7] Zhang Xing, Zhang Xiaofei, Liu Yi and Shen Changxiang. A New AuthData Management Scheme. Journal of Wuhan University (Natural Science Edition). Vol. 53(5), pp. 518-522, Oct. 2007.
[8] TCG: TPM Main, Part 3: Commands. TCG Specification Version 1.2 Revision 94, The Trusted Computing Group (TCG), Portland, Oregon, USA (March 2006).
