1 / 23

Trusted Computing: Opportunities and Challenges.

Trusted Computing: Opportunities and Challenges. David Grawrock TCG TPM Workgroup Chair. Agenda. Trusted Computing Overview TCG Introduction TCG Technologies Trusted Applications Summary Questions and Answers. Most current security efforts follow a similar progression

perry
Télécharger la présentation

Trusted Computing: Opportunities and Challenges.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trusted Computing: Opportunities and Challenges. David Grawrock TCG TPM Workgroup Chair

  2. Agenda • Trusted Computing Overview • TCG Introduction • TCG Technologies • Trusted Applications • Summary • Questions and Answers

  3. Most current security efforts follow a similar progression Network (intranets, firewalls, VPNs, etc.) Servers (load balancers, HSMs, SSO, web authentication, etc.) Policies & processes (response plans, disaster recovery, etc.) Identity & access (badges, tokens, digital certificates, etc.) Client PC protection is either non-existent or vulnerable Mobile workers operate both inside and outside the firewall Mobile devices (laptops) can easily store business critical information insecurely Risk Management

  4. Today’s Deployments Often Leave Clients Relatively Unprotected Server Network • Highly regulated SW/HW configuration • Controlled physical access (24x7) • Intrusion detection SW • Firewalls • Anti-virus • Network segmentation • Encrypted data • Real-time monitoring • Auditing & analysis tools • Multi-factor user auth. • Configuration monitors • Patch, Configuration, & Policy Control • Encryption (IPSec, SSL) • VPN • Layered firewalls • Intrusion detection SW • 24x7 monitoring • Network segmentation • 802.1x (Radius) • Multi-factor authentication • Domain controllers • Policy management • Configuration monitors Client • Passwords • Anti-virus • User authentication • Patch, Configuration, & Policy Control • Intrusion detection SW Mismatch between security measures and the financial value of data created & stored on clients

  5. User Services Applications System Services Operating System BIOS Firmware PC Hardware Trusted Hardware Trusted Computing – Bottom to Top • Security at any layer can be defeated by accessing the next lower layer • Trusted Computing requires security hardware as the foundation for platform security • Plus security enablement features in each layer

  6. TCG Mission Develop and promote open, vendor-neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms

  7. TCG Structure • TCG is incorporated as a not-for-profit corporation, with international membership • Open membership model • Offers multiple membership levels: Promoters, Contributors, and Adopters • Board of Directors • Promoters and member elected Contributors • Typical not-for-profit bylaws • Industry typical patent policy (Reasonable and Non Discriminatory) for all published specifications • Working Groups

  8. TCG Organization Board of Directors Jim Ward, IBM, President and Chairman, Geoffrey Strongin, AMD, Mark Schiller, HP, David Riss, Intel, Steve Heil, Microsoft, Tom Tahan, Sun, Nicholas Szeto, Sony, Bob Thibadeau, Seagate, Thomas Hardjono, Verisign Technical Committee Graeme Proudler, HP Best Practices Jeff Austin, Intel Advisory Council Invited Participants Administration VTM, Inc. Marketing Workgroup Nancy Sumrall, Intel Public RelationsAnne Price,PR Works TPM Work Group David Grawrock, Intel Conformance WG Manny Novoa, HP Position Key GREEN Box: Elected Officers BLUE Box: Chairs Appointed by Board RED Box: Chairs Nominated by WG, Appointed by Board BLACK Box: Resources Contracted by TCG TSS Work Group David Challener, IBM PC Client WG Monty Wiseman, Intel EventsMarketingSupportVTM, Inc. Infrastructure WG Thomas Hardjono, VerisignNed Smith, Intel Mobile Phone WG Panu Markkanen, Nokia Peripherals WG Colin Walters, Comodo PDA WG Jonathan Tourzan, Sony User Auth WG Laszlo Elteto, SafeNetMark Nesline, RSA Sec. Server Specific WG Larry McMahan, HPMarty Nicholes, HP Hard Copy WG Brian Volkoff, HP (interim) Storage Systems Robert Thibadeau, Seagate

  9. 86 Total Members as of November 3, 2004 7 Promoter, 64 Contributor, 15 Adopter Contributors Motorola Inc. National Semiconductor nCipher Network Associates Nokia NTRU Cryptosystems, Inc. NVIDIA OSA Technologies, Inc Philips Phoenix Pointsec Mobile Technologies Renesas Technology Corp. RSA Security, Inc. SafeNet, Inc. Samsung Electronics Co. SCM Microsystems, Inc. Seagate Technology SignaCert, Inc. Silicon Storage Technology, Inc. Sinosun Technology Co., Ltd. Standard Microsystems Corporation STMicroelectronics Sygate Technologies, Inc. Symantec Symbian Ltd Synaptics Inc. Texas Instruments Transmeta Corporation Trend Micro Utimaco Safeware AG VeriSign, Inc. Vernier Networks VIA Technologies, Inc. Vodafone Group Services LTD Wave Systems Zone Labs, Inc. TCG Membership Contributors Agere Systems ARM ATI Technologies Inc. Atmel AuthenTec, Inc. AVAYA Broadcom Corporation Certicom Corp. Comodo Dell, Inc. Endforce, Inc. Ericsson Mobile Platforms AB Extreme Networks France Telecom Group Fujitsu Limited Fujitsu Siemens Computers Funk Software, Inc. Gemplus Giesecke & Devrient Hitachi, Ltd. Infineon InfoExpress, Inc. iPass Juniper Networks Lenovo Holdings Limited Lexmark International M-Systems Flash Disk Pioneers Meetinghouse Data Communications Promoters AMD Hewlett-Packard IBM Intel Corporation Microsoft Sony Corporation Sun Microsystems, Inc. Adopters Ali Corporation American Megatrends, Inc. Enterasys Networks Foundry Networks Foundstone, Inc Gateway Industrial Technology Research Inst. MCI Nevis Networks, USA Senforce Technologies Silicon Integrated Systems Corp. Softex, Inc. Toshiba Corporation ULi Electronics Inc. Winbond Electronics Corporation

  10. Goals of the TCG Architecture TCG defines mechanisms that • Protect user keys (digital identification) and files (data) • Protect secrets (passwords) • Enable a protected computing environment While… • Ensuringthe user’s control • Protecting user’s privacy Design Goal: Delivering robust security with user control and privacy

  11. TPM Abstract Architecture • Module on the motherboard • Can’t be removed or swapped • Secrets in module can’t be read by HW or SW attackers • Stores Private Keys • Perform the private key operation on board so that private key data never leaves TPM • Hold Platform Measurements • PC measures software, TPM is repository of measurements

  12. TPM The Trusted Platform Module • Enhances many aspects of platform security • Specified by Trusted Computing Group (TCG) • Major functions include • Protected non-volatile storage of platform secrets • Special purpose protected processing • Digital signatures • RSA key generation • Data protection • Spoof-resistant platform authentication capability

  13. TPM PC Market Projection (Source: IDC)

  14. Trusted Computing • Trusted Computing is a concept to protect and strengthen the computing platform against software-based attacks Goals Enable broadly-adoptable security technologies with immediate utility to business users and IT Protectbusiness data and communications against current and future software attacks Deploy in a responsible manner that maintains user privacy, choice and control Provide opportunities for value-added services

  15. Applications and Services Trusted Platform Module Security and Trust Services Trusted Device Eco-System Content Services Communications Transactions Identity PC Consumer Electronics Cell Phones Control Access Control PDA Peripherals Embedded Controllers Attestation Device Administration Key Management Configuration Management

  16. TPM Hardened Applications

  17. Authentication and Federated Identity • Problem: Federated identity systems need strong, multifactor authentication for high value web services • Strength of initial user authentication into networks of federated identity determine the level of trust and non-repudiation for web services • Authentication contexts are defined and communicated by Liberty Alliance, Web Services – Federation, and SAML protocols • Solution: • TPM attestation credentials combined with user PIN/passwords are authenticated through TCG Trusted Third Party server to provide access to Identity Provider servers and then passed to Federation Gateway servers. • Initial strong authentication of user identity is communicated within ‘trust circles’ to other federated identity partners as basis for determining strength of authentication.

  18. Service Provider A TCG Attestation Server WS-Federation User Device w/TPM Identity Provider Service Provider B Federation Gateway Liberty Alliance Logon • Credentials • PIN / PW Identity Federation OASIS - SAML Service Provider C Authentication Context (TCG Strong Authentication) Strong Authentication and Federated Identity

  19. TPM Authentication to VPN • Problem: Only allow VPN access from trusted platforms • Digital certificates used for VPN access are stored in software • Adding hardware level authentication needs to be done with minimal changes to the existing VPN server systems • Solution: • PCs with TPMs store VPN credentials in hardware storage • A TCG Trusted Third Party server generates Attestation Identity Keys which are used to authenticate VPN requests are coming from trusted platforms • VPN and Certificate Servers can easily add support for authentication using digital certificates and AIKs from trusted platforms to control VPN access

  20. 2. Valid Request? 3. Needs Certificate 4. Request AIK key Active Directory 5. Request Certificate using AIK credential TCG Attestation Credential Manager Digital Certificate Server 7. Directory Updated with AIK/Cert 6. AIK Checked for Validity TPM Platforms with a VPN 1. User Request for VPN Access 8. User VPN Session Established VPN Server PC w/ TPM

  21. User Services Applications System Services Operating System BIOS Firmware PC Hardware Trusted Hardware Trusted Computing – Bottom to Top • Security at any layer can be defeated by accessing the next lower layer • Trusted Computing requires security hardware as the foundation for platform security • Plus security enablement features in each layer

  22. TCG Information • For Information on TCG Membership and Programs TCG Administration 5440 SW Westgate Dr., Suite 217 Portland, OR 9722 PH: 503.291.2562 FX: 503.297.1090 admin@trustedcomputinggroup.org www.trustedcomputinggroup.org • For Technical Information & Specification Questions techquestions@trustedcomputinggroup.org

  23. Questions

More Related