
Establishing trust in an updatable fTPM using remote attestation

Supervisor(s): Albert Stark, Johannes Wiesboeck
Status: finished
Topic: Others
Author: Andreas Korb
Submission: 2023-12-15
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Zero Trust is a cybersecurity paradigm in which a network, e.g., an
enterprise network, is considered compromised. Therefore, the device
behind every service request must be verified before the request is
served. This is made possible by remote attestation, which is enabled,
for example, by Trusted Platform Modules (TPMs). To do this, a TPM is
authenticated by retrieving its endorsement certificate, which links the
TPM to its manufacturer. The manufacturer guarantees that the TPM
complies with the TPM specification, which ensures its security
properties. While this approach is sufficient for hardware TPMs, as they
are standalone chips, for firmware TPMs (fTPMs) any preceding firmware
component can compromise the fTPM loaded after it. Therefore, to
establish trust in an fTPM, it must be assumed that its manufacturer is
the same as that of all firmware components booted before it. The
underlying problem is that the verifier in the remote attestation
procedure cannot verify the entire boot chain up to the fTPM. We propose
a remote attestation system that provides the verifier with this
capability. To compensate for the lack of a hardware root of trust in an
fTPM compared to a hardware TPM, we introduce the Device Identifier
Composition Engine (DICE) as the hardware root of trust. The verifier
only needs to trust the manufacturer of DICE, while every firmware
component beyond it is explicitly attested by passing its identity to
the verifier. The three benefits of our solution are that (i) the
manufacturer of the fTPM and the manufacturers of its preceding firmware
components can be independent of each other, (ii) a remote verifier can
detect modification of the fTPM, and (iii) the fTPM's data-at-rest is
protected. DICE measures the first firmware component, and this
measuring step is repeated for each subsequent component up to the fTPM.
These measurements are forwarded to the remote verifier, which can then
detect potentially malicious changes to each measured component. The
fTPM's data-at-rest is protected by binding it to the identity of the
fTPM. This means that the data of an fTPM is only accessible to the fTPM
that created it, as long as its identity does not change, which makes
downgrade attacks and modifications of the fTPM less attractive to
attackers.
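The following Python model is an added illustration of the mechanism described above; it is not code from the thesis, from Fraunhofer AISEC, or from any real DICE or fTPM implementation. It assumes a constructed unique device secret (UDS), three constructed sample firmware images (bootloader, trusted OS, fTPM), SHA-256 as the measurement function, and an HMAC-based key derivation to chain layer identities in the DICE style. It shows how a verifier holding known-good measurements can detect a modified component, and how data sealed to the fTPM's derived identity becomes inaccessible once the fTPM or any component booted before it changes. The sealing routine uses a hash-counter keystream with an HMAC tag as a stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample firmware images standing in for the real components.
BOOT_CHAIN: List[Tuple[str, bytes]] = [
    ("bootloader", b"bootloader 1.0 (constructed sample image)"),
    ("trusted_os", b"trusted OS 2.3 (constructed sample image)"),
    ("ftpm", b"fTPM 0.9 (constructed sample image)"),
]

# Unique Device Secret. In DICE this is a per-device secret held in hardware;
# here it is a constructed constant for the demonstration only.
UDS = hashlib.sha256(b"constructed unique device secret").digest()


def measure(image: bytes) -> bytes:
    """Measurement of a firmware component: a hash of its image."""
    return hashlib.sha256(image).digest()


def derive_cdi(parent_cdi: bytes, measurement: bytes) -> bytes:
    """DICE-style layering (assumed KDF): the next layer's Compound Device
    Identifier is a one-way function of the previous CDI and the next layer's
    measurement, so a change anywhere below the fTPM changes its identity."""
    return hmac.new(parent_cdi, measurement, hashlib.sha256).digest()


def boot(chain: Sequence[Tuple[str, bytes]]) -> Tuple[List[Tuple[str, bytes]], bytes]:
    """Simulate the boot: DICE measures the first component and the measuring
    step is repeated for each following component up to the fTPM. Returns the
    measurement log and the CDI that serves as the fTPM's identity."""
    cdi = UDS
    log: List[Tuple[str, bytes]] = []
    for name, image in chain:
        m = measure(image)
        log.append((name, m))
        cdi = derive_cdi(cdi, m)
    return log, cdi


def golden_values(chain: Sequence[Tuple[str, bytes]]) -> Dict[str, bytes]:
    """Known-good measurements the verifier holds per component (computed here
    from the sample images; in practice supplied by each component's manufacturer)."""
    return {name: measure(image) for name, image in chain}


def verify(log: Sequence[Tuple[str, bytes]], golden: Dict[str, bytes]) -> Dict[str, bool]:
    """Remote verifier: compare every reported measurement with its golden value."""
    return {name: golden.get(name) == m for name, m in log}


def _keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream; a stand-in for a real cipher, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(ftpm_identity: bytes, data: bytes) -> bytes:
    """Bind data-at-rest to the fTPM identity: derive the storage key from the
    CDI, encrypt, and append an HMAC tag so tampering or a wrong key is detected."""
    key = hmac.new(ftpm_identity, b"storage key", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(ftpm_identity: bytes, blob: bytes) -> Optional[bytes]:
    """Return the data only if the identity matches the one that sealed it."""
    key = hmac.new(ftpm_identity, b"storage key", hashlib.sha256).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def tampered(chain: Sequence[Tuple[str, bytes]], name: str, new_image: bytes):
    """Return a copy of the boot chain with one component's image replaced."""
    return [(n, new_image if n == name else img) for n, img in chain]


if __name__ == "__main__":
    golden = golden_values(BOOT_CHAIN)
    log, identity = boot(BOOT_CHAIN)
    print("genuine boot:", verify(log, golden))
    blob = seal(identity, b"fTPM persistent state (constructed)")
    bad_log, bad_identity = boot(tampered(BOOT_CHAIN, "ftpm", b"fTPM 0.9 modified"))
    print("modified fTPM:", verify(bad_log, golden), "unseal ->", unseal(bad_identity, blob))
```

Running the script shows all three components verifying on a genuine boot, while a modified fTPM image both fails verification at the verifier and yields a different identity, so the sealed state cannot be unsealed. Modifying the bootloader has the same effect on the identity, which is why the verifier needs to trust only the DICE manufacturer and not the manufacturers of the later components.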