Graeme John Proudler
Hewlett-Packard
Publication
Featured research published by Graeme John Proudler.
New Security Paradigms Workshop | 2001
Boris Balacheff; Liqun Chen; David Plaquin; Graeme John Proudler
This paper describes a method of increasing the trust in open computing platforms, such that a person can have confidence in producing a digital signature using open platforms. The process of using a digital signature to sign a digital document is well understood. Most descriptions assume the correctness of the process of signing a document within a computing platform. In an increasingly connected world, this assumption is no longer true when open computing platforms are used. This paper proposes the signing of a document in a general-purpose computing platform using a trusted process. That trusted process creates a signature over a digital image that represents the document and uses a trusted display controller in the platform plus a smart card owned by the prospective signer. The trusted display controller is part of the video processing path, and can display video data on a monitor without interference or subversion by any software components at the platform. The smart card is able to authenticate the trusted display controller, and demonstrate to the signer the results of that authentication using the trusted display controller. The most unusual aspects of the method are: (1) a thumbnail image is stored in the smart card, and used as a surround or background for an image (on a display) that is to be signed; (2) the smart card signs image data on the authority of the trusted display controller, without direct authorisation from the signer.
Smart Card Research and Advanced Application Conference | 2001
Boris Balacheff; David Chan; Liqun Chen; Siani Pearson; Graeme John Proudler
In [1], Balacheff et al described a new paradigm for smartcard usage called the Intelligent Adjunct model. The current increasing programmability of smartcards and development of the Internet is enabling new flexible and dynamic platforms for electronic commerce and services. In particular, the Intelligent Adjunct model combined with the use of a Trusted Computing Platform enables more flexible and more reliable network-based service development. This paper describes such a method using a hardware-based component in a computing platform to enable the establishment of a trust relationship between a smartcard and the terminal to which it is connected.
Archive | 2014
Graeme John Proudler; Liqun Chen; Chris I. Dalton
Trusted virtualisation is anticipated to become the dominant form of Trusted Computing in PCs and servers because it enables isolation of applications, and simplifies determination of platforms’ trust and security properties. Trusted Computing can enable platforms to provide trusted services such as cryptographic erasure of data, negotiations for the supply of services, single-sign-on, and digital signatures. These provide greater confidence in the use of computer platforms. Nothing is free, however, and Trusted Computing is no exception: it requires a public key infrastructure and other infrastructure that is peculiar to Trusted Computing. This chapter extrapolates existing technologies and trends. It speculates that trusted virtualisation will become the dominant form of Trusted Computing (in PCs, at any rate), describes some potential usages of Trusted Computing, and describes some of the infrastructure that is necessary to make it happen.
2.1 Trusted Virtualisation
It is anticipated that future computers will use trusted virtualisation, to prevent applications attacking other applications. This is because the only known generic way of preventing attacks by software on software is software isolation. If software can’t touch data and the applications that use that data, the software can’t misuse the data or subvert the applications. Future computers will use hypervisors to provide separate OS environments, possibly enhancing separation via execution on separate physical processor cores. Selected data and applications will execute in separate OS environments, so they aren’t affected by what is going on in other OS environments. The hypervisor will control the creation and destruction of the OS environments, and control communications between environments and with other platforms. Trusted platform technology will be used to ensure that secrets belonging to a particular hypervisor are only revealed to that hypervisor.
In some trusted computers, trusted platform technologies will release keys to hypervisors executing in the isolated environment provided by new platform architectures. Other trusted computers will comprise a
Information Security Technical Report | 2000
Boris Balacheff; Liqun Chen; Siani Pearson; Graeme John Proudler; David Chan
In this paper, we start by describing the concerns people have with cyberspace security. This might seem unnecessary to security practitioners, but the number of times the authors experience arguments to the contrary suggests that it would be useful to start by relating concerns expressed in this area. Cyberspace security is indeed in its infancy compared with physical security. A comprehensive programme is urgently needed to make progress in this area. After a brief overview of typical security measures currently in place and their issues, we focus on the main topic of this paper: namely platform security. We describe a particular approach to enhancing platform security that is architecture independent and aims to provide a root of trust on computing platforms.
Archive | 2014
Graeme John Proudler; Liqun Chen; Chris I. Dalton
Direct Anonymous Attestation is TPM2’s method of providing mathematically-proven anonymity or pseudonymity for signing keys in trusted platforms. The simple explanation of how DAA works is that it has a single verification (public) key but a plethora of signing (private) keys. One cannot tell which of many platforms created the signature. This chapter provides a more thorough explanation and enables one to understand (amongst other things) why one can’t tell whether two anonymous DAA signatures were created under the same private key, but can tell whether two pseudonymous DAA signatures were created under the same private key. This chapter is intended for readers with a background or interest in mathematics and/or cryptography.
Archive | 1997
Graeme John Proudler; Iris Harvey
This article describes a protocol designed to secure a connectionless communication channel between a mobile computer and a server. Specifically, the protocol checks that all messages have been delivered in the correct order to the correct destination, and a received message is the message that was sent.
Archive | 2014
Graeme John Proudler; Liqun Chen; Chris I. Dalton
Trusted virtualisation is anticipated to become the dominant form of Trusted Computing in PCs and servers because it enables isolation of applications, and simplifies determination of platforms’ trust and security properties. Trusted Computing can enable platforms to provide trusted services such as cryptographic erasure of data, negotiations for the supply of services, single-sign-on, and digital signatures. These provide greater confidence in the use of computer platforms. Nothing is free, however, and Trusted Computing is no exception: it requires a public key infrastructure and other infrastructure that is peculiar to Trusted Computing.
Archive | 2014
Graeme John Proudler; Liqun Chen; Chris I. Dalton
Trusted Computing is constrained by legacy issues, customer expectations, legal matters, privacy, and disaster recovery. Many aspects of Trusted Computing come as no surprise to anyone versed in the art of information security: one must provide process isolation and can’t avoid certificates, authorisation or authentication; one must provide a good level of security, avoid global secrets, abide by the principle of separation of privilege, and deal with dictionary attacks. On the other hand, Trusted Computing is distinguished by concepts such as Roots of Trust, authenticated platform boot, platform attestation, and privacy-friendly platform identification and platform recognition. All types of trusted platform have a particular trusted platform lifecycle, from design to decommissioning.
Archive | 2014
Graeme John Proudler; Liqun Chen; Chris I. Dalton
This chapter provides some background to the concept of trusted virtualisation because, while virtualisation is not essential when implementing a trusted platform, the authors anticipate that it will become the dominant implementation of Trusted Computing in PCs, if nothing else. The main benefit of virtualisation for Trusted Computing is that it can provide process isolation. This is critical for security because one must be able to prevent a rogue software process from interfering with another software process. Trusted virtualisation depends on a hypervisor running as the lowest layer (most privileged layer) of software. The hypervisor can both use the TPM to protect the hypervisor, and use the TPM to help protect the platform.
Archive | 2014
Graeme John Proudler; Liqun Chen; Chris I. Dalton
Depending on the type of host platform, the customer might be able to configure aspects of TPM2’s behaviour, such as whether a secondary Trusted Computing Base can use the TPM. A customer might be able to customise a TCB to determine whether Trusted Computing is used to protect the customer’s data and/or the customer’s network infrastructure, and the degree of platform anonymity that is provided. In some platforms, customers will be able to store small pieces of data in the TPM’s non-volatile storage, and will be able to add personal TPM endorsements. Customers must always manage the password used to reset the TPM’s response to dictionary attacks, and must customise TPM2 if they change the host platform’s secondary Trusted Computing Base.