LaMacchia of Microsoft presented Palladium. Barrows, DeNeui, and Nigam scribed the notes on
TCPA. Chen, Robson, Saunders, and Walsh scribed the notes on Palladium. Slides from both
speakers are available on the 6.857 Web site.
with the security of a platform, to reduce the business risks associated with storing data insecurely, and
to protect end-user private data.
behave in an expected manner (maybe based on past performance)? Can I have confidence in
interacting with the platform? Can I trust you (the user) to be what you say you are?
wonder if TCPA is a conspiracy, a prelude to the apocalypse, and the end of free computing. Some
skeptics question how TCPA will know when the end has been reached, and wonder whether this is the
start of a slippery slope towards 'Big Brother' baked into the computer. Joe Pato said that his lecture
would demonstrate that TCPA is none of these.
Microsoft. Currently the group has 180 members from the hardware, software, communications,
and security technology industries. The group is focused on defining and advancing the concept
of trusted computing. Competition in the security space and the need for cheap cryptography
prompted creation of the group. The companies also needed to bypass crypto export regulations,
and so wanted to work towards this goal together with other players in the field.
provided by a platform's root of trust. A root of trust must be able to report on software that has
been executed, and must be able to keep secrets from the rest of the platform. There are two roots
of trust (the TPM and the CRTM, described below), and both must be trusted for any TCPA mechanism
to be relied upon.
functions and storage are isolated from all other components of the platform. The TPM is tamper
resistant and tamper evident. It contains a pseudo-random number generator (PRNG), protected key
storage, and a small set of cryptographic primitives. However, there is no bulk (symmetric)
cryptography built into the TPM; bulk encryption is left to the host CPU, using keys the TPM protects.
to properly report to the TPM what software executes after it. The CRTM hashes the BIOS and reports
the hash to the TPM, the TPM records it, and the CRTM then passes control to the BIOS. The BIOS in
turn hashes the various ROMs involved in bootup (e.g. option ROMs and the OS loader), the TPM
records these hashes, and only then does the BIOS load and execute them. Each stage thus measures
the next before handing over control to it.
boot chains and gauge whether the boot sequence has been tampered with.
attestation identities do not contain any owner- or user-related information. A platform identity
attests to platform properties. No single TPM identity is ever used to digitally sign all data (many
pseudonymous identities are used instead); this provides privacy protection. Each TPM identity must be
certified, attesting that it identifies a genuine TCPA platform. The TPM identity creation protocol
allows a different Certification Authority (Privacy-CA) to be chosen to certify each TPM identity, so
that a TPM's identities cannot be correlated with one another.
to the TPM during (and after) the boot process cannot be removed or deleted until reboot. Recording
each step of the boot process in the TPM's hash vector ensures that no code can execute on the
platform without leaving a trace. The TPM signs the integrity report with an attestation identity. The
recipient of the integrity information can evaluate its trustworthiness based on the certificate of
that attestation identity.
keys can be created that are protected by the TPM. Data can be encrypted using the TPM and can
only be decrypted by this same TPM. Additionally, the root TPM key can be used to create a
hierarchy of sealed keys, of which only the root key lives in the TPM while the others live (encrypted
under their parent key) on the hard drive. This lets the user derive new keys from the original TPM
key without the TPM's own public key ever being released. Keys in this hierarchy can be migratable
or non-migratable, depending on how they are created by the software/OS or by the manufacturer.
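The measurement chain described above (the CRTM measures the BIOS, the BIOS measures the ROMs and OS loader, each measurement recorded in the TPM before control is handed over), the verifier's replay of the resulting integrity report, and the "can only be decrypted by this same TPM" property of sealed data, as an added Python example. This is not code from the lecture or from any TCPA implementation: the Tpm class, its root secret, the HMAC-based keystream and the sample firmware images are constructed stand-ins, and the example goes slightly beyond the notes in binding sealed data to the PCR value at seal time, as the TCPA seal operation does.

```python
# Added example (not part of the lecture notes or of any TCPA implementation):
# CRTM -> BIOS -> ROM measurement chain, PCR extend, verifier-side replay of
# the event log, and PCR-bound sealing with a toy cipher.
import hashlib
import hmac
import os

PCR_SIZE = 20  # a TCPA 1.1 PCR holds one SHA-1 digest


def measure(image: bytes) -> bytes:
    """Integrity metric of a component: the SHA-1 hash of its image."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || digest). A PCR can only be
    extended, never written, so a recorded measurement cannot be removed
    or reordered until the platform resets."""
    return hashlib.sha1(pcr + digest).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy HMAC counter-mode keystream; stand-in for the TPM's real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


class Tpm:
    """Minimal TPM stand-in: one PCR plus a root secret that never leaves it."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)          # PCRs are zero after reset
        self._root_secret = os.urandom(32)  # stand-in for the root storage key

    def extend(self, digest: bytes) -> None:
        self.pcr = extend(self.pcr, digest)

    def _seal_key(self, pcr: bytes) -> bytes:
        # Depends on the TPM's secret and the PCR value, so only this TPM,
        # in this measured software state, can recover it.
        return hmac.new(self._root_secret, pcr, hashlib.sha256).digest()

    def seal(self, data: bytes) -> tuple:
        """Encrypt data so that only this TPM, with the PCR at its current
        value, can unseal it. Returns (pcr_at_seal, ciphertext, tag)."""
        key = self._seal_key(self.pcr)
        ct = bytes(b ^ k for b, k in zip(data, _keystream(key, len(data))))
        tag = hmac.new(key, self.pcr + ct, hashlib.sha256).digest()
        return self.pcr, ct, tag

    def unseal(self, blob: tuple) -> bytes:
        sealed_pcr, ct, tag = blob
        if sealed_pcr != self.pcr:
            raise PermissionError("PCR mismatch: software state differs from seal time")
        key = self._seal_key(sealed_pcr)
        expected = hmac.new(key, sealed_pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("blob was sealed by a different TPM")
        return bytes(b ^ k for b, k in zip(ct, _keystream(key, len(ct))))


def can_unseal(tpm: Tpm, blob: tuple) -> bool:
    try:
        tpm.unseal(blob)
        return True
    except PermissionError:
        return False


def measured_boot(tpm: Tpm, chain: list) -> list:
    """Each stage measures the next into the TPM before transferring control
    to it. Returns the event log that accompanies an integrity report."""
    log = []
    for name, image in chain:
        digest = measure(image)
        tpm.extend(digest)
        log.append((name, digest.hex()))
        # control now passes to `image`; measuring what runs next is its job
    return log


def replay_log(log: list) -> bytes:
    """Verifier side: recompute the PCR from the logged digests and compare
    with the PCR value the TPM signed using an attestation identity."""
    pcr = bytes(PCR_SIZE)
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def expected_pcr(chain: list) -> bytes:
    """Golden PCR value computed from known-good images."""
    pcr = bytes(PCR_SIZE)
    for _name, image in chain:
        pcr = extend(pcr, measure(image))
    return pcr


# Constructed sample images standing in for real firmware.
GOOD_CHAIN = [("BIOS", b"bios-v1.0"), ("option-ROM", b"nic-rom-v2"),
              ("OS-loader", b"loader-v3")]
TAMPERED_CHAIN = [("BIOS", b"bios-v1.0"), ("option-ROM", b"nic-rom-v2-backdoored"),
                  ("OS-loader", b"loader-v3")]

if __name__ == "__main__":
    tpm = Tpm()
    log = measured_boot(tpm, GOOD_CHAIN)
    print("PCR matches golden value:", replay_log(log) == expected_pcr(GOOD_CHAIN))
```

Run as a script it boots the good chain and compares the replayed PCR with the golden value. The tampered chain differs in one option ROM and so ends in a different PCR; a second TPM that boots the identical chain reaches the same PCR but still cannot unseal the blob, because the seal key also depends on its own root secret; and once any further measurement is extended into the first TPM the blob no longer unseals, which is the "cannot be removed until reboot" property in action.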
activation is controlled by the owner, while TPM deactivation is available to individual users.
Additionally, to ensure privacy no single TPM identity is ever used to digitally sign all data; multiple
pseudonymous IDs are allowed, which limits correlation. Remote control of the TPM is enabled by
the keys that have been generated. Note, however, that the CA that certifies an identity can correlate
that identity to the platform.
profile is to be completed and will include the CRTM and its connection to the platform. The
manufacturer's role is to create a security target and produce a product design evaluation.
measurement of integrity metrics of the software environment on the TCPA platform. In the long
term, we can learn what software is running on a machine, and have confidence in the information
about the software environment and identity of a remote party, enabling higher levels of trust when
interacting with that party.