2.3 SERIES DE TIEMPO
2.4.6 MODELOS NO ESTACIONALES ARIMA
A small amount of NVRAM storage that has restricted access-control properties can be very useful in a PC. It can store keys that shouldn’t be available when the machine is off, give faster access to data than decryption using public/private key pairs can, and provide a mechanism to pass information back and forth between different parts of a system. NVRAM in TPMs can be configured to control read and write capabilities separately, which means some data can be provided to a user without worrying that it will be erased by accident or malicious intent. Additionally, you can use NVRAM to store keys that are used when the PC doesn’t have access to its main storage. This can happen early during the boot cycle or before a self-encrypting drive has been given its password, allowing it to be read.
Having NVRAM provides the following:
• Storage for root keys for certificate chains: These are public keys to
which everyone should have access—but it’s very important that they not be changed.
• Storage for an endorsement key (EK): An EK is stored by the
manufacturer and used to decrypt certificates and pass passwords into the TPM during provisioning. In spite of misleading statements made on the Internet, the EK was designed to be privacy sensitive.
• Storage for a representation of what the state of the machine ought to be: This is used by some Intel implementations using
TPMs and Intel Trusted Execution Technology (TXT), where
it’s called a launch control policy. Like the public root key used in Unified Extensible Firmware Interface (UEFI) secure-boot implementations, this is used by the system owner to specify the state they want the machine to be in when it goes through a controlled launch, usually of a hypervisor. The advantage over the UEFI secure-boot method is that with the TPM, the end user has full control over the contents of the NVRAM storage.
• Storage for decryption keys used before the hard disk is available: For
example, a key used for a self-encrypting drive.
Platform Configuration Registers
One unique thing about a TPM that can’t be guaranteed with smart cards is that it’s on the motherboard and available before the machine boots. As a result, it can be counted on as a place to store measurements taken during the boot process. Platform Configuration Registers (PCRs) are used for this purpose. They store hashes of measurements taken by external software, and the TPM can later report those measurements by signing them with a specified key. Later in the book, we describe how the registers work; for now, know that they have a one-way characteristic that prevents them from being spoofed. That is, if the registers provide a representation of trusted software that behaves as expected, then all the register values can be trusted.
A clever thing that’s done with these registers is to use them as a kind of
authentication signal. Just as, for example, a time lock won’t allow a bank vault to unlock unless the time is during business hours, you can create a key or other object in a TPM that can’t be used unless a PCR (or PCRs) is in a given state. Many interesting scenarios are enabled by this, including these:
A VPN may not allow a PC access to a network unless it can prove
•
it’s running approved IT software.
A file system may not obtain its encryption key unless its MBR has
•
not been disturbed and the hard disk is on the same system.
Privacy Enablement
The architects of the first TPM were very concerned about privacy. Privacy is of major importance to enterprises, because losing systems or data that contain personally identifiable information (PII) can cause an enormous loss of money. Laws in many states require enterprises to inform people whose private data has been lost; so, for example, if a laptop containing a database of Human Resources data is stolen, the enterprise is required to notify everyone whose data might have been compromised. This can cost millions of dollars. Before the advent of embedded security systems, encryption of private files was nearly impossible on a standard PC because there was no place to put the key. As a result, most encryption solutions either “hid” the key in a place that was easily found by the technically adept, or derived a key from a password. Passwords have a basic problem: if a person can remember it, a computer can figure it out. The best way to prevent this is to have hardware track when too many wrong attempts are made to guess a password and then cause a delay before another attempt is allowed. The TPM
specification requires this approach to be implemented, providing an enormous privacy advantage to those who use it.
The second privacy-related problem the architects tried to solve was much harder: providing a means to prove that a key was created and was protected by a TPM without the recipient of that proof knowing which TPM was the creator and protector of the key. Like many problems in computer science, this one was solved with a level of indirection. By making the EK a decryption-only key, as opposed to a signing key, it can’t be (directly) used to identify a particular TPM. Instead, a protocol is provided for making attestation
identity keys (AIKs), which are pseudo-identity keys for the platform. Providing a protocol
for using a privacy CA means the EKs can be used to prove that an AIK originated with a TPM without proving which TPM the AIK originated from. Because there can be an unlimited number of AIKs, you can destroy AIKs after creating and using them, or have multiple AIKs for different purposes. For instance, a person can have three different AIKs that prove they’re a senior citizen, rich, and live alone, rather than combining all three into one key and exposing extra information when proving one of their properties.
Additionally, some clever cryptographers at Intel, IBM, and HP came up with a protocol called direct anonymous attestation (DAA), which is based on group signatures and provides a very complicated method for proving that a key was created by a TPM without providing information as to which TPM created it. The advantage of this protocol is that it lets the AIK creator choose a variable amount of knowledge they want the privacy CA to have, ranging from perfect anonymity (when a certificate is created, the privacy CA is given proof that an AIK belongs to a TPM, but not which one) to perfect knowledge (the privacy CA knows which EK is associated with an AIK when it’s providing a
pseudonymous certificate for the AIK). The difference between the two is apparent when a TPM is broken and a particular EK’s private key is leaked to the Internet. At this point, a privacy CA can revoke certificates if it knows a certificate it created is associated with that particular EK, but can’t do so if it doesn’t know.
PCR sensitivity to small changes in design, implementation, and use of PCs makes PCRs for the most part irreversible. That is, knowing a PC’s PCR values provides almost no information about how the PC is set up. This is unfortunate for an IT organization that notices a change in PCR values and is trying to figure out why. It does provide privacy to end users, though.