|Publication date||23 Apr 2009|
|Filing date||22 Sep 2008|
|Priority date||20 Sep 2007|
|Also published as||WO2009051471A3|
|Publication number||PCT/2008/112, PCT/MY/2008/000112, PCT/MY/2008/00112, PCT/MY/8/000112, PCT/MY/8/00112, PCT/MY2008/000112, PCT/MY2008/00112, PCT/MY2008000112, PCT/MY200800112, PCT/MY8/000112, PCT/MY8/00112, PCT/MY8000112, PCT/MY800112, WO 2009/051471 A2, WO 2009051471 A2, WO 2009051471A2, WO-A2-2009051471, WO2009/051471A2, WO2009051471 A2, WO2009051471A2|
|Inventors||Hau Keong Wong, Galoh Rashidah Haron, Fui Bee Tan, Chong Seak Sea, Kang Siong Ng, Talib Azhar Bin Abu|
TRUSTED COMPUTER PLATFORM METHOD AND SYSTEM WITHOUT TRUST
FIELD OF THE INVENTION This invention relates to computer systems having embedded functionality to prevent or block unauthorized computer programs and applications from running within the computer system.
BACKGROUND OF THE INVENTION Attempts have been made in hardware and software applications by computer system designers and developers to secure computer systems to prevent or block unauthorized computer programs or applications from running within the computer system. One term used in the industry to define this attempt to secure computer systems in this manner is "trusted computing" (TC). The word "trusted" means that the computer is trusted by the software and system designers and developers that developed the computer system to ensure that unauthorized programs are blocked from running on the "trusted" computer. TC generally encompasses five key technology concepts, of which all are required for a fully trusted computer system: 1) endorsement key; 2) secure input and output; 3) memory curtaining / protected execution; 4) sealed storage; and 5) remote attestation.
One such effort of implementing TC into hardware has been from a group of software developers and semiconductor designers and manufacturers in the computer industry that have worked together in the Trusted Computing Group (TCG). At the heart of TCG's trusted computing implementation is a hardware module called the Trusted Platform Module (TPM), which is the ultimate hardware system in which the core "root of trust" in the platform must lie. Such a system 10 is shown in FIG. 1, where the TPM 12 is a hardware implementation that is designed by TCG to enhance platform security beyond the capabilities of current software-only solutions. The TPM chip is a secure key generator and key cache management component that supports industry-standard cryptographic application program interfaces (APIs) and operating system 14. TPMs generate, store, and manage cryptographic keys in hardware (within the TPM). This leverages the resources of the platform and allows hardening of the many applications (16₁, 16₂, 16₃, ..., 16ₙ). TPM-capable products are built with the TPM chips soldered onto their printed circuit boards. The encryption keys and other critical security information are stored in non-volatile memory within the TPMs. The private keys stored in the TPM chips are also protected by the TPM even when in use, which provides secure key management. Protected key storage enables TPM-capable systems to support user authentication and platform attestation for secure local as well as remote access. The "root of trust" is based in hardware (the TPM) but can be extended to software. TPM-capable systems make storage of sensitive digital data (passwords, credit card numbers, digital signatures, etc.) more secure by protecting it from unauthorized use.
In other previous software-based TC efforts, attempts have been made to rely on software implemented on existing "non-TC" platforms to achieve TC functionality. These previous attempts rely solely on software encryption algorithms with keys; however, the encryption algorithms and keys are often stored in unsecured memory. In these instances, when security is provided by traditional, non-TC general-purpose central processing units (CPUs), encryption keys and related security information are stored in general system memory. Such use of system memory is no guarantee of secure key management, and provides system managers with a false sense of trust.
Therefore, there is a need for a software implementation that overcomes at least one of the problems associated with current TC systems. For example, an implementation that can proactively establish more trusted relationships for remote or local access through secure user authentication and machine attestation, protect encryption keys and digital signature keys to maintain data confidentiality and integrity, protect key operations and other security tasks that would otherwise be performed on unprotected interfaces in unprotected communications, and/or protect platform and user authentication information from software-based attacks.
In accordance with an aspect of the invention, a method for creating a virtual trusted computer platform with a trust credential comprises providing a trusted platform module on a first computer, wherein the trusted platform module is a hardware device dedicated to trusted computing that protects data from unauthorized use, accessing the trusted platform module on the first computer from a second computer unequipped with a trusted platform module, and replicating the trusted platform module on the second computer, thereby virtualizing a virtual trusted platform module in software on the second computer based on the trusted platform module on the first computer.
In an embodiment, accessing the trusted platform module comprises providing a private key and a certificate from an authorized certification authority. Accessing the trusted platform module comprises sending to the second computer a virtual trusted computer proxy with a hash network boot protocol stack. The virtual trusted computer proxy may be signed with a network boot key and a network boot certificate. An instance of the virtual trusted platform module may be created for the second computer, verifying the network boot certificate received from the second computer, and sending back to the hash network boot protocol stack a hash. An encryption key may be generated of the virtual trusted platform module based on a signature given by the trusted platform module. The trusted platform module may be defined by the Trusted Computing Group. The virtual trusted platform module may indicate to an operating system on the second computer that the second computer is equipped with a trusted platform module although the second computer remains unequipped with a trusted platform module. The trusted computing may require at least one of an endorsement key, secure input and output, memory curtaining and protected execution, sealed storage, and remote attestation. The second computer may lack a trust credential before, and obtains a trust credential by, replicating the trusted platform module to virtualize the virtual trusted platform module.
In accordance with an aspect of the invention, a system for creating a trusted computer platform with a trust credential, comprises a first computer installed with a trusted platform module, and a second computer in communication with the first computer, wherein the second computer is unequipped with a trusted platform module and accesses the trusted platform module on the first computer for replicating the trusted platform module on the second computer, thereby virtualizing a virtual trusted platform module on the second computer.
In an embodiment, the trusted platform module provides a private key and a certificate from an authorized certification authority for accessing the trusted platform module. The second computer sends a virtual trusted computer proxy with a hash network boot protocol stack for accessing the trusted platform module. The virtual trusted computer proxy may be signed with a network boot key and a network boot certificate. An instance of the virtual trusted platform module may be created for the second computer, for verifying the network boot certificate received from the second computer, and sending back to the hash network boot protocol stack a hash. An encryption key may be generated of the virtual trusted platform module based on a signature given by the trusted platform module. The trusted platform module may be defined by the Trusted Computing Group. The virtual trusted platform module indicates to an operating system on the second computer that the second computer is equipped with a trusted platform module although the second computer remains unequipped with a trusted platform module. The trusted computing may require at least three of an endorsement key, secure input and output, memory curtaining and protected execution, sealed storage, and remote attestation. The second computer may lack a trust credential before, and obtains a trust credential by, replicating the trusted platform module to virtualize the virtual trusted platform module.
Advantageously, the trusted computer platform method and system provides a secure computer system without a trust credential. The trusted computer platform provides a secure or "trusted computing" (TC) environment to prevent or block unauthorized computer programs or applications from running within the computer system. The trusted computer platform also provides a fully trusted computer system having 1) endorsement key; 2) secure input and output; 3) memory curtaining / protected execution; 4) sealed storage; and 5) remote attestation. The trusted computer platform achieves a mechanism to proactively establish more trusted relationships for remote or local access through secure user authentication and machine attestation, protect encryption keys and digital signature keys to maintain data confidentiality and integrity, protect key operations and other security tasks that would otherwise be performed on unprotected interfaces in unprotected communications, and/or protect platform and user authentication information from software-based attacks.
BRIEF DESCRIPTION OF THE INVENTION
In order that the present invention may be fully understood and readily put into practical effect, there shall now be described by way of non-limitative example only embodiments of the present invention, the description referring to the following illustrative drawings.
FIG. 1 shows a block diagram of a system in accordance with a prior art trusted computing system;
FIG. 2 shows a block diagram of a virtual trusted platform module (VTPM) in accordance with an embodiment of the invention;
FIG. 3 shows the architecture of a virtual machine in accordance with an embodiment of the invention;
FIG. 4 shows a trusted computing sequence in accordance with an embodiment of the invention;
FIG. 5 illustrates a process flow in accordance with an embodiment of the invention;
FIG. 6 shows a flow chart of a method in accordance with an embodiment of the invention;
FIG. 7 shows a network boot as part of the trusted building block and trusted root of trust in accordance with an embodiment of the invention; and
FIG. 8 shows connection of the endorsement key of the virtual trusted platform module to the attestation identity key (AIK) of the trusted platform module in accordance with an embodiment of the invention.
A method and system for a trusted computer platform with a trust credential is disclosed. An embodiment of the invention is shown in FIG. 2 as a system architecture 100 that can be incorporated in or implemented by the system 10. FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the present invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, characters, components, and data structures that perform particular tasks or implement particular abstract data types. As those skilled in the art will appreciate, the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable user electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
In a normal scenario, a trusted platform module (TPM) will create a chain of trust. This chain of trust, called inductive trust, is a process where the root of trust gives a trustworthy description of a second group of functions. Based on this description, an interested entity can determine the trust it is to place in this second group of functions. If the interested entity determines that the trust level of the second group of functions is acceptable, the trust boundary is extended from the root of trust to include the second group of functions. This is illustrated in FIG. 1. For a conventional computer such as a personal computer (PC), this chain of trust will start with a printed circuit board that is equipped with the proper BIOS and TPM and builds inductive trust as the functionality goes up, as shown in FIG. 4.
An embodiment of the invention creates this same inductive trust within a computer such as a PC that is not previously equipped with a TPM. Compared with a PC that is equipped with a TPM, a virtual TPM (VTPM) 100 is shown in FIG. 2. The software-based VTPM will perform the same or substantially the same function as the TPM which is defined in the TPM Design Version 1.2 Part 1, 2, 3.
The architecture of the VTPM 100 is shown in FIG. 2. The VTPM 100 comprises virtual input/output (I/O) 102 that receives and/or sends data as determined by the CPU of the computer. The virtual I/O 102 provides data via virtual bus 112 to virtual non-volatile storage 104, virtual platform configuration register (VPCR) 106, virtual attestation identity key (VAIK) 108, virtual program code 110, virtual random number generator 114, virtual SHA-1 engine 116, virtual key generation 118, virtual RSA engine 120, virtual opt-in 122, and virtual execution engine 124.
The entire virtual machine 136 of the virtual non-trusted PC (VNTP) is shown in FIG. 3. The VNTP is created because the operating system has complete control of the underlying resources and thus would know that the underlying hardware does not include the necessary TPM. The virtual machine creates the necessary illusion for the operating system that the TPM is present even though it is physically located elsewhere. The architecture of a platform 130 with the virtual machine 136 is shown in FIG. 3. The virtual machine and TC are combined into a platform 130 for creating trust where some of the underlying architecture is not necessarily trustable. The platform 130 comprises a computer 132, such as a personal computer, a hypervisor 134, virtual machines 136₁..n, and guest operating systems and applications 138₁..n. It will be appreciated that the number n of guest operating systems and applications may differ from the number of virtual machines n.
In FIG. 5, system 140 includes two computers: one computer that is trusted with the TPM hardware 12 shown in FIG. 1, and a virtualized non-trusted computer 130 having a VTPM 100. VTPMs are created according to the number of insecure platforms that wish to use the facility. The functionality of the VTPM is not directly accessible to the VTNC. Instead, proxies negotiate the activity between the virtual non-trusted computer and the trusted computer for the VTPM services. The VTPM resides on the virtual trusted computer because the virtual trusted computer can provide memory curtaining, which is crucial to the VTPM activity. The virtual trusted computer 10 comprises TPM 12, hypervisor 20, client side TPM driver 22, virtual machine 24, virtual machine server side TPM driver 28, VTPM manager 26, VTPM instance 28 and proxy 164. The virtual non-trusted computer 130 comprises hypervisor 134, virtual machine client side TPM driver 142, virtual machine server side TPM driver, virtual machine 136, proxy 162 and application 138.
The two process flows P1 30,170 and P2 28,172 are indicated by non-dashed and dashed arrows, respectively. P1 (non-dashed arrow) occurs when the system first boots up. The boot-up sequence in this architecture may boot from the network. Unlike a plain network boot sequence (NBS), in this embodiment the boot image also contains a private key (PK) and a certificate (Cert) from an authorized certification authority (CA). The first action of the network boot protocol (NBP) is to send to the virtual trusted computer proxy the hash of the network boot protocol stack and sign it with the network boot key and the network boot certificate (NBC), for example (SIGN VPWT (HASH(NBTS)), NBC), where PWT is a personal computer without a trusted platform, PT is a personal computer with a trusted platform, VPWT is a virtual personal computer without a trusted platform, and NBT is the network boot protocol. Once the virtual trusted computer proxy has received the hash of the network boot protocol stack, for example (SIGN VPWT (HASH (NBTS)), NBC), the virtual trusted computer 10 will create an instance of the VTPM for the non-trusted computer 130, verify the network boot certificate, for example SIGN PWT(HASH (NBTS)), and send back to the network boot protocol a hash of SIGN VTPMPWT(SIGN VPWT(HASH (NBTS))), which is stored by the network boot protocol. This process occurs initially upon boot-up.
FIG. 6 illustrates the flow of this process in accordance with an embodiment of the invention. The non-trusted computer 130 prepares a hash of the binary image or stack and signs it with private key 1 (PK1) 222. The hash of the binary image or stack, signed with the private key, is sent to the proxy in the trusted computer, where the hash is signed with private key 2 (PK2) and certificate 2 (Cert2) 224. The non-trusted computer receives the hash signed with private key 2 and the certificate from the trusted computer 226, and the hash signed with private key 2 and the certificate are stored 228.
For later boots, the NBT will only need to send, for example, SIGN VTPM PWT (SIGN VPWT(HASH(NBTS))), SIGN VPWT(HASH(NBTS)) and the network boot certificate, as shown in the process flow 240 of FIG. 7. The non-trusted computer retrieves the hash previously signed with private key 2 and private key 1 242, and prepares a hash signed with private key 1 244. The two hashes are sent to the proxy of the trusted computer 246, and the trusted computer and the non-trusted computer receive a notification of trust 248.
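The two boot flows just described (first boot, FIG. 6; later boots, FIG. 7), carried through with both sides' messages as an added Go example; this is illustrative code written for this page, not the patent's or the TCG's own. It assumes RSA PKCS#1 v1.5 as the signature scheme, models the network boot certificate as a CA signature over the platform's public key, uses a constructed boot stack image, and the names TrustedProxy, bootRequest and Demo are this example's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sign/verify use RSA PKCS#1 v1.5 over SHA-256, which is deterministic: an unchanged
// boot stack gives a byte-identical SIGN_VPWT(HASH(NBTS)) on every boot, so the
// countersignature stored at enrolment stays verifiable (this example's choice).
func sign(key *rsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// BootRequest is what the VPWT's network boot protocol sends to the proxy. The NBC is
// modelled as the platform's public key plus the CA's signature over its modulus.
type BootRequest struct {
	Pub   *rsa.PublicKey
	CASig []byte // NBC: SIGN_CA(Pub.N)
	Sig1  []byte // SIGN_VPWT(HASH(NBTS)), recomputed over the current stack each boot
	Sig2  []byte // SIGN_VTPM_PWT(Sig1) kept from enrolment; empty on the first boot
}

// TrustedProxy runs beside the real TPM; one VTPM instance (its signing key) per platform.
type TrustedProxy struct {
	caPub     *rsa.PublicKey
	instances map[string]*rsa.PrivateKey // keyed by the platform's public modulus
}

func (p *TrustedProxy) certOK(r BootRequest) bool { return verify(p.caPub, r.Pub.N.Bytes(), r.CASig) }

// Enroll is flow P1 (FIG. 6, 224-226): verify the NBC, create the VTPM instance and
// return SIGN_VTPM_PWT(Sig1), which the platform stores (228).
func (p *TrustedProxy) Enroll(r BootRequest) ([]byte, bool) {
	if !p.certOK(r) {
		return nil, false
	}
	inst, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false
	}
	p.instances[string(r.Pub.N.Bytes())] = inst
	return sign(inst, r.Sig1), true
}

// Attest is the later-boot flow (FIG. 7, 242-248): trust is confirmed only if the NBC is
// valid and Sig2 is this platform's VTPM countersignature over the freshly made Sig1,
// which holds only if the boot stack still hashes exactly as it did at enrolment.
func (p *TrustedProxy) Attest(r BootRequest) bool {
	inst, ok := p.instances[string(r.Pub.N.Bytes())]
	return ok && p.certOK(r) && verify(&inst.PublicKey, r.Sig1, r.Sig2)
}

// bootRequest is the VPWT side (222/244): hash the stack as it is now, sign with PK1.
func bootRequest(nbts []byte, pk1 *rsa.PrivateKey, caSig, sig2 []byte) BootRequest {
	h := sha256.Sum256(nbts)
	return BootRequest{Pub: &pk1.PublicKey, CASig: caSig, Sig1: sign(pk1, h[:]), Sig2: sig2}
}

// Demo runs the first boot, a later boot with the same stack and a later boot with a
// changed stack; it returns (sameStackTrusted, changedStackTrusted).
func Demo() (bool, bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	pk1, _ := rsa.GenerateKey(rand.Reader, 2048)
	nbc := sign(caKey, pk1.PublicKey.N.Bytes()) // the CA-issued network boot certificate
	proxy := &TrustedProxy{caPub: &caKey.PublicKey, instances: map[string]*rsa.PrivateKey{}}
	nbts := []byte("constructed network boot protocol stack image v1")
	sig2, _ := proxy.Enroll(bootRequest(nbts, pk1, nbc, nil))
	same := proxy.Attest(bootRequest(nbts, pk1, nbc, sig2))
	changed := proxy.Attest(bootRequest([]byte("constructed network boot protocol stack image v2"), pk1, nbc, sig2))
	return same, changed
}

func main() { fmt.Println(Demo()) }
```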
Once network boot is established as part of the trusted building block (TBB) and trusted root of trust 202, the chain of trust is progressed using the normal TC sequence 200 as shown in FIG. 4, from the CRTM code 204 to the next links in the chain, for example the operating system loader code 206, the operating system code 208 and the application code 210.
In the other process flow P2, a trust model is created from the application on the VPWT to the VTPM on the VPT. The trust establishment in this context is built upon the necessary information and keys on the TPM itself. The main purpose of the keys and certificate for the VTPM is to provide a certificate for an endorsement key (EK) of a VTPM by connecting the endorsement key of the VTPM to the attestation identity key (AIK) of the TPM. This is shown in the process flow 260 in FIG. 8. The quote command and AIKTPM are used to generate a signature, which is sent to the VTPM 262. The encryption key of the VTPM is generated and the certificate based on the signature is given by the TPM with the proper metric 264. The AIK of the VTPM is generated 266, and the encryption key of the VTPM certificate is sent to the certificate authority 268. The AIK of the VTPM certificate is received from the CA 270, and the signature is stored in the non-volatile storage of the VTPM 272. In this embodiment the AIK of the TPM and the TPM quote command are used to issue a signature over the current state of the platform configuration register (PCR) stored in the non-volatile storage of the TPM and a user-provided 160-bit number. The SHA-1 content of the endorsement key for the VTPM (endorsement key VTPM) is the signed PCR and the 160-bit number. This links the endorsement key VTPM to the AIK of the TPM (AIKTPM). The AIK of the VTPM (AIKVTPM) is then created by the CA using the endorsement key VTPM.
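The EK_VTPM-to-AIK_TPM linkage of process flow P2 (steps 262-272), as an added Go example that is not the patent's own code: a modelled TPM extends PCRs, the quote command signs the PCR state and the 160-bit number, EK_VTPM is derived as the SHA-1 of that signature, and the CA-side check verifies the linkage against its expected PCR state. ECDSA P-256 as the AIK algorithm, the PCR indexes and all measurements are constructed assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// TPM models what the page takes from the hardware TPM: PCRs in its non-volatile
// storage and the AIK_TPM behind the quote command (SHA-1/160-bit as in TPM 1.2).
type TPM struct {
	pcr [24][sha1.Size]byte
	aik *ecdsa.PrivateKey
}

// Extend applies PCR[i] = SHA-1(PCR[i] || measurement), the way CRTM, OS loader and
// OS code (FIG. 4) become part of the quoted state.
func (t *TPM) Extend(i int, measurement []byte) {
	h := sha1.New()
	h.Write(t.pcr[i][:])
	h.Write(measurement)
	copy(t.pcr[i][:], h.Sum(nil))
}

// quoteDigest is what AIK_TPM signs: every PCR followed by the 160-bit number.
func quoteDigest(pcr [24][sha1.Size]byte, nonce [sha1.Size]byte) []byte {
	h := sha1.New()
	for i := range pcr {
		h.Write(pcr[i][:])
	}
	h.Write(nonce[:])
	return h.Sum(nil)
}

// VTPM holds what the page stores in the VTPM's non-volatile storage (272): the
// quote signature and EK_VTPM, whose content is the SHA-1 of that signature.
type VTPM struct {
	Quote  []byte
	Nonce  [sha1.Size]byte
	EKVTPM [sha1.Size]byte
}

// ProvisionEK is steps 262-264: run the TPM quote command (AIK_TPM signs the PCR
// state and the user-provided 160-bit number) and derive EK_VTPM from the signature.
func ProvisionEK(t *TPM, nonce [sha1.Size]byte) (*VTPM, error) {
	q, err := ecdsa.SignASN1(rand.Reader, t.aik, quoteDigest(t.pcr, nonce))
	if err != nil {
		return nil, err
	}
	return &VTPM{Quote: q, Nonce: nonce, EKVTPM: sha1.Sum(q)}, nil
}

// CertifyEK is the check a CA runs before issuing the AIK_VTPM certificate (268-270):
// the quote must verify under AIK_TPM over the expected PCR state (the "proper
// metric") and the nonce, and EK_VTPM must be the SHA-1 of exactly that quote.
func CertifyEK(aik *ecdsa.PublicKey, expected [24][sha1.Size]byte, v *VTPM) bool {
	return ecdsa.VerifyASN1(aik, quoteDigest(expected, v.Nonce), v.Quote) &&
		sha1.Sum(v.Quote) == v.EKVTPM
}

// measure replays the boot chain of FIG. 4 with constructed measurements.
func measure(t *TPM, osCode string) {
	t.Extend(0, []byte("constructed CRTM code 204"))
	t.Extend(4, []byte("constructed OS loader code 206"))
	t.Extend(8, []byte(osCode))
}

// Demo certifies EK_VTPM for a platform in the reference state and for one whose OS
// code differs; it returns (referenceStateCertified, differentStateCertified).
func Demo() (bool, bool) {
	aik, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nonce := [sha1.Size]byte{0x5e, 0xed, 0x01} // constructed user-provided number
	good := &TPM{aik: aik}
	measure(good, "constructed OS code 208")
	reference := good.pcr // the CA's expected state ("proper metric", 264)
	other := &TPM{aik: aik}
	measure(other, "constructed OS code 208, altered")
	v1, _ := ProvisionEK(good, nonce)
	v2, _ := ProvisionEK(other, nonce)
	return CertifyEK(&aik.PublicKey, reference, v1), CertifyEK(&aik.PublicKey, reference, v2)
}

func main() { fmt.Println(Demo()) }
```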
As discussed, the process is shown in FIG. 5. Using this technology on an insecure platform builds a chain of trust to the application level using the trusted computing technology even though there is no trusted component on the system prior to boot-up. It will be appreciated that the devices and subsystems of the exemplary methods and systems described with respect to the figures may communicate, for example, over a communication network, and may include any suitable servers, workstations, personal computers (PCs), laptop computers, handheld devices, with visual displays and/or monitors, telephones, cellular telephones, wireless devices, PDAs, Internet appliances, set top boxes, modems, other devices, and the like, capable of performing the processes of the disclosed exemplary embodiments. The devices and subsystems, for example, may communicate with each other using any suitable protocol and may be implemented using a general-purpose computer system and the like. One or more interface mechanisms may be employed, for example, including Internet access, telecommunications in any suitable form, such as voice, modem, and the like, wireless communications media, and the like. Accordingly, the network may include, for example, wireless communications networks, cellular communications networks, Public Switched Telephone Networks (PSTNs), Packet Data Networks (PDNs), the Internet, intranets, hybrid communications networks, combinations thereof, and the like.
It is to be understood that the embodiments, as described with respect to the figures, are for exemplary purposes, as many variations of the specific hardware used to implement the disclosed exemplary embodiments are possible. For example, the functionality of the devices and the subsystems of the embodiments may be implemented via one or more programmed computer systems or devices. To implement such variations as well as other variations, a single computer system may be programmed to perform the functions of one or more of the devices and subsystems of the exemplary systems. On the other hand, two or more programmed computer systems or devices may be substituted for any one of the devices and subsystems of the exemplary systems. Accordingly, principles and advantages of distributed processing, such as redundancy, replication, and the like, also may be implemented, as desired, for example, to increase robustness and performance of the exemplary systems described with respect to the figures.
The exemplary systems described with respect to the figures may be used to store information relating to various processes described herein. This information may be stored in one or more memories, such as hard disk, optical disk, magneto-optical disk, RAM, and the like, of the devices and sub-systems of the embodiments. One or more databases of the devices and subsystems may store the information used to implement the exemplary embodiments. The databases may be organized using data structures, such as records, tables, arrays, fields, graphs, trees, lists, and the like, included in one or more memories, such as the memories listed above.
All or a portion of the exemplary systems described with respect to the figures may be conveniently implemented using one or more general-purpose computer systems, microprocessors, digital signal processors, micro-controllers, and the like, programmed according to the teachings of the disclosed exemplary embodiments. Appropriate software may be readily prepared by programmers of ordinary skill based on the teachings of the disclosed exemplary embodiments. In addition, the exemplary systems may be implemented by the preparation of application-specific integrated circuits or by interconnecting an appropriate network of component circuits.
Whilst there has been described in the foregoing description preferred embodiments of the present invention, it will be understood by those skilled in the technology concerned that many variations or modifications in details of design or construction may be made without departing from the present invention.
|EP1484891A2 *||1 Jun 2004||8 Dec 2004||Broadcom Corporation||Online trusted platform module|
|US6185678 *||2 Oct 1998||6 Feb 2001||Trustees Of The University Of Pennsylvania||Secure and reliable bootstrap architecture|
|US6408163 *||21 Jan 1998||18 Jun 2002||Nortel Networks Limited||Method and apparatus for replicating operations on data|
|US7216369 *||28 Jun 2002||8 May 2007||Intel Corporation||Trusted platform apparatus, system, and method|
|1||*||SAILER ET AL.: 'The Role of TPM in Enterprise Security' IBM RESEARCH REPORT RC23363, [Online] 06 October 2004, pages 2 - 5 Retrieved from the Internet: <URL:http://domino.research.ibm.com/comm/researchprojects.nsf/pages/ssdima.index.html/$FILE/rc23363.pdf>|
|Citing patent||Filing date||Publication date||Applicant||Title|
|WO2012084837A1 *||19 Dec 2011||28 Jun 2012||International Business Machines Corporation||Virtual machine validation|
|CN102262599A *||2 Sep 2011||30 Nov 2011||南京博智软件科技有限公司||A trusted-root-based portable hard disk fingerprint authentication method|
|CN102262599B||2 Sep 2011||20 Nov 2013||江苏博智软件科技有限公司||Trusted root-based portable hard disk fingerprint identification method|
|CN103270518A *||19 Dec 2011||28 Aug 2013||国际商业机器公司||Virtual machine validation|
|US8396990||14 Apr 2010||12 Mar 2013||Afilias Technologies Limited||Transcoding web resources|
|US8984601 *||22 Jan 2013||17 Mar 2015||Gerard A. Gagliano||Enterprise security system|
|US9081600||19 Dec 2011||14 Jul 2015||International Business Machines Corporation||Virtual machine validation|
|US9141724||19 Apr 2010||22 Sep 2015||Afilias Technologies Limited||Transcoder hinting|
|US9727740||30 Jan 2012||8 Aug 2017||Hewlett-Packard Development Company, L.P.||Secure information access over network|
|US20140033285 *||22 Jan 2013||30 Jan 2014||Gerard A. Gagliano||Enterprise security system|
|International classification||G06F21/53, G06F21/57, G06F15/00|
|European classification||G06F21/53, G06F21/57|
|17 Jun 2009||121||Ep: the epo has been informed by wipo that ep was designated in this application|
Ref document number: 08840662
Country of ref document: EP
Kind code of ref document: A2
|23 Mar 2010||NENP||Non-entry into the national phase in:|
Ref country code: DE
|3 Nov 2010||122||Ep: pct application non-entry in european phase|
Ref document number: 08840662
Country of ref document: EP
Kind code of ref document: A2