Direct Anonymous Attestation

Last updated

Direct Anonymous Attestation (DAA) is a cryptographic primitive which enables remote authentication of a trusted computer whilst preserving privacy of the platform's user. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification [1] to address privacy concerns (see also Loss of Internet anonymity). ISO/IEC 20008 specifies DAA, as well, and Intel's Enhanced Privacy ID (EPID) 2.0 implementation for microprocessors is available for licensing RAND-Z along with an open source SDK.

Contents

Historical perspective

In principle the privacy issue could be resolved using any standard signature scheme (or public key encryption) and a single key pair. Manufacturers would embed the private key into every TPM produced and the public key would be published as a certificate. Signatures produced by the TPM must have originated from the private key, by the nature of the technology, and since all TPMs use the same private key they are indistinguishable ensuring the user's privacy. This rather naive solution relies upon the assumption that there exists a global secret. One only needs to look at the precedent of Content Scramble System (CSS), an encryption system for DVDs, to see that this assumption is fundamentally flawed. Furthermore, this approach fails to realize a secondary goal: the ability to detect rogue TPMs. A rogue TPM is a TPM that has been compromised and had its secrets extracted.

The solution first adopted by the TCG (TPM specification v1.1) required a trusted third-party, namely a privacy certificate authority (privacy CA). Each TPM has an embedded RSA key pair called an Endorsement Key (EK) which the privacy CA is assumed to know. In order to attest the TPM generates a second RSA key pair called an Attestation Identity Key (AIK). It sends the public AIK, signed by EK, to the privacy CA who checks its validity and issues a certificate for the AIK. (For this to work, either a) the privacy CA must know the TPM's public EK a priori, or b) the TPM's manufacturer must have provided an endorsement certificate.) The host/TPM is now able to authenticate itself with respect to the certificate. This approach permits two possibilities to detecting rogue TPMs: firstly the privacy CA should maintain a list of TPMs identified by their EK known to be rogue and reject requests from them, secondly if a privacy CA receives too many requests from a particular TPM it may reject them and blocklist the TPMs EK. The number of permitted requests should be subject to a risk management exercise. This solution is problematic since the privacy CA must take part in every transaction and thus must provide high availability whilst remaining secure. Furthermore, privacy requirements may be violated if the privacy CA and verifier collude. Although the latter issue can probably be resolved using blind signatures, the first remains.

The EPID 2.0 solution embeds the private key in the microprocessor when it is manufactured, inherently distributes the key with the physical device shipment, and has the key provisioned and ready for use with 1st power-on.

Overview

The DAA protocol is based on three entities and two different steps. The entities are the DAA Member (TPM platform or EPID-enabled microprocessor), the DAA Issuer and the DAA Verifier. The issuer is charged to verify the TPM platform during the Join step and to issue DAA credential to the platform. The platform (Member) uses the DAA credential with the Verifier during the Sign step. Through a zero-knowledge proof the Verifier can verify the credential without attempting to violate the platform's privacy. The protocol also supports a blocklisting capability so that Verifiers can identify attestations from TPMs that have been compromised.

Privacy properties

The protocol allows differing degrees of privacy. Interactions are always anonymous, but the Member/Verifier may negotiate as to whether the Verifier is able to link transactions. This would allow user profiling and/or the rejection of requests originating from a host which has made too many requests. The Member and Verifier can also elect to reveal additional information to accomplish non-anonymous interactions (just as you can choose to tell a stranger your full name, or not). Thus, known identity can be built on top of an anonymous start. (Contrast this with: if you start with known identity, you can never prove you un-know that identity to regress to anonymity.)

Implementations and attacks

The first Direct Anonymous Attestation scheme was due to Brickell, Camenisch, and Chen; [2] that scheme proved insecure and required a fix. [3] Brickell, Chen, and Li improved efficiency of that first scheme using symmetric pairings, rather than RSA. [4] And Chen, Morrissey, and Smart attempted to further improve efficiency by switching from a symmetric to an asymmetric setting; [5] [6] unfortunately, the asymmetric scheme was also insecure. [7] Chen, Page, and Smart proposed a new elliptic curve cryptography scheme using Barreto–Naehrig curves. [8] This scheme is implemented by both EPID 2.0 and the TPM 2.0 standard. It is recommended for TPMs in general [9] and required for TPMs that conform to the PC client profile. [10] In addition, the Intel EPID 2.0 implementation of ISO/IEC 20008 DAA and the available open source SDK [11] can be used for members and verifiers to do attestation. Since one of the DAA attestation methods in TPM 2.0 is identical to EPID 2.0, work is underway to make ISO/IEC 20008 DAA and TPM 2.0 DAA attestation read consistently with each other at the spec level.[ citation needed ]

See also

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Trusted Computing (TC), also often referred to as Confidential Computing, is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning. The core idea of trusted computing is to give hardware manufacturers control over what software does and does not run on a system by refusing to run unsigned software. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key that is inaccessible to the rest of the system and the owner.

Digital signature Mathematical scheme for verifying the authenticity of digital documents

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authenticity), and that the message was not altered in transit (integrity).

Public key infrastructure

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

David Chaum American computer scientist and cryptographer

David Lee Chaum is an American computer scientist and cryptographer. He is known as a pioneer in cryptography and privacy-preserving technologies, and widely recognized as the inventor of digital cash. His 1982 dissertation "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups" is the first known proposal for a blockchain protocol. Complete with the code to implement the protocol, Chaum's dissertation proposed all but one element of the blockchain later detailed in the Bitcoin whitepaper.

In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; the Third Party reviews all critical transaction communications between the parties, based on the ease of creating fraudulent digital content. In TTP models, the relying parties use this trust to secure their own interactions. TTPs are common in any number of commercial transactions and in cryptographic digital transactions as well as cryptographic protocols, for example, a certificate authority (CA) would issue a digital certificate to one of the two parties in the next example. The CA then becomes the Trusted-Third-Party to that certificates issuance. Likewise transactions that need a third party recordation would also need a third-party repository service of some kind or another.

Proof of work (PoW) is a form of cryptographic proof in which one party proves to others that a certain amount of a specific computational effort has been expended. Verifiers can subsequently confirm this expenditure with minimal effort on their part. The concept was invented by Cynthia Dwork and Moni Naor in 1993 as a way to deter denial-of-service attacks and other service abuses such as spam on a network by requiring some work from a service requester, usually meaning processing time by a computer. The term "proof of work" was first coined and formalized in a 1999 paper by Markus Jakobsson and Ari Juels. Proof of work was later popularized by Bitcoin as a foundation for consensus in permissionless decentralized network, in which miners compete to append blocks and mint new currency, each miner experiencing a success probability proportional to the computational effort expended. PoW and PoS are the two best known Sybil deterrence mechanisms. In the context of cryptocurrencies they are the most common mechanisms.

Java Card is a software technology that allows Java-based applications (applets) to be run securely on smart cards and similar small memory footprint devices. Java Card is the tiniest of Java platforms targeted for embedded devices. Java Card gives the user the ability to program the devices and make them application specific. It is widely used in ATM cards. The first Java Card was introduced in 1996 by Schlumberger's card division which later merged with Gemplus to form Gemalto. Java Card products are based on the Java Card Platform specifications developed by Sun Microsystems. Many Java card products also rely on the GlobalPlatform specifications for the secure management of applications on the card.

Trusted Platform Module Standard for secure cryptoprocessors

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person. Also, digital credentials prove something about their owner. Both types of credentials may contain personal information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a finger print.

In cryptography, implicit certificates are a variant of public key certificate. A subject's public key is reconstructed from the data in an implicit certificate, and is then said to be "implicitly" verified. Tampering with the certificate will result in the reconstructed public key being invalid, in the sense that it is infeasible to find the matching private key value, as would be required to make use of the tampered certificate.

Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by services or applications. PETs use techniques to minimize possession of personal data without losing the functionality of an information system. Generally speaking, PETs can be categorized as hard and soft privacy technologies.

ProVerif is a software tool for automated reasoning about the security properties found in cryptographic protocols. The tool has been developed by Bruno Blanchet.

U-Prove is a free and open-source technology and accompanying SDK for user-centric identity management. The underlying cryptographic protocols were designed by Dr. Stefan Brands and further developed by Credentica and, subsequently, Microsoft. The technology was developed to allow internet users to disclose only the minimum amount of personal data when making electronic transactions as a way to reduce the likelihood of privacy violations. Security expert Bruce Schneier praised the cryptography behind U-Prove.

Signatures with efficient protocols are a form of digital signature invented by Jan Camenisch and Anna Lysyanskaya in 2001. In addition to being secure digital signatures, they need to allow for the efficient implementation of two protocols:

  1. A protocol for computing a digital signature in a secure two-party computation protocol.
  2. A protocol for proving knowledge of a digital signature in a zero-knowledge protocol.

Enhanced Privacy ID (EPID) is Intel Corporation's recommended algorithm for attestation of a trusted system while preserving privacy. It has been incorporated in several Intel chipsets since 2008 and Intel processors since 2011. At RSAC 2016 Intel disclosed that it has shipped over 2.4B EPID keys since 2008. EPID complies with international standards ISO/IEC 20008 / 20009, and the Trusted Computing Group (TCG) TPM 2.0 for authentication. Intel contributed EPID intellectual property to ISO/IEC under RAND-Z terms. Intel is recommending that EPID become the standard across the industry for use in authentication of devices in the Internet of Things (IoT) and in December 2014 announced that it was licensing the technology to third-party chip makers to broadly enable its use.

The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of Coppersmith's attack". The vulnerability has been given the identifier CVE-2017-15361.

WebAuthn Public-key authentication standard

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography.

Verifiable credentials

Verifiable credentials (VCs) are an open standard for digital credentials. They can represent information found in physical credentials, such as a passport or license, as well as new things that have no physical equivalent, such as ownership of a bank account. They have numerous advantages over physical credentials, most notably that they're digitally signed, which makes them tamper-resistant and instantaneously verifiable. Verifiable credentials can be issued by anyone, about anything, and can be presented to and verified by everyone. The entity that generates the credential is called the Issuer. The credential is then given to the Holder who stores it for later use. The Holder can then prove something about themselves by presenting their credentials to a Verifier.

References

  1. TPM Specification
  2. Brickell; Camenisch; Chen (2004). "Direct Anonymous Attestation" (PDF). ACM Conference on Computer and Communications Security: 132–145.
  3. Smyth; Ryan; Chen (2015). "Formal analysis of privacy in Direct Anonymous Attestation schemes" (PDF). Science of Computer Programming. 111 (2): 300–317. doi: 10.1016/j.scico.2015.04.004 .
  4. Brickell; Chen; Li (2009). "Simplified security notions of Direct Anonymous Attestation and a concrete scheme from pairings" (PDF). International Journal of Information Security. 8 (5): 315–330. doi:10.1007/s10207-009-0076-3. S2CID   16688581.
  5. Chen; Morrissey; Smart (2008). "On Proofs of Security for DAA Schemes". 3rd International Conference on Trust and Trustworthy Computing. 5324: 156–175.
  6. Chen; Morrissey; Smart (2008). "Pairings in Trusted Computing". 2nd International Conference on Pairing-Based Cryptography. 5209: 1–17.
  7. Chen; Li (2010). "A note on the Chen-Morrissey-Smart DAA scheme". Information Processing Letters. 110 (12–13): 485–488. doi:10.1016/j.ipl.2010.04.017.
  8. Chen; Page; Smart (2010). "On the Design and Implementation of an Efficient DAA Scheme" (PDF). 9th International Conference on Smart Card Research and Advanced Applications. 6035: 223–237.
  9. https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.16.pdf
  10. https://www.trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2-0-v43-150126.pdf
  11. EPID SDK
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.