Direct Anonymous Attestation

Last updated

Direct Anonymous Attestation (DAA) is a cryptographic primitive which enables remote authentication of a trusted computer whilst preserving privacy of the platform's user. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification [1] to address privacy concerns (see also Loss of Internet anonymity). ISO/IEC 20008 specifies DAA, as well, and Intel's Enhanced Privacy ID (EPID) 2.0 implementation for microprocessors is available for licensing RAND-Z along with an open source SDK.

Contents

Historical perspective

In principle the privacy issue could be resolved using any standard signature scheme (or public key encryption) and a single key pair. Manufacturers would embed the private key into every TPM produced and the public key would be published as a certificate. Signatures produced by the TPM must have originated from the private key, by the nature of the technology, and since all TPMs use the same private key they are indistinguishable ensuring the user's privacy. This rather naive solution relies upon the assumption that there exists a global secret. One only needs to look at the precedent of Content Scramble System (CSS), an encryption system for DVDs, to see that this assumption is fundamentally flawed. Furthermore, this approach fails to realize a secondary goal: the ability to detect rogue TPMs. A rogue TPM is a TPM that has been compromised and had its secrets extracted.

The solution first adopted by the TCG (TPM specification v1.1) required a trusted third-party, namely a privacy certificate authority (privacy CA). Each TPM has an embedded RSA key pair called an Endorsement Key (EK) which the privacy CA is assumed to know. In order to attest the TPM generates a second RSA key pair called an Attestation Identity Key (AIK). It sends the public AIK, signed by EK, to the privacy CA who checks its validity and issues a certificate for the AIK. (For this to work, either a) the privacy CA must know the TPM's public EK a priori, or b) the TPM's manufacturer must have provided an endorsement certificate.) The host/TPM is now able to authenticate itself with respect to the certificate. This approach permits two possibilities to detecting rogue TPMs: firstly the privacy CA should maintain a list of TPMs identified by their EK known to be rogue and reject requests from them, secondly if a privacy CA receives too many requests from a particular TPM it may reject them and blocklist the TPMs EK. The number of permitted requests should be subject to a risk management exercise. This solution is problematic since the privacy CA must take part in every transaction and thus must provide high availability whilst remaining secure. Furthermore, privacy requirements may be violated if the privacy CA and verifier collude. Although the latter issue can probably be resolved using blind signatures, the first remains.

The EPID 2.0 solution embeds the private key in the microprocessor when it is manufactured, inherently distributes the key with the physical device shipment, and has the key provisioned and ready for use with 1st power-on.

Overview

The DAA protocol is based on three entities and two different steps. The entities are the DAA Member (TPM platform or EPID-enabled microprocessor), the DAA Issuer and the DAA Verifier. The issuer is charged to verify the TPM platform during the Join step and to issue DAA credential to the platform. The platform (Member) uses the DAA credential with the Verifier during the Sign step. Through a zero-knowledge proof the Verifier can verify the credential without attempting to violate the platform's privacy. The protocol also supports a blocklisting capability so that Verifiers can identify attestations from TPMs that have been compromised.

Privacy properties

The protocol allows differing degrees of privacy. Interactions are always anonymous, but the Member/Verifier may negotiate as to whether the Verifier is able to link transactions. This would allow user profiling and/or the rejection of requests originating from a host which has made too many requests. The Member and Verifier can also elect to reveal additional information to accomplish non-anonymous interactions (just as you can choose to tell a stranger your full name, or not). Thus, known identity can be built on top of an anonymous start. (Contrast this with: if you start with known identity, you can never prove you un-know that identity to regress to anonymity.)

Implementations and attacks

The first Direct Anonymous Attestation scheme was due to Brickell, Camenisch, and Chen; [2] that scheme proved insecure and required a fix. [3] Brickell, Chen, and Li improved efficiency of that first scheme using symmetric pairings, rather than RSA. [4] And Chen, Morrissey, and Smart attempted to further improve efficiency by switching from a symmetric to an asymmetric setting; [5] [6] unfortunately, the asymmetric scheme was also insecure. [7] Chen, Page, and Smart proposed a new elliptic curve cryptography scheme using Barreto–Naehrig curves. [8] This scheme is implemented by both EPID 2.0 and the TPM 2.0 standard. It is recommended for TPMs in general [9] and required for TPMs that conform to the PC client profile. [10] In addition, the Intel EPID 2.0 implementation of ISO/IEC 20008 DAA and the available open source SDK [11] can be used for members and verifiers to do attestation. Since one of the DAA attestation methods in TPM 2.0 is identical to EPID 2.0, work is underway to make ISO/IEC 20008 DAA and TPM 2.0 DAA attestation read consistently with each other at the spec level.[ citation needed ]

See also

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning that is distinct from the field of confidential computing. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key that is inaccessible to the rest of the system and the owner.

<span class="mw-page-title-main">Digital signature</span> Mathematical scheme for verifying the authenticity of digital documents

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient.

In cryptography, a key-agreement protocol is a protocol whereby two parties generate a cryptographic key as a function of information provided by each honest party so that no party can predetermine the resulting value. In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

<span class="mw-page-title-main">David Chaum</span> American computer scientist and cryptographer (born 1955)

David Lee Chaum is an American computer scientist, cryptographer, and inventor. He is known as a pioneer in cryptography and privacy-preserving technologies, and widely recognized as the inventor of digital cash. His 1982 dissertation "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups" is the first known proposal for a blockchain protocol. Complete with the code to implement the protocol, Chaum's dissertation proposed all but one element of the blockchain later detailed in the Bitcoin whitepaper. He has been referred to as "the father of online anonymity", and "the godfather of cryptocurrency".

In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; the third party reviews all critical transaction communications between the parties, based on the ease of creating fraudulent digital content. In TTP models, the relying parties use this trust to secure their own interactions. TTPs are common in any number of commercial transactions and in cryptographic digital transactions as well as cryptographic protocols, for example, a certificate authority (CA) would issue a digital certificate to one of the two parties in the next example. The CA then becomes the TTP to that certificate's issuance. Likewise transactions that need a third party recordation would also need a third-party repository service of some kind.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity, and to store disk encryption keys.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

Intel Trusted Execution Technology is a computer hardware technology of which the primary goals are:

Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person. Also, digital credentials prove something about their owner. Both types of credentials may contain personal information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a finger print.

In cryptography, implicit certificates are a variant of public key certificate. A subject's public key is reconstructed from the data in an implicit certificate, and is then said to be "implicitly" verified. Tampering with the certificate will result in the reconstructed public key being invalid, in the sense that it is infeasible to find the matching private key value, as would be required to make use of the tampered certificate.

Non-interactive zero-knowledge proofs are cryptographic primitives, where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the statement itself. This makes direct communication between the prover and verifier unnecessary, effectively removing any intermediaries.

Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII), which is often provided to and handled by services or applications. PETs use techniques to minimize an information system's possession of personal data without losing functionality. Generally speaking, PETs can be categorized as either hard or soft privacy technologies.

ProVerif is a software tool for automated reasoning about the security properties of cryptographic protocols. The tool has been developed by Bruno Blanchet and others.

Signatures with efficient protocols are a form of digital signature invented by Jan Camenisch and Anna Lysyanskaya in 2001. In addition to being secure digital signatures, they need to allow for the efficient implementation of two protocols:

  1. A protocol for computing a digital signature in a secure two-party computation protocol.
  2. A protocol for proving knowledge of a digital signature in a zero-knowledge protocol.

Enhanced Privacy ID (EPID) is Intel Corporation's recommended algorithm for attestation of a trusted system while preserving privacy. It has been incorporated in several Intel chipsets since 2008 and Intel processors since 2011. At RSAC 2016 Intel disclosed that it has shipped over 2.4B EPID keys since 2008. EPID complies with international standards ISO/IEC 20008 / 20009, and the Trusted Computing Group (TCG) TPM 2.0 for authentication. Intel contributed EPID intellectual property to ISO/IEC under RAND-Z terms. Intel is recommending that EPID become the standard across the industry for use in authentication of devices in the Internet of Things (IoT) and in December 2014 announced that it was licensing the technology to third-party chip makers to broadly enable its use.

The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of Coppersmith's attack". The vulnerability has been given the identifier CVE-2017-15361.

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials are sometimes referred to as passkeys.

<span class="mw-page-title-main">Verifiable credentials</span>

Verifiable credentials (VCs) are digital credentials which follow the relevant World Wide Web Consortium open standards. They can represent information found in physical credentials, such as a passport or license, as well as new things that have no physical equivalent, such as ownership of a bank account. They have numerous advantages over physical credentials, most notably that they're digitally signed, which makes them tamper-resistant and instantaneously verifiable.

References

  1. TPM Specification
  2. Brickell, Ernie; Camenisch, Jan; Chen, Liqun (2004). "Direct Anonymous Attestation" (PDF). ACM Conference on Computer and Communications Security: 132–145.
  3. Smyth, Ben; Ryan, Mark; Chen, Liqun (2015). "Formal analysis of privacy in Direct Anonymous Attestation schemes" (PDF). Science of Computer Programming. 111 (2): 300–317. doi: 10.1016/j.scico.2015.04.004 .
  4. Brickell, Ernie; Chen, Liqun; Li, Jiangtao (2009). "Simplified security notions of Direct Anonymous Attestation and a concrete scheme from pairings" (PDF). International Journal of Information Security. 8 (5): 315–330. doi:10.1007/s10207-009-0076-3. S2CID   16688581.
  5. Chen; Morrissey; Smart (2008). "On Proofs of Security for DAA Schemes". 3rd International Conference on Trust and Trustworthy Computing. 5324: 156–175.
  6. Chen; Morrissey; Smart (2008). "Pairings in Trusted Computing". 2nd International Conference on Pairing-Based Cryptography. 5209: 1–17.
  7. Chen; Li (2010). "A note on the Chen-Morrissey-Smart DAA scheme". Information Processing Letters. 110 (12–13): 485–488. doi:10.1016/j.ipl.2010.04.017.
  8. Chen; Page; Smart (2010). "On the Design and Implementation of an Efficient DAA Scheme" (PDF). 9th International Conference on Smart Card Research and Advanced Applications. 6035: 223–237.
  9. Trusted Platform Module Library. Part 1: Architecture. trustedcomputinggroup.org, Retrieved 25 June 2024
  10. TCG PC Client Platform. TPM Profile (PTP) Specification. trustedcomputinggroup.org, Retrieved 25 June 2024
  11. EPID SDK
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.