Notes - MCS
Secure Execution Environments

Cryptographic Concepts

Hash (digest) extends

Concept

  • X <- hash(X || Y): the new X is the hash of the old X concatenated with Y.

  • X is extended with the value of Y

A hash-extended value cannot be set to a chosen value.

  • Due to the properties of hash functions.

Uses in the TPM.

  • To implement PCRs (Platform Configuration Registers).

  • To create audit logs.

  • To create policies relative to TPM authentication.

Tickets

Data structure that contains an HMAC computed over some data.

Tickets are “signed” using an HMAC.

  • Computed with a key that only the TPM knows.

Tickets are information that the TPM can recognize later as produced by itself.

  • Without having to store it.
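A software model of the two mechanisms above (hash extends with event-log replay, and HMAC tickets), added here as an illustration; it is not TPM code or part of the original notes, and the key, event contents and class names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed software model of two TPM mechanisms (not real TPM code).

DIGEST_LEN = 32  # SHA-256 output length; a PCR starts as all zeros


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """X <- hash(X || Y): the only way a PCR value can change."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_log(event_log, initial=bytes(DIGEST_LEN)) -> bytes:
    """Recompute a PCR from its event log, as a verifier checks an audit log."""
    pcr = initial
    for event in event_log:
        pcr = pcr_extend(pcr, hashlib.sha256(event).digest())
    return pcr


def log_matches_pcr(event_log, reported_pcr: bytes) -> bool:
    """True only if the log (contents and order) explains the reported PCR."""
    return hmac.compare_digest(replay_log(event_log), reported_pcr)


class TicketIssuer:
    """HMAC 'signature' with a key only the TPM knows; nothing is stored."""

    def __init__(self, secret=None):
        # Hypothetical TPM-internal key; a fixed value is only for tests.
        self._key = secret or os.urandom(32)

    def make_ticket(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def recognise(self, data: bytes, ticket: bytes) -> bool:
        """Did this TPM itself produce the ticket over exactly this data?"""
        expected = hmac.new(self._key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, ticket)
```

Replaying a log with one changed entry, or the same entries in a different order, yields a different PCR, which is why a PCR cannot be driven to a chosen value.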

Symmetric ciphers

Confidentiality of private TPM data. Using keys that only the TPM knows.

Confidentiality of communications. Using keys agreed with peers.

Ad hoc encryption/decryption. Using keys provided by requesters.

Modes

Block modes: ECB, CBC. Data needs to be a multiple of the block size -> padding.

Stream modes: CFB, OFB, CTR. To be used when data is not block aligned.

Integrated integrity control.

  • HMAC-based Encrypt-then-MAC.

  • HMACs computed with nonces for replay prevention.

Endorsement keys (EKs)

Key pairs that identify TPM devices.

  • They are certified by the TPM manufacturer.

  • Their X.509 certificate can describe the TPM device's features.

These keys can be used to certify other TPM keys.

  • Those keys are produced by the TPM.

  • Those certificates do not use X.509.
