Direct anonymous attestation

From Wikipedia, the free encyclopedia

The Direct Anonymous Attestation (DAA)[1] scheme enables the remote authentication of a trusted platform whilst preserving the platform's privacy. DAA was created for the Trusted Computing Group (TCG) and is incorporated in version 1.2 of the Trusted Platform Module (TPM) specification[2] as an alternative to the attestation scheme that employs a trusted third party, the Privacy Certificate Authority (Privacy CA).

Background

The first remote attestation solution adopted by the TCG (TPM Specification v1.1) utilized a trusted third party called a Privacy CA. The purpose of the Privacy CA scheme was to provide a TPM with a signed Attestation Identity Credential (AIC) that it could then use to authenticate its signature on a TPM Quote. Three principals are involved here: the TPM, the Privacy CA, and some Verifier wishing to have a remote attestation of the TPM's platform.

When a TPM wants to be able to sign a Quote, it generates an Attestation Identity Key (AIK). The job of the Privacy CA is to tie that AIK to the hardware Endorsement Key (EK) of the TPM. The Privacy CA will check that the TPM's hardware Endorsement Credential (EC) is signed by an entity trusted to manufacture TPMs.

If so, the Privacy CA creates and signs the AIC and encrypts it with the public EK that the EC certifies. Only the genuine TPM holds the private half of that EK, so its ability to decrypt and present the AIC proves that it is the TPM the EC describes, and therefore a TCG-compliant one. A rogue device presenting another TPM's EC gains nothing: the AIC is encrypted to that EC's EK, which it does not possess, so it cannot decrypt it.

The AIC is a statement by the Privacy CA that the TPM using the key AIK to sign Quotes is a TCG-compliant TPM. The Quote, signed with AIK, is a cryptographically authenticated report of the Platform Configuration Register (PCR) contents at the time that a Quote is requested. The AIC and Quote allow a Verifier to draw conclusions about the state of the components running on the TPM's platform.

A Privacy CA can detect a rogue TPM in two ways: the private EK may have been extracted and published, in which case the CA can refuse that EK, or the CA may receive an inordinate number of requests authenticated with respect to the same EK, which is not how a single genuine TPM behaves.

The Privacy CA scheme is problematic because the Privacy CA must take part in every transaction and thus must provide high availability whilst remaining secure. Furthermore, anonymity is undermined if the Privacy CA and one or more Verifiers collude, since the CA knows which EK each AIC was issued to. Essentially, the TPM trusts the Privacy CA to preserve its anonymity.

DAA Overview

The Direct Anonymous Attestation scheme involves three principals.

  • a TPM and its host platform. (There is a division of labor between the TPM and its platform, with the platform handling any computations that do not require TPM secrets.)
  • a DAA Issuer
  • a Verifier

DAA is composed of two protocols[3]: the Join protocol and the Sign protocol.

The Join protocol results in a TPM receiving a DAA credential so it can authenticate its Quote signatures to Verifiers. This protocol occurs once for a TPM and has to happen before that TPM can meaningfully interact with Verifiers. Without an AIC or DAA credential to authenticate a TPM, a Verifier doesn't know whether a Quote came from a real, compliant TPM or an impostor. The fact that this protocol occurs once eliminates the need for a reliably online third party as in the Privacy CA case.

Before Join can take place, the Issuer must set up a DAA key pair, generated according to the Camenisch-Lysyanskaya signature scheme.[4] CL signatures are chosen because their algebraic structure lets a holder prove, in zero knowledge and with efficient discrete-logarithm-based proofs, that it possesses a signature on a committed value without revealing either the value or the signature. The Issuer's public DAA key is published and authenticated with a long-term RSA key.

A TPM wishing to acquire a DAA credential generates a secret value f and uses components of the Issuer's public DAA key to compute U, a commitment to f. The TPM sends U, together with other information including an Endorsement Credential (EC) signed by the TPM manufacturer, to the Issuer. If the Issuer is satisfied with the signature on the EC, it sends the TPM a nonce encrypted with the Endorsement Key (EK) that the EC certifies. Decrypting the nonce proves that the TPM can use the private EK; an adversary presenting a stolen EC cannot, because it cannot decrypt the Issuer's nonce. The TPM returns the decrypted nonce along with a Fiat-Shamir signature[5] (a non-interactive zero-knowledge proof that it knows the f committed to in U), as well as a value NI, computed from f, that the Issuer uses for rogue detection. If everything checks out, the Issuer issues a DAA credential with respect to the value U.
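The following is an added example illustrating the Join message flow above and the two EK-based checks described earlier (proof of EK possession, and rogue detection by a published secret); it is constructed for this page and is not TCG, TSS, or Brickell-Camenisch-Chen code. It makes several simplifying assumptions, all of them labelled in the code: the Camenisch-Lysyanskaya RSA-group arithmetic is replaced by a Chaum-Pedersen proof in a toy prime-order subgroup, the EK is textbook RSA with tiny primes, the manufacturer's signature on the EC is modelled as a lookup in a dictionary of trusted ECs, and the issued credential is a placeholder tuple rather than a CL signature. The Sign protocol's proof of credential possession is not modelled, because that part genuinely needs the CL machinery.

```python
"""Toy simulation of the DAA Join flow (constructed example; not TCG/TSS code)."""
import hashlib
import math
import secrets

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.3e24, which covers every value used here."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % a == 0 for a in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n: int) -> int:
    n |= 1
    while not is_prime(n):
        n += 2
    return n

# Toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (parameters far too small for real use).
Q = next_prime(1 << 70)
while not is_prime(2 * Q + 1):
    Q = next_prime(Q + 2)
P = 2 * Q + 1
G = 4  # a square mod P, hence a generator of the order-Q subgroup

def hash_to_group(basename: bytes) -> int:
    """zeta_I: a second subgroup generator derived from the Issuer's basename."""
    return pow(int.from_bytes(hashlib.sha256(basename).digest(), "big") % P, 2, P)

def fs_challenge(*parts: int) -> int:
    """Fiat-Shamir: the challenge is a hash of the transcript rather than a verifier's message."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_same_f(f: int, zeta: int, nonce: int):
    """Non-interactive proof of knowledge of f such that U = G^f and N = zeta^f (Chaum-Pedersen)."""
    U, N = pow(G, f, P), pow(zeta, f, P)
    r = secrets.randbelow(Q)
    A, B = pow(G, r, P), pow(zeta, r, P)
    c = fs_challenge(U, N, A, B, nonce)
    return U, N, (c, (r + c * f) % Q)

def verify_same_f(U: int, N: int, zeta: int, proof, nonce: int) -> bool:
    c, s = proof
    A = pow(G, s, P) * pow(U, Q - c, P) % P      # G^s * U^(-c) recovers G^r iff s = r + c*f
    B = pow(zeta, s, P) * pow(N, Q - c, P) % P
    return c == fs_challenge(U, N, A, B, nonce)

def toy_ek_keypair(seed: int):
    """Textbook RSA stands in for the TPM Endorsement Key (toy: tiny primes, no padding)."""
    e, p1 = 65537, next_prime(seed)
    p2 = next_prime(p1 + 2)
    while math.gcd(e, (p1 - 1) * (p2 - 1)) != 1:
        p2 = next_prime(p2 + 2)
    return (p1 * p2, e), (p1 * p2, pow(e, -1, (p1 - 1) * (p2 - 1)))

class TPM:
    def __init__(self, ek_priv, ec: bytes):
        self.ek_priv, self.ec = ek_priv, ec  # the EC this TPM presents (possibly another TPM's)
        self.f = secrets.randbelow(Q)        # DAA secret; never leaves the TPM

class Issuer:
    def __init__(self, basename: bytes, trusted_ecs: dict):
        self.zeta_I = hash_to_group(basename)
        self.trusted_ecs = trusted_ecs  # EC -> EK public key; stands in for verifying the manufacturer's signature
        self.rogue_f = set()            # DAA secrets known to have been extracted and published

def join(tpm: TPM, issuer: Issuer):
    """Run Join; return (placeholder credential or None, reason). Comments mark the message flow."""
    ek_pub = issuer.trusted_ecs.get(tpm.ec)          # TPM -> Issuer: U (computed below) and the EC
    if ek_pub is None:
        return None, "EC not signed by a trusted manufacturer"
    n, e = ek_pub
    nonce = secrets.randbelow(n)
    ciphertext = pow(nonce, e, n)                    # Issuer -> TPM: nonce encrypted to the EC's EK
    n_own, d_own = tpm.ek_priv
    if pow(ciphertext, d_own, n_own) != nonce:      # TPM -> Issuer: the decrypted nonce
        return None, "cannot decrypt with the EK named in the EC (stolen EC?)"
    U, N_I, proof = prove_same_f(tpm.f, issuer.zeta_I, nonce)   # TPM -> Issuer: U, N_I, FS proof
    if not verify_same_f(U, N_I, issuer.zeta_I, proof, nonce):
        return None, "invalid proof of knowledge of f"
    if any(pow(issuer.zeta_I, f, P) == N_I for f in issuer.rogue_f):
        return None, "rogue TPM: N_I matches a published f"
    return ("credential", U), "ok"                   # stand-in for the CL credential on U
```

The rogue check works because NI is a deterministic function of f: once a compromised TPM's f is published, every future Join from it (or from a clone carrying the same f) produces the same NI, which the Issuer can match against its rogue list without learning f from honest TPMs. The stolen-EC case fails at the nonce step for exactly the reason the text gives: the attacker's own EK cannot decrypt a nonce encrypted to the EK the EC certifies.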

The Sign protocol allows a Verifier to draw conclusions about the state of the TPM and its platform. Unlike with the AIC, the Verifier does not see the TPM's DAA credential; instead it receives a zero-knowledge proof that such a credential exists. When a Verifier requests a Quote, the TPM returns the Quote signed with an AIK together with a proof that the TPM holding the private AIK also holds a DAA credential from a specific DAA Issuer.

Note that the TPM can use the same DAA credential for every AIK because the credential itself is never revealed. Also, since the Issuer does not learn which TPM holds which DAA credential, it cannot collude with Verifiers to undermine anonymity. To prevent Verifiers from colluding with one another to link its transactions, the TPM simply uses a different AIK for each Verifier. This is similar to the Privacy CA scheme, with the exception that a new credential is not needed every time the TPM wishes to use a new AIK.

References

  1. E. Brickell, J. Camenisch, L. Chen: Direct Anonymous Attestation. Proc. ACM Conference on Computer and Communications Security (CCS), 2004.
  2. Trusted Computing Group: TPM Main Specification, version 1.2.
  3. Trusted Computing Group: TCG Software Stack (TSS) Specification.
  4. J. Camenisch, A. Lysyanskaya: A Signature Scheme with Efficient Protocols. Security in Communication Networks (SCN), 2002.
  5. A. J. Menezes, P. C. van Oorschot, S. A. Vanstone: Handbook of Applied Cryptography. CRC Press, 1996.
