Direct Anonymous Attestation, Revisited

Direct Anonymous Attestation
Revisited
Jan Camenisch
IBM Research – Zurich
Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann.
[email protected], @JanCamenisch, ibm.biz/jancamenisch
Direct Anonymous Attestation – What is it?
Protocol standardized by TCG (trusted computing group)
"
Attestation of computer state by TPM (root of trust)
"
TPM measures boot sequence
"
TPM attest boot sequence to third party
"
Attestation based on cryptographic keys
→ Strong authentication of TPM with privacy
Use cases apart from attestation:
"
secure access to networks, services, any resources of devices
"
can be extended to user of device
Direct Anonymous Attestation – Brief History
"
"
"
"
TCPA 0.44 – July 2000 until TCPA 1.1b – February 2002
"
w/out DAA, but used Privacy CA
"
Privacy groups criticized Privacy CA solution
TPM 1.2 – July 2003 until Aug 2009 (revision 116)
"
DAA introduced as alternative to Privacy CA, goal to make privacy groups happy
"
DAA based on RSA
"
Host part specified in TSS (Trusted Software Stack)
"
Implementation on chips very slow (arithmetic co-processor)
TPM 2.0 – October 2014
"
Elliptic curve-based DAA
"
ISO standard in 2015 (ISO/IEC 11889)
Today: Interest in TPM revived
"
Security of mobile devices
"
FIDO authentication
Attestation Scenario
Issuer
(TPM or Platform Manufacturer)
Problem: using traditional certificates, all
transactions of the same platform
become linkable :-(
Verifier
(Bank, eShop, Tax authority, …)
Security Requirements for Attestation
Unforgeability: No adversary can create signatures on messages that were
never signed by a certified TPM.
Non-frameability: One cannot create a signature on a message that links to an
honest platform’s signature when the platform never signed this message.
Anonymity: signatures by an honest platform are unlinkable (without basename
or different basenames).
Revocation: If a TPM is compromised, signatures from the compromised keys
must no longer be accepted.
Attestation – Privacy CA Solution (Traditional Credentials)
EK,CertE
Issuer
AIK,CertA
Problem: Privacy CA does not exist
Privacy CA
AIK, CertA, SigAIK(m)
operate 24/7
" security needs to be high – a contradiction to 24/7
" no business model (trust relationship w/ users and verifiers)
" can link transactions!
● other security requirements would be fulfilled
"
Verifier
Direct Anonymous Attestation (Brickell, Camenisch, Chen - 2003)
Issuer
DAA credentials are “randomizable”:
"
TPM can transform original credential into new credentials that “looks
like” a fresh credential
→ different randomize credentials cannot be linked (anonymity)
→ still credentials are unforgeable
Verifier
Direct Anonymous Attestation – Rogue TPMs
"
TPM has been broken and keys have leaked
"
Need to be able to distinguish those keys despite signatures are anonymous
"
Solution: Nym = f(DAA-secret) = ζ
"
DAA-secret
mod p, where
if ζ is random: published keys can be detected,
protocol is still anonymous
"
if ζ is fixed per verifier, e.g., derived from verifier's name (so-called basename):
verifier can also make frequency analysis
→ signature by the same platform w.r.t. same basename can be linked!
protocol is still pseudonymous
Realization of Direct Anonymous Attestation in TPM V1.2
Signature Scheme used to Issue Certificate to TPM
Public key of signer: RSA modulus n and ai, b, d Є QRn,
Secret key: factors of n
ℓ
To sign k messages m1, ..., mk Є {0,1} :
●
choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s ≈ n
●
compute c :
c = (d / (a m1·...· a mk bs ))1/e mod n
1
●
k
signature is (c,e,s)
Verification:
mi Є {0,1}ℓ , e > 2ℓ+1 , and d = ce a m1·...· a mk bs mod n
1
k
Signature Scheme used to Issue Certificate to TPM
Observe:
d = ce a
1
m1
·...· a
mk
k
t
bs mod n
Let c' = c b mod n with randomly chosen t
then d = c'e a
m1
1
·...· a
mk
k
bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1, ..., mk
To prove ownership of a signature (c',e, s*) on some on m1, ..., mk
●
●
randomize and provide c'
execute proof protocol PK{(ε, µ1,....µk, σ) : d := c'ε a µ1·...· a µk b σ ∧ µ Є {0,1}ℓ ∧ ε > 2ℓ+1 }
1
k
How the TPM signs – Schnorr Signatures
Given a group <g> and an element y Є <g> .
Prover wants to convince verifier that she knows x1, x2 s.t. y = gx1 hx2
such that verifier only learns y, g and h.
PK{(α,β): y = gα hβ }
Prover:
random r1,r2
r1
r2
t := g h
s1 := r1 – cx1
s2 := r2 - cx2
Verifier:
t
c
s1, s2
random c
t = yc gs1 hs2
How the TPM signs – Schnorr Signatures
From Protocol PK{(α): y = gα } to Signature SPK{(α): y = gα }(m):
Signing a message m:
- chose random r1,r2 Є Zq and
- compute (c,s1,s2) := (H(gr1 hr2||m), r1 - cx1 , r2 - cx2 )
Verifying a signature (c,s1,s2) on a message m:
- check c = H(ycgs1hs2||m) ?
Security:
- Discrete Logarithm Assumption holds
- Hash function H(.) behaves as a “random oracle.”
How the TPM and the Host Sign Jointly
PK{ (x, m) :y = gxhm (mod n) }
PK{ (x) : y' = gx}
How the TPM and the Host Sign Jointly
PK{ (x, m) :y = gxhm (mod n) }
PK{ (x) : y' = gx}
random r1
t' = g
r1
t'
random r2
r2
t = t'h
t
How the TPM and the Host Sign Jointly
PK{ (x, m) :y = gxhm (mod n) }
PK{ (x) : y' = gx}
random r1
t' = g
r1
t'
c
random r2
r2
t = t'h
t
c
random c
How the TPM and the Host Sign Jointly
PK{ (x, m) :y = gxhm (mod n) }
PK{ (x) : y' = gx}
random r1
t' = g
r1
s1= r1 - c x
t'
c
s1
random r2
r2
t = t'h
s2= r2 - c m
t
c
random c
s1, s2
t = ycgs1hs2 ?
How the TPM and the Host Sign Jointly
PK{ (x, m) :y = gxhm (mod n) }
PK{ (x) : y' = gx}
random r1
t' = g
r1
s1= r1 - c x
t'
c
s1
random r2
r2
t = t'h
s2= r2 - c m
t
c
random c
s1, s2
t = ycgs1hs2 ?
TPM spec
TSS spec
Direct Anonymous Attestation in TPM V2.0
Overview of Changes from TPM 1.2 to TPM 2.0
"
"
From RSA groups to elliptic curve groups (faster, smaller keys)
TPM V1.2 : DAA protocol spec is split between TPM and TSS (Trusted Software Stack) specs.
For TPM V2.0, there is not TSS spec.
PK{(x) : y' = gx}
"
On the positive side: supports many different credential signature schemes (CL, q-SDH, …)
"
On the negative side:
"
no full specification – Chen & Li 2013 paper hard to match to TPM spec
"
no security proof – Chen & Li 2013 security proof broken, current spec. not provable secure
Difficulty in Security Definitions and Proofs
"
"
"
4 parties & 4 protocols → complex protocol and thus security definition becomes complex
After initial DAA paper (Brickell et al. 2004), a number of improved security definitions
where published.
All of them have issues, some of them severe, allowing for insecure schemes :-(
→ Need for complete security model & provably secure schemes
Simulation-Based Security Definitions
Interaction
with environment
cryptographic protocols
are run between parties
secure if environment
cannot tell apart
Interaction
with environment
Functionality (ideal specification)
Existing Simulation-Based Models for DAA
Brickell, Camenisch, Chen (2004)
"
Does not output any signature values
"
Prohibits working with signature values in practice
Chen, Morrissey, Smart (2009)
"
Outputs signatures
"
Signature generation too simplistically modeled to be realizable
Property-Based Security Definitions
Interaction
with environment
cryptographic protocols
Defines security when interacting with cryptographic protocol
for each property separately.
E.g., Non-frameability: One cannot create a signature
on a message that links to an honest platform’s
signature when the platform never signed this
message.
Existing Property-Based Models for DAA
Brickell, Chen, Li (2009)
"
"
Unforgeability not captured: trivially forgeable scheme can be proven secure
No property for non-frameability
Chen (2010)
"
"
Extends BCL’09 with non-frameability
Same flaws as BCL’09
Bernard et al. (2013)
"
"
"
"
Discusses flaws in all previous models
TPM + Host one party
Does not cover honest TPM in corrupt Host
Security Proof of “Pre-DAA” does not work for full DAA
Do we need all these definitions?
(1, 1, 1, 1) is a valid credential on any key in Chen, Page, Smart 2010
"
ISO 20008 standardized!
TPM2 spec contains static DH oracle
"
Larger groups and keys required (Xi et al., 2014)
TPM2 should make zero-knowledge proof
"
Problem in hash computation
"
Proof not zero-knowledge
Comprehensive Model and Secure Protocol
Camenisch, Drijvers, Lehmann 2016 (ia.cr/2015/1246)
Comprehensive security model in UC framework
"
Allows composition by composition theorem
"
Signatures modeled as concrete values that are sent as output
"
TPM and Host separate parties
"
Extensive explanation on why this definition properly captures the security requirements
Provide scheme that realize the functionality
"
Provably secure instantiation (based on CL signatures, but q-SDH seems feasible, too)
"
As efficient as existing DAA schemes – essentially just doing a few details right
Next Steps
TPM 2.0
"
working on fixing security problems
"
trying to unify different schemes
"
spec of full schemes, i.e., also issuer, host, verifier parts.
FIDO anonymous authenticator spec
"
with our without TPM 2.0
"
reference implementation underway (aim at open sourcing it)
Conclusions
"
Device authentication more relevant than ever
"
Provably security matters – a number of standards have issues
"
It often takes far longer than one would expect & still not done
Thanks!
ia.cr/2015/1246
[email protected]
@JanCamenisch
Questions?
References
Bernhard, D., Fuchsbauer, G., Ghadafi, E., Smart, N., Warinschi, B.: Anonymous attestation with user-controlled
linkability. International Journal of Information Security 12(3), (2013)
Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. ACM CCS 2004.
Brickell, E., Chen, L., Li, J.: Simplified security notions of direct anonymous attestation and a concrete scheme from
pairings. International Journal of Information Security 8(5), (2009)
Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. CRYPTO
2004.
Chen, L., Morrissey, P., Smart, N.: DAA: Fixing the pairing based protocols. ePrint Archive, Report 2009/198.
Chen, L.: A DAA scheme requiring less tpm resources. Information Security and Cryptology 2010.
Chen, L., Morrissey, P., Smart, N.: On proofs of security for DAA schemes. Provable Security 2008.
Chen, L., Page, D., Smart, N.: On the design and implementation of an efficient DAA scheme. Smart Card Research
and Advanced Application 2010.
Chen, L., Li, J.: Flexible and scalable digital signatures in TPM 2.0. ACM CCS 2013.
Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. SAC 1999.
Xi, L., Yang, K., Zhang, Z., Feng, D.: DAA-related APIs in TPM 2.0 revisited. Trust and Trustworthy Computing 2014
Similar pages