Hardware-based Security for Virtual Trusted Platform Modules

Virtual Trusted Platform Modules (TPMs) were proposed as a software-based alternative to hardware TPMs, allowing their cryptographic functionality to be used in scenarios where several TPMs are required on a single platform, such as virtualized environments. However, virtualizing TPMs, and especially virtualizing the Platform Configuration Registers (PCRs), conflicts with one of the core principles of Trusted Computing: the need for a hardware-based root of trust. In this paper we show how the strength of hardware-based security can be gained for virtual PCRs by binding them to their corresponding hardware PCRs. We propose two approaches for such a binding: the first variant uses binary hash trees, whereas the second uses incremental hashing. In addition, we present an FPGA-based implementation of both variants and evaluate their performance.
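The following is an added software model of the binding the abstract describes; it is example code written for this page, not the paper's design or its FPGA implementation. It models a hardware PCR as an extend-only register and shows both variants named in the abstract: the virtual PCRs as leaves of a binary hash tree whose root is extended into the hardware PCR, and an additive incremental hash (in the style of the Bellare and Micciancio construction) that can be updated in constant time when one virtual PCR changes. The leaf domain-separation prefixes, the 32-byte PCR size, the modulus M and the exact rule "extend the binding value into the hardware PCR after every virtual extend" are assumptions of this example, not details taken from the paper.

```python
import hashlib
from typing import List

PCR_LEN = 32
ZERO = bytes(PCR_LEN)
# Assumption for the demo: a large modulus for the additive incremental hash.
# A small modulus (or XOR combining) would not be collision resistant.
M = (1 << 1024) - 159

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend semantics: PCR <- H(PCR || measurement).
    The modelled hardware PCR changes only through this function."""
    return H(pcr + measurement)

def replay_hw_pcr(bound_values: List[bytes]) -> bytes:
    """What the hardware PCR must hold if exactly these binding values were
    extended into it, in order, after a reset to zeros."""
    pcr = ZERO
    for v in bound_values:
        pcr = pcr_extend(pcr, v)
    return pcr

# ---- variant 1: virtual PCRs as leaves of a binary hash tree ----------------
def merkle_root(vpcrs: List[bytes]) -> bytes:
    level = [H(b"\x00" + v) for v in vpcrs]            # domain-separated leaves
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])                    # pad odd levels
        level = [H(b"\x01" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

class TreeBoundBank:
    """Every vPCR extend recomputes the root and extends it into the hardware PCR."""
    def __init__(self, n_vpcrs: int):
        self.vpcrs = [ZERO] * n_vpcrs
        self.bound_log: List[bytes] = [merkle_root(self.vpcrs)]
        self.hw_pcr = replay_hw_pcr(self.bound_log)

    def extend(self, idx: int, measurement: bytes) -> None:
        self.vpcrs[idx] = pcr_extend(self.vpcrs[idx], measurement)
        root = merkle_root(self.vpcrs)
        self.bound_log.append(root)
        self.hw_pcr = pcr_extend(self.hw_pcr, root)

def verify_tree_binding(vpcrs, bound_log, hw_pcr_value) -> bool:
    """Verifier side: the claimed vPCRs must hash to the last logged root, and
    the log replayed from reset must reproduce the (quoted) hardware PCR."""
    return (merkle_root(vpcrs) == bound_log[-1]
            and replay_hw_pcr(bound_log) == hw_pcr_value)

# ---- variant 2: additive incremental hash over the virtual PCRs -------------
def leaf_term(idx: int, vpcr: bytes) -> int:
    return int.from_bytes(H(idx.to_bytes(4, "big") + vpcr), "big")

def incremental_hash(vpcrs: List[bytes]) -> int:
    return sum(leaf_term(i, v) for i, v in enumerate(vpcrs)) % M

def incremental_update(h: int, idx: int, old: bytes, new: bytes) -> int:
    """Constant-time update: swap one leaf's term instead of rehashing all vPCRs."""
    return (h - leaf_term(idx, old) + leaf_term(idx, new)) % M

def encode_h(h: int) -> bytes:
    return h.to_bytes((M.bit_length() + 7) // 8, "big")

class IncrementalBoundBank:
    def __init__(self, n_vpcrs: int):
        self.vpcrs = [ZERO] * n_vpcrs
        self.h = incremental_hash(self.vpcrs)
        self.bound_log: List[bytes] = [encode_h(self.h)]
        self.hw_pcr = replay_hw_pcr(self.bound_log)

    def extend(self, idx: int, measurement: bytes) -> None:
        old = self.vpcrs[idx]
        new = pcr_extend(old, measurement)
        self.vpcrs[idx] = new
        self.h = incremental_update(self.h, idx, old, new)
        self.bound_log.append(encode_h(self.h))
        self.hw_pcr = pcr_extend(self.hw_pcr, self.bound_log[-1])

def verify_incremental_binding(vpcrs, bound_log, hw_pcr_value) -> bool:
    return (encode_h(incremental_hash(vpcrs)) == bound_log[-1]
            and replay_hw_pcr(bound_log) == hw_pcr_value)

def demo() -> bool:
    """An honest bank verifies; a software-only rewrite of a vPCR, even with a
    forged log that matches it, fails because the hardware PCR cannot be rolled back."""
    bank = TreeBoundBank(4)
    bank.extend(1, b"bootloader-measurement")   # constructed sample measurements
    bank.extend(1, b"kernel-measurement")
    honest = verify_tree_binding(bank.vpcrs, bank.bound_log, bank.hw_pcr)
    forged = list(bank.vpcrs)
    forged[1] = ZERO                             # pretend nothing was measured
    forged_log = bank.bound_log[:-1] + [merkle_root(forged)]
    tampered = verify_tree_binding(forged, forged_log, bank.hw_pcr)
    return honest and not tampered

if __name__ == "__main__":
    print("binding holds, tampering detected:", demo())
```

The point of the model is where the trust lives: the virtual PCR values and the binding log are plain software state that a compromised hypervisor could rewrite, so a verifier must never accept them on their own. It accepts them only if replaying the logged binding values from a reset reproduces the hardware PCR, which it obtains through the hardware TPM's own quote. The two variants differ in update cost, not in this check: the tree recomputes the root over all leaves, while the incremental hash replaces a single term.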
