Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Direct Anonymous Attestation (DAA)
Liqun ChenTrusted Systems LaboratoryHewlett Packard Laboratories, Bristol
12 October 2005
The slides presented here were made for a DAA seminar last year
page 212/10/2005 Direct anonymous attestation – a signature scheme for TCG
outlineoutline
• what is DAA?• what is DAA for?• why DAA?• how does DAA work?
page 312/10/2005 Direct anonymous attestation – a signature scheme for TCG
outline
• what is DAA?• what is DAA for?• why DAA?• how does DAA work?
page 412/10/2005 Direct anonymous attestation – a signature scheme for TCG
DAA is a signature scheme
• DAA is a signature scheme designed for TCG– signer: TPM (trusted platform module)– verifier: an external partner
• the name of DAA is from– Direct proof – without a TTP involvement – Anonymous – do not disclose the identity of the signer – Attestation – statement/claim from a TPM
• DAA was adopted by TCG and specified in TCG TPM Specification Version 1.2, available at www.trustcomputinggroup.org
• designers: Ernie Brickell of Intel, Jan Camenisch of IBM and Liqun Chen of HP
page 512/10/2005 Direct anonymous attestation – a signature scheme for TCG
category of signature schemes – from a verifier’s point of view
• 1–out–1 signatures: ordinary signatures– a verifier is given an authenticated public key of a
signer• 1–out–n signatures: ring signatures, designated-
verifier signatures, concurrent signatures, ……– a verifier is given authenticated public keys of all
potential signers• 1–out–group signatures: group signatures, DAA
– a verifier is given an authenticated group public key
page 612/10/2005 Direct anonymous attestation – a signature scheme for TCG
group signatures and DAA
• a group signature has fixed-traceability and unlinkability– a group member certificate indicates an identity-disclosure
authority – the authority can recover the identity of the real signer
from a group signature• a DAA signature has flexible-traceability and flexible-
linkability– there is no identity-disclosure authority (a DAA signature
cannot be opened by any TTP)– a DAA signature provides the user-control link that can be
used to link some selected signatures from the same signer for the same verifier
page 712/10/2005 Direct anonymous attestation – a signature scheme for TCG
outline
• what is DAA?• what is DAA for? – for TCG• why DAA?• how does DAA work?
page 812/10/2005 Direct anonymous attestation – a signature scheme for TCG
goals of the TCG architecture
protect protect useruser’’s s informationinformation
protect userprotect user’’s s computing computing environmentenvironment
protect protect useruser’’s s privacyprivacy
ensure userensure user’’s s choice on use of choice on use of security security mechanismmechanism
page 912/10/2005 Direct anonymous attestation – a signature scheme for TCG
obstacle to achieving the goals of the TCG architecture
security might be fundamentally incompatible with privacy
page 1012/10/2005 Direct anonymous attestation – a signature scheme for TCG
obstacle to achieving the goals of the TCG architecture
security might be fundamentally incompatible with privacy
high security&
low privacy
page 1112/10/2005 Direct anonymous attestation – a signature scheme for TCG
obstacle to achieving the goals of the TCG architecture
security might be fundamentally incompatible with privacy
high security&
low privacy
high privacy&
low security
page 1212/10/2005 Direct anonymous attestation – a signature scheme for TCG
obstacle to achieving the goals of the TCG architecture
security might be fundamentally incompatible with privacy
high security&
low privacy
high privacy&
low security
what we want: deliver security and
provide user control of privacy
page 1312/10/2005 Direct anonymous attestation – a signature scheme for TCG
TPM (trusted platform module)
the TPM is the root of trust for reporting -– it offers smartcard-like security capability embedded into the
platform– it is trusted to operate as expected (conforms to the TCG spec)– it is uniquely bound to a single platform– its functions and storage are isolated from all other components
of the platform (e.g., the CPU)
page 1412/10/2005 Direct anonymous attestation – a signature scheme for TCG
TPM (trusted platform module)
the TPM is the root of trust for reporting -– it offers smartcard-like security capability embedded into the
platform– it is trusted to operate as expected (conforms to the TCG spec)– it is uniquely bound to a single platform– its functions and storage are isolated from all other components
of the platform (e.g., the CPU)
random numbergeneration
Non-volatileMemory
Processor Memory
asymmetric keygeneration
signing andencryption
power detectionclock/timer
I/O
HMAC
hash
page 1512/10/2005 Direct anonymous attestation – a signature scheme for TCG
platform attestation
• TCG requires a TPM to have an embedded “endorsement key (EK)”, to prove that a TPM is a particular genuine TPM
• EK is not a platform identity
• TCG lets a TPM control “multiple pseudonymous attestation identities” by using “attestation identity key (AIK)”
• AIK is a platform identity, to attest to platform properties
we need a link between EK and AIK
page 1612/10/2005 Direct anonymous attestation – a signature scheme for TCG
privacy issue
I want to know that AIK came
from a TPM
AIK
an external partner
I don’t want to disclose which TPM the AIK is
from
TPM – trusted platform moduleEK – endorsement key
AIK – attestation identity key
a user
page 1712/10/2005 Direct anonymous attestation – a signature scheme for TCG
privacy issue
I want to know that AIK came
from a TPM
AIK
an external partner
I don’t want to disclose which TPM the AIK is
from
TPM – trusted platform moduleEK – endorsement key
AIK – attestation identity key
a user
we seek a solution to convince an external party that an AIK is held in a TPM without identifying the TPM
page 1812/10/2005 Direct anonymous attestation – a signature scheme for TCG
outline
• what is DAA?• what is DAA for?• why DAA?• how does DAA work?
page 1912/10/2005 Direct anonymous attestation – a signature scheme for TCG
previous solution is not good enough
the previous solution (before TCG TPM spec. v1.2) -
• involves a TTP to issue certificates
• allows choice of any (different) certification authorities (privacy-CA) to certify each TPM identity
• can help prevent correlation, however anonymity is dependent upon the private-CA
page 2012/10/2005 Direct anonymous attestation – a signature scheme for TCG
our goal and solution
• our goal: a solution provides – anonymity without a TTP– authentication without a certificate
• our solution: – direct anonymous attestation (DAA)
direct proof replaces the TTP
page 2112/10/2005 Direct anonymous attestation – a signature scheme for TCG
a simple picture of DAA
TPMAIK #1AIK #2
EKDAA
page 2212/10/2005 Direct anonymous attestation – a signature scheme for TCG
a simple picture of DAA
stock broker verifier
medical clinic verifier
TPMAIK #1AIK #2
EKDAA
page 2312/10/2005 Direct anonymous attestation – a signature scheme for TCG
a simple picture of DAA
stock broker verifier
a DAA signature of
AIK #1
medical clinic verifier
a DAA signature of
AIK #2TPMAIK #1AIK #2
EKDAA
page 2412/10/2005 Direct anonymous attestation – a signature scheme for TCG
a simple picture of DAA
stock broker verifier
a DAA signature of
AIK #1
I know that AIK #1 came from a TPM,
but I don’t know which one.
medical clinic verifier
a DAA signature of
AIK #2
I know that AIK #2 came from a TPM,
but I don’t know which one.
TPMAIK #1AIK #2
EKDAA
page 2512/10/2005 Direct anonymous attestation – a signature scheme for TCG
a simple picture of DAA
stock broker verifier
a DAA signature of
AIK #1
I know that AIK #1 came from a TPM,
but I don’t know which one.
medical clinic verifier
a DAA signature of
AIK #2
I know that AIK #2 came from a TPM,
but I don’t know which one.
We can’t tell if Key #1 and Key #2 came from the same TPM or not.
we can’t tell if AIK #1 and AIK #2
came from the same TPM or not.
TPMAIK #1AIK #2
EKDAA
page 2612/10/2005 Direct anonymous attestation – a signature scheme for TCG
a simple picture of DAA
stock broker verifier
a DAA signature of
AIK #1
I know that AIK #1 came from a TPM,
but I don’t know which one.
medical clinic verifier
a DAA signature of
AIK #2
I know that AIK #2 came from a TPM,
but I don’t know which one.
We can’t tell if Key #1 and Key #2 came from the same TPM or not.
we can’t tell if AIK #1 and AIK #2
came from the same TPM or not.
butif the client behaves badly, I can stop him
to use my service
TPMAIK #1AIK #2
EKDAA
page 2712/10/2005 Direct anonymous attestation – a signature scheme for TCG
outline
• what is DAA?• what is DAA for?• why DAA?• how does DAA work?
page 2812/10/2005 Direct anonymous attestation – a signature scheme for TCG
the DAA scheme outline
• entities– DAA issuer: a DAA certificate issuer (e.g., a manufacturer
of TCG platforms)– DAA signer: a trusted platform module (TPM) with help
from a host platform– DAA verifier: an external partner (e.g.,a service provider)
• primitives– system and issuer setup– join protocol– signing algorithm– verifying algorithm– solution of restricted link – solution of revocation
page 2912/10/2005 Direct anonymous attestation – a signature scheme for TCG
setup
• Issuer public key: PKI = (hk, n, g’, g, h, S, Z, R0, R1, γ, Γ, ρ)– RSA parameters with
n – an RSA modulusg’ ∈ QRn
g, h ∈ ⟨g’ ⟩
S, Z ∈ ⟨h ⟩R0, R1 ∈ ⟨S ⟩
– a group of prime order withΓ - modulus (prime)ρ - order (prime, s.t. ρ|Γ - 1)γ - generator (γ ρ = 1 mod Γ )
– a hash functionHhk - a hash function of length hk
• private key: factorisation of n
a non-interactive proof of correctness of key generation (using the Fiat-Shamir heuristic)
page 3012/10/2005 Direct anonymous attestation – a signature scheme for TCG
join
entities: TPM, Host and Issuer
• DAA signing key (created by TPM):– f0, f1 (104-bit)
• DAA certificate (created with Issuer): – v (2536-bit)– A (2048-bit)– e (prime ∈R [2367, 2367 + 2119])
values R0, R1, S, Z, n are part of PKI
• TPM stores f0, f1, v, H(A||e||PKI)• Host stores A and e
)(mod1010 nZASRR evff =
page 3112/10/2005 Direct anonymous attestation – a signature scheme for TCG
joinjoin
entities: TPM, Host and Issuer
• DAA signing key (created by TPM):– f0, f1 (104-bit)
• DAA certificate (created with Issuer): – v (2536-bit)– A (2048-bit)– e (prime ∈R [2367, 2367 + 2119])
values R0, R1, S, Z, n are part of PKI
• TPM stores f0, f1, v, H(A||e||PKI)• Host stores A and e
)(mod1010 nZASRR evff =
an authentic channel between TPM and Issuer using the endorsement key (EK) of TPM
v is contributed by both TPM and Issuer
TPM proves to Issuer knowledge of f0, f1 and its contribution on v
Issuer proves to Host correctness of certificate generation
page 3212/10/2005 Direct anonymous attestation – a signature scheme for TCG
join
entities: TPM, Host and Issuer
• DAA signing key (created by TPM):– f0, f1 (104-bit)
• DAA certificate (created with Issuer): – v (2536-bit)– A (2048-bit)– e (prime ∈R [2367, 2367 + 2119])
values R0, R1, S, Z, n are part of PKI
• TPM stores f0, f1, v, H(A||e||PKI)• Host stores A and e
)(mod1010 nZASRR evff =
an authentic channel between TPM and Issuer using the endorsement key (EK) of TPM
v is contributed by both TPM and Issuer
TPM proves to Issuer knowledge of f0, f1 and its contribution on v
Issuer proves to Host correctness of certificate generation
TPM IssuerR1f0R2
f1Sv1
A, e, v2
with message authentication and correctness checking
page 3312/10/2005 Direct anonymous attestation – a signature scheme for TCG
join
entities: TPM, Host and Issuer
• DAA signing key (created by TPM):– f0, f1 (104-bit)
• DAA certificate (created with Issuer): – v (2536-bit)– A (2048-bit)– e (prime ∈R [2367, 2367 + 2119])
values R0, R1, S, Z, n are part of PKI
• TPM stores f0, f1, v, H(A||e||PKI)• Host stores A and e
)(mod1010 nZASRR evff =
an authentic channel between TPM and Issuer using the endorsement key (EK) of TPM
v is contributed by both TPM and Issuer
TPM proves to Issuer knowledge of f0, f1 and its contribution on v
Issuer proves to Host correctness of certificate generation
TPM IssuerR1f0R2
f1Sv1
A, e, v2
with message authentication and correctness checking
the Camenisch-Lysyanskaya signature scheme and based on
the strong RSA problem given n and zfind a and e
s.t. ae = z (mod n)
page 3412/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
signature
)(mod)(mod)'()(mod
name base the}1,0{,commitment
),,,,,,,,,',,( :keypublic )(mod satisfying : ecertificat
:key private
10410
10
2
21
10
10
Γ=
==−∈
Γ==
+ffv
reww
lR
I
evff
NnghgTnAhT
rw
ZSRRhggnhkPK n Z ASRRv,A,e,
, ff
ζ
ζ
ργ
Schnorrsignature
private/public key (x, y = gx)
signaturemsg - messager ∈R {0,1}l
t = g rc = H(t||msg) s = r + xcσ = (c, s)
verificationc ≡ H(gsy-c||msg)
DAA signature
msg, r, t, c, s, σ
page 3512/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
a DAA signature is presented by
msg, r, t, c, s, σ
page 3612/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
DAA signaturemsg = b||mb ∈ {0,1}m ∈ {AIK, other string}if b = 0,m = AIK - RSA keyif b = 1 m = other string
msg, r, t, c, s, σ
page 3712/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
DAA signaturemsg = b||mb ∈ {0,1}m ∈ {AIK, other string}if b = 0,m = AIK - RSA keyif b = 1 m = other string Hostby chosen are
,,,,,TPMby chosen are
,,,},,,,,
,,,,{
1021
1021
erewrweee
ffvv
erewrweee
ffvv
rrrrrr
rrrrrrrrrr
rrrrr =
msg, r, t, c, s, σ
page 3812/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
DAA signaturemsg = b||mb ∈ {0,1}m ∈ {AIK, other string}if b = 0,m = AIK - RSA keyif b = 1 m = other string Hostby chosen are
,,,,,TPMby chosen are
,,,},,,,,
,,,,{
1021
1021
erewrweee
ffvv
erewrweee
ffvv
rrrrrr
rrrrrrrrrr
rrrrr =
others computes Host
~ and
computes TPM)(mod~
)(mod''~),(mod'~
)(mod~}~,'~,~,~{
2110
10410
2110
10
2
22
2
1101
221
v
rrrr
rrv
rrrr
rrr
rrrrrr
v
N
SSRRN
nghgTT
nghgT
nhTSSRRT
NTTTt
vvff
ff
ereeewe
rew
ewevvff
Γ=
=
=
=
=
+
−
−
ζ
msg, r, t, c, s, σ
page 3912/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
DAA signaturemsg = b||mb ∈ {0,1}m ∈ {AIK, other string}if b = 0,m = AIK - RSA keyif b = 1 m = other string Hostby chosen are
,,,,,TPMby chosen are
,,,},,,,,
,,,,{
1021
1021
erewrweee
ffvv
erewrweee
ffvv
rrrrrr
rrrrrrrrrr
rrrrr =
others computes Host
~ and
computes TPM)(mod~
)(mod''~),(mod'~
)(mod~}~,'~,~,~{
2110
10410
2110
10
2
22
2
1101
221
v
rrrr
rrv
rrrr
rrr
rrrrrr
v
N
SSRRN
nghgTT
nghgT
nhTSSRRT
NTTTt
vvff
ff
ereeewe
rew
ewevvff
Γ=
=
=
=
=
+
−
−
ζ
c = {PKI||ζ||commitment||t||nv||nt||msg}
where nv and ntare nonce chosen by verifier & TPM respectively
msg, r, t, c, s, σ
page 4012/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
DAA signaturemsg = b||mb ∈ {0,1}m ∈ {AIK, other string}if b = 0,m = AIK - RSA keyif b = 1 m = other string Hostby chosen are
,,,,,TPMby chosen are
,,,},,,,,
,,,,{
1021
1021
erewrweee
ffvv
erewrweee
ffvv
rrrrrr
rrrrrrrrrr
rrrrr =
others computes Host
~ and
computes TPM)(mod~
)(mod''~),(mod'~
)(mod~}~,'~,~,~{
2110
10410
2110
10
2
22
2
1101
221
v
rrrr
rrv
rrrr
rrr
rrrrrr
v
N
SSRRN
nghgTT
nghgT
nhTSSRRT
NTTTt
vvff
ff
ereeewe
rew
ewevvff
Γ=
=
=
=
=
+
−
−
ζ
c = {PKI||ζ||commitment||t||nv||nt||msg}
where nv and ntare nonce chosen by verifier & TPM respectively cerrs
crrscewrs
crscersecrs
cvrscfrscfrs
erer
rr
ewew
www
eeee
ee
vv
ff
ff
+=+=
+=+=+=
−+=
+=+=
+=
2
367
1
0
)2(
11
00
msg, r, t, c, s, σ
page 4112/10/2005 Direct anonymous attestation – a signature scheme for TCG
sign
DAA signaturemsg = b||mb ∈ {0,1}m ∈ {AIK, other string}if b = 0,m = AIK - RSA keyif b = 1 m = other string Hostby chosen are
,,,,,TPMby chosen are
,,,},,,,,
,,,,{
1021
1021
erewrweee
ffvv
erewrweee
ffvv
rrrrrr
rrrrrrrrrr
rrrrr =
others computes Host
~ and
computes TPM)(mod~
)(mod''~),(mod'~
)(mod~}~,'~,~,~{
2110
10410
2110
10
2
22
2
1101
221
v
rrrr
rrv
rrrr
rrr
rrrrrr
v
N
SSRRN
nghgTT
nghgT
nhTSSRRT
NTTTt
vvff
ff
ereeewe
rew
ewevvff
Γ=
=
=
=
=
+
−
−
ζ
c = {PKI||ζ||commitment||t||nv||nt||msg}
where nv and ntare nonce chosen by verifier & TPM respectively cerrs
crrscewrs
crscersecrs
cvrscfrscfrs
erer
rr
ewew
www
eeee
ee
vv
ff
ff
+=+=
+=+=+=
−+=
+=+=
+=
2
367
1
0
)2(
11
00
),,,,,,,,,,,,,,(
),,,commitment,( :signature
10
21
erreww
eeeffv
tv
t
sssssssssncNTT
sncζζσ
==
msg, r, t, c, s, σ
page 4212/10/2005 Direct anonymous attestation – a signature scheme for TCG
verify
361345
/)1(
22121
2
)2(22
222
102
11
10
21
}1,0{}1,0{,
)(mod))||1((,)||||||||ˆ||'ˆ||ˆ||ˆ||||||||||(
-verify )(modˆ
)(mod)'('ˆ)(mod)'(ˆ
)(modˆ- compute
),,,,,,,,',,,(),,,,,,,,,,,,,,(,||
Issuer ofkey public and signature message,- input
10
10410
367
367
10367
10
∈∈
Γ=∈
≡
Γ=
=
=
=
Γ==
−ΓΓ
+−
+−
+−
−+−
eff
Rv
vtvvIhk
sscvv
ssscs
scssc
sssscsc
I
errewweeeffvtv
sss
bsnHNmbnnNTTTNTTPKHc
NN
nghgTT
nghgTT
nhSRRTZT
ZSRRhggnhkPKsssssssssncNTTmb
ff
ereeewe
rew
ewvffe
ρζγζ
ζ
ζ
ργζσ
page 4312/10/2005 Direct anonymous attestation – a signature scheme for TCG
restricted link for a verifier – named/random base in a DAA signature
secu
rity
sens
itivi
ty
low security&
high privacy
high security&
low privacy
priv
acy
sens
itivi
ty
page 4412/10/2005 Direct anonymous attestation – a signature scheme for TCG
restricted link for a verifier – named/random base in a DAA signature
named base
combined base
random base
secu
rity
sens
itivi
ty
low security&
high privacy
high security&
low privacy
priv
acy
sens
itivi
ty
page 4512/10/2005 Direct anonymous attestation – a signature scheme for TCG
restricted link for a verifier – named/random base in a DAA signature
named base
combined base
random base
secu
rity
sens
itivi
ty
low security&
high privacy
high security&
low privacy
priv
acy
sens
itivi
ty
a base: ζ∈R ⟨γ⟩ or ζ = (H(1||bsn))(Γ-1)/ρ (mod Γ)
named base – verifier can link two signatures from the same
TPM signed for the verifier
random base – no link
)(mod10410 2 Γ= +ff
vN ζ
page 4612/10/2005 Direct anonymous attestation – a signature scheme for TCG
revoking a certificate
• if f0 and f1 are known– put f0 and f1 on a certificate revocation list and check
the list in each verification process• if f0 and f1 are not known
– the name base solution can help a verifier to create his own certificate revocation list with
ζ = (H(1||bsn))(Γ-1)/ρ (mod Γ)
)(mod10410 2 Γ= + ff
vN ζ
page 4712/10/2005 Direct anonymous attestation – a signature scheme for TCG
security proof
• we prove the above DAA scheme is secure in the random oracle model under – the strong RSA assumption– the DDH assumption in QRn and– the DDH assumption in ⟨γ⟩
• By “the scheme is secure”, we mean– there exists no adversary that can adaptively run the join
protocol, ask for signature by other (i.e., honest) members, andthen output a signature containing a value Nv such that for all f0and f1 extracted from the adversary in the join protocol Nv does not match
)(mod10410 2 Γ= +ff
vN ζ
page 4812/10/2005 Direct anonymous attestation – a signature scheme for TCG
summary
DAA -§ is a signature scheme§ offers a zero knowledge proof of a key certificate§ provides a variety of balances between security and
privacy by choosing• random base – for privacy sensitive cases• named base – for non privacy-sensitive cases• combinations
§ has a security proof in the random oracle model based on:• the strong RSA assumption• the DDH assumption
page 4912/10/2005 Direct anonymous attestation – a signature scheme for TCG
future work
• more flexible privacy solutions• more flexible revocation solutions
page 5012/10/2005 Direct anonymous attestation – a signature scheme for TCG
further information
• TCG initiatives:http://www.trustedcomputing.org
• E. Brickell, J. Camenisch and L. Chen. Direct anonymous attestation. In Proc. 11th ACM Conference on Computer and Communications Security, pages 132-145, ACM press, 2004
• B. Balacheff, L. Chen, S. Pearson, D. Plaquin and G. Proudler, Trusted Computing Platforms: TCPA technology in context, Prentice Hall PTR, 2003
page 5112/10/2005 Direct anonymous attestation – a signature scheme for TCG
HP logo