Sign Nevada Terms of Use Agreement Secure

Document type sign terms of use agreement nevada secure

okay is the microts working so what I mean by rich authorization is authorizations that go way beyond simple things like like passwords and H Max or even asymmetric a digital signatures what I mean by a resource-constrained device is specifically very small amounts of memory talking about hundreds of bytes not kilobytes and certainly not megabytes the implementation of this some of you people know about TPM policies and TPM 2.0 that's an implementation of it if you're interested in that great even if you're not interested in TPM 2.0 I hope that this will trigger some thinking about what you can do as far as authorizations using very small amounts of memory a typical example of what you would authorize is a key like a public key or a symmetric use of a symmetric key but it goes way beyond that as well into clocks memory and non-volatile memory administrative commands and I'll try to give a lot of examples of it I'm gonna start with a few slides on the the mechanism how how it works underneath but then I want to go pretty quickly into use cases so this is an example of an immediate assertion where the entity over on the Left has a single policy digest represented by policy C in order to satisfy the policy you start a session the session has again a single session digest it starts at zero and then you send in a bunch of policy commands and here I show three commands if the commands verify correctly then the session digest gets extended in the in the TPM sense where you take the old digest you append some data to it you hash that and you get a new digest so these digests accumulate as the commands come in and it goes from A to B to C once you get to see you're ready to actually run the command that you've authorized at that time it's a simple mem compare of the digest that's in the policy of the entity to the digest that's in the session and in this case they match they're both C and the the authorization succeeds these are called immediate assertions because the validation is done when the policy command is sent in so there are these three commands and they're checked at the time the command is sent in not at the time you're running the actually not at the time that you're using the the key or the entity there's another concept called deferred authorizations here where you send in a policy command and it just updates the session State something could be checked at this time but typically it's deferred and then at runtime when you send in the command and the command parameters it's checked against the session state and so the validation is done at the time that you're using the entity and I will give examples of all of these so if I go back one slide if you think about the way a hash works this becomes an and function where you need all three of these commands to succeed if one of them fails and there's no way to get from a digest of zero to a digest of C so it becomes an and and you can accumulate in this case I show three but an unknown number of of commands and the there is still one single digest in the session so memory doesn't grow no matter how many policy commands you send in and then the obvious question would be well can I do an or and the answer of course is yes the way that in or works is the entity has a policy digest widget which is a hash of all the and policies so if you look over on the left there's an and policy C which was the one from the previous slide and then there's other and policies de and F they get hashed together to policy in the way that this is satisfied is you start a session you have a session digest starts at zero as before it progresses from A to B to C and at that time you send in this polish this special command called policy or with a list of digests and the list here is C D E and F the device will look for a match against one of them if one of them matches then we know everything is okay we replace the session digests C with a session digest end the hash of the list they match and everything is good you're good to go you're authorized so a summary there it there are immediate assertions which are done at the time that you send in the policy command deferred assertions are done at the time that you're actually trying to use the authorization there are an terms and there are or terms and I should say that you're not limited to a bunch of ands and then a single or you can do a series of war terms you can do a series of or terms and then more an terms to any complexity that you like and the key is that through all of this there's just one digest just as a level set the most complicated policies that I've seen have typically about three or four and terms and three or terms I haven't seen anything more complex than that but there's nothing in the design that limits this at all let's see okay each entity has one has a policy that is one fixed size digest something else that's very nice is that if we add more authentication types in the future if we add more policy commands the structure of the key doesn't change and the structure of the session doesn't change so everything is backward compatible you can add more features without changing any of the existing structures the session just has one fixed size state plus any deferred authorizations something else that might not be obvious is that the policy calculation the policy contains no secrets it might have public keys but it doesn't have private keys it doesn't have passwords or anything like that what this means is that you can pre calculate the policies offline and you might have an even in an entity you might have each platform has its own signing key each of the signing keys will be unique but if the business logic is the same they'll have they'll all have the same policy hash the the value of the policy will be the same okay some use cases the most easy to understand perhaps is policy command code this is an authorization that's linked to a particular command its deferred in that the policy command just says in the future you need to check that a certain command code is running some use cases of this so in the TCG world there's this thing called a quote which signed attestation but you can think of other signings or other commands so you can take a key and you can say I'm going to restrict this key to only certain types of signing only a quote you can take a symmetric key and you see you can say the policy for this command I can only use it to encrypt I can't use it to decrypt another very common use is for memory if you want to have certain policies for writing which you might be more restrictive and other policies for reading which are more liberal you would use this policy command code and you would have one or term for writes another or term for reads delegation so you might have some very highly privileged administrative tasks and you can say okay we will have an or term here for example for a firmware update and you'll say well okay here's the policy for firmware update and it might be more or less relaxed or certainly different than another administrative command like like rebooting or something like that so that's what you would use command code for authorization value and password are also fairly straightforward this is saying in order to authorize this you need a password or or an H Mac of the parameters a very common thing would be to combine that with policy command code which would say say to do our memory right you need a password to do a memory read you don't need a password so you would have those two are terms that's a very common use case okay now a more a more complicated one and I'm gonna put my glasses on for this one nope so this is this is an authorization tied to a digital signature it has parameters such as a nonce which would say I'm gonna sign this authorization but it can only be used once you can lock it to the command parameters so you could say I'm only going to I can I'm authorizing this but only for certain parameters policy reference I'll get to a second in a second and an expiration so you can say okay i'm i'm signing I'm authorizing you to use this key but only for the next half an hour or only for the weekend when I come back on Monday you lose your authorization use-cases authorization using a smart card so you can have a smart card or other HSM signing an authorization to do something you might have say your your device here is being used as a CA to sign some software but you don't want to allow anyone to use that CA so you can authorize the CA itself with a smart card something like that biometric if your biometric and do digital signatures you can authorize say with a fingerprint reader and this is where the policy reference comes along because you don't want to say anybody's fingerprint who matches works works you might want to say only Alice's fingerprint or only Bob's fingerprint so that's this policy reference and of course because you can have four terms you can say well Alice's authorized with just her fingerprint Bob needs a fingerprint and a password something like that authorization from a help desk or customer support so supposing a help desk want to do something on your system so they can or give you privilege to do something honest on your system they can give you a digital signature over at their IT support department to permit you to do something delegating your key during your absence so you might be able to use your key with password but you might give a signed authorization to someone to someone else to use it with their password just while you're at lunch firmware update is a typical example of how you would sign certain command parameters so supposing of a platform and you say I want to permit a firmware update but only this particular firmware update so then you would you would sign that I say a hash of that firmware update policy secret is a level of indirection this says you're not using the password tied to this entity you're using a password that's contained in some other entity a typical use case of this you would put the password as the password of an NV index and you would tell all of your keys don't don't use the key don't use the password associated with this key use the password that's in this NV index it permits you to have one password controlling a bunch of keys it also allows you to change the password for all these keys by changing one location and then you can also have have multiple users so you can say ok I need this password plus this other password a command parameter hash hopefully will seem totally useless to all of you this is a policy that says you can only use certain parameters so you can say I have a policy that for this key that can only sign a particular hash or I can only write a 42 to that NV index it seems totally useless I'm telling you that because obviously in a few slides you'll see that it's not useless policy PCR is perhaps the only one that is TPM specific this is what was in in 1.2 they called sealing - PC arse and the idea is that you can only use this key or this entity or whatever if the PCRs are in a certain value if there is a if the software is in a certain state and you can put a selection of PCRs you can say pcr 0 1 2 & 7 and you specify what digest is allowed policy and V so in policy secret the this the value was the password for the env index here the value was the data in an NV index and you can do compares you can do greater than less than equal to not equal bitwise operations typical use cases for this you can do key replications so you can have an NV index that's monotonically increasing and you can say I'm authorizing this set of keys until a certain value is exceeded and that that revokes the key for everyone because we have bitwise operations you can create a monotonic bitmap index and if you have 64 bits you can do individual revocation for each of 64 people entities whatever you can create an NV index that looks like a PCR in that it can extend and this gives you a PCR that perhaps has a different hash algorithm than your default or perhaps it has it requires its own authorisation you can put a password in env index and say you know is the password equal to this and then you can do an terms so you can have a range so you can say the count is greater than 3 and less than 15 so you can do ranges as well env written this this one is kind of subtle I think you can have a policy for the first right before an index is written and then you can have another policy for subsequent right and you would do that in our terms a typical use of this is that if you have some certain privileged application that's going to do the first right when you re later you can be assured that that privileged user initialized the index it prevents what we call a redefine attack where if you have an index that you that you trust someone could try to attack it by deleting the index and recreating the same index with a new with their own password instead of the password that should be there well that fails in this case because yes they can do the delete they can create the new index with their own password but they can't do that first right because they don't have the privilege to do that first right and because they can't do the first right they can't do subsequent rights counter timer if you have a system that has a clock a clock in this terminology is something that's power that's time powered time running when power is on let me try that again a clock that runs when power is on so it's wall time or time in this sense is time since a reboot and you can have policies that are linked to those two times or reboot count typical use cases if you have a service technician doing something on the system you might want to give them privilege but you want to make sure that when they walk out the door they don't still have that privilege so if you lock the the entity to a reboot count then they walk out you reboot the system and whatever authorizations that you gave them are gone you can authorize until a particular date and time so you can say this is authorized until Sunday because you have or terms you can say daytime only from 8:00 in the morning to 5:00 in the afternoon or you could say only on weekdays none on the weekends etc so some of the issues some of the above use cases require the policies to be created at runtime but you can't do that an entity once you create an entity with a password that's it there's no change the policy there's no change the policy command and the reason for that is you might want to certify a key including its policy and after you certify you don't want that policy to change and then we have these totally useless policies like writing specific data to an index signing a digest for the people in the TPM world there was this issue of what we called PCR brittleness where you seal something to PCRs Paul talked about this yesterday you seal something to PCRs and then your your pre OS firmware changes and all of a sudden the the unsealed breaks in the 1.2 world the way this was worked around was you had to read the secret all the way up at the application level and then you had to reseal it to new PC ours and then you have the problem of well what are the trusted PCR values is it is it just what I happened to be running - I trust whatever's running on my system now wasn't very nice but as in all software we solve it by a level of indirection and the command is called policy authorize in words it says the policy has a public key and the entity is authorized by whatever the authorizing private key says is valid so the authorizing key signs of policy and whatever the authorizing entity signs that's the correct policy in a flowchart it works like this so an entity has a policies I just just like before a single hash in this case the is the hash of the authorizing entities public key so it's represented here by P now in use the authorizing entity who has the private key calculates a session digest that they trust they sign that session digest with their private key and they send it over to the user now what the user does is as before they run their policy commands and they get the session digest s at that point they apply the policy authorized if so the the device now has the public key it has the signature and internally in the session it has the the digest so we c n do a signature verification if everything matches it replaces the session digest with this value P P P and you're good to go and of course good to go means maybe you're ready to authorize or you can have more in terms after that so how does how does it solve some of these weird things so writing fixed data to an env index doesn't work very well but I know of a use case where a platform and and this is I guess very common in big systems a platform is shipped with huge amounts of memory and lots of CPUs and then the user can buy for a certain amount of time use of five CPUs and then if there's a crunch where they need to use more CPUs they can purchase more CPUs so the way that would work here is the authorizer is whoever you're purchasing this the CPUs usage usage from they go you pay them they sign an authorization to update the NV index which holds your how many CPUs you can use they sign an authorization to update that index that says yes I can now use 12 CPUs for the next week and then you you run all your policy commands you apply that authorization and then you can write the index signing a specific digest isn't that useful but in this case you can go off to the authorizing entity and you can say I want to sign a particular digest the authorizing entity would say ok and send the authorization back to you I think this of this is kind of counter signing like if you go and get a bank check the teller might sign the bank check and then they need to go off and get the bank manager's signature if it's over a certain amount or maybe if it's not over a certain amount well this would be the same thing maybe you're a software development group and you have you have some new firmware and you want to sign that firmware hash but in order to sign the firmware hash you need authorization from management or authorization from your quality control group so it's kind of a counter counter signing you need one signer to approve the other signer and then in PCRs this is a way to solve the PCR brittleness problem what happens here is say you're a platform vendor or or a firmware vendor you have firmware that you know is is good you sign an authorization that says this is good firmware and you distribute it out to out to all the users of your platform and now when they want unseal they're not unsealing to specific PCRs that are set in the policy they're unsealing to whatever the platform manufacturer says our goods PCRs or whatever your IT department says their good pc ours so it solves the PCR brittleness problem without having to go through this unseal and reseal it also says you can do better than saying what is authorizes whatever I happened to have in my platform now what's authorized is what the software vendor says is authorized or what your IT department says is authorized one more level of indirection okay so so going back up so the problem with policy authorized is that it's linked to a public key and then at some point people came along and said well what happens if I want to change that public key what happens if the authorizer lost their private key or it expired or you're just switching to a different authorizer and you can never change a policy so later on in the design this was not in the original design but once people discovered this use case we added a new policy command and this shows an example of how you can add new policy commands and it's all backward compatible so nothing no existing software broke but if you have a device that implements this new command which is called policy authorized env then you can do additional things and what this says is that the policy is not well the policy knee in the index is not the policy the policy in the key or the policy entity is not the final policy the policy is whatever is in this envy index so it's a pointer to their actual policy in the envy index the trivially trivial use case is when you want to change a policy the very important use case is you can revoke a policy authorize public key by writing a different policy into this envy index or you of course have the issue of well what's the policy to write this in the index but that could be that could be a higher level policy so that's two use cases for policy authorized envy and to summary all this in a one dollar part which i think is pretty impressive there's only one digest per entity so for example for sha-256 it's just 32 bytes and I gave you some examples of some business processes but you can go on and on as complex as you like and it's still only 32 bytes the session is opaque you don't see the int the innards of the session context from outside so if we want to add more policy commands that again is backward compatible assuming that you already have crypto in your system hashing H Mac asymmetric and symmetric key operations then it slow software overhead if you look at the TPM source code and it's all open source yeah there's a lot of crypto that's shared by other things but the the softer to do one of these policy commands is actually very small what I mean by proving usefulness is we keep coming up with more and more use cases and you know I get email from people asking me how to do use cases and except for that one level of indirection which we which we added later everything that we've wanted to do we've been able to do and that's that's a testament to the to the people who originally designed this it was not me but the fact that it's been this flexible over this many years is I think very impressive and lastly it's not as hard as I thought the I don't know what you're thinking now but the first time I saw this I thought this is really complicated nobody's going to be able to get this or it's gonna take a long time for people to get it or the thing I have to read the documentation for ever and what I'm finding through mailing lists is that people are people are really getting it people who I never heard of a lot of them seem to be graduate students or even undergraduates at university so we're starting to play with TPMS they're coming to me with policies and they understand it and you know that I really feel good about that so that's the talk ready for questions anyone someone who's not hungry so you asked two questions when you had one last time does the policy authorize have rollback protection because it's only the key that's designed ah so it can if you want to or it doesn't have to so there were those nonces on some of the previous slides I showed that there is a nonce so you can you can do a signature that says it's only good for this one session oh I should say that also a session once it's authorized can only be used once if you if you want to do something again you have to start over at zero and satisfy it again if there are no nonces you can replay if there are nonsense involved when you reset the session there's a new nonce and I think that's what you mean by anti rollback or it's not no which is which example in the example that you described where vendor pre calculating the PC R's in case of firmware update and signing those PC are expected PC are values with the vendors private key I understand okay in that example so how do you does that have an element of basically versioning and to give the rollback protection okay so there is not I'll give you to it okay you you will we allow you to questions you have to allow me to answers so so the first answer is by itself there's no anti rollback but you can do things with say counters so you can say the policy says the policy that I'm authorizes sayings it says that the counter has to be less than three and greater than three so you so you start less than three you run the the policy command and then you increment to greater than 3 and it's satisfied but you can't use it again because once it's greater than three you can't get to less than three again so by itself there's no anti rollback but in combination like I said there's so much here that you can find a way to do things and that's the way you would do it so that's one answer the other answer is and when I first went to operating divisions and talked about this they just get in a cold sweat when they hear about no rollback because in a lot of places in the real world if you do some kind of firmware update and it doesn't work the people that are looking over your shoulder the first thing they're gonna say is I don't want you to debug it put it back the way it was get me back up and running and then go back home and figure out what went wrong ok so that's the two answers is yes you can do it in combination with these monotonic counters and there's probably other ways to do it as well whether you want to do it well you have talked to the people that are you know maintaining your systems you might not want them to or they might not want you to more questions so how do you create these policies I mean is there some tools or oh great question will you allow me three answers so so one if I can go way back here so when you start this session it starts off at zero and then as you send in these policy commands it updates there's a feature in the TPM that's called a trial policy and what the trial policy says is two things first all of these policy commands that comes in or not are not validated they're just trusted to be good so no signatures are check no pastors are check nothing but you can't use that policy that session at the end for authorization so you can actually use the TPM to calculate the policies and I've seen that I also have some very primitive tools where you're just cut and pasting hex ASCII they're not very good but people are actually using them I'm shocked that people are actually using them now in the TCG they have this vision of using JSON I was originally XML and I think it's JSON where you specify the policies in Jason there's somewhat human readable and then you have a tool to take that JSON and turn them into a hash it will be nice if there are tools to generate the JSON if you have to generate the JSON by hand I'm not sure that it's any better or much better than the really primitive tools that I open-source but if there are eventually GUI tools to generate that JSON that will be terrific the other thing about that JSON for better and it may or may not be useful we'll have to see is that you can imagine once you have the policy expressed in JSON it's not only good for calculating the policies but it's good at runtime where your software say suppose you have three policy or terms well your software can present to the user and say which of these three do you want me the software to satisfy and the user can say well I pick a policy B and it can run through that so that might be a very useful use of JSON what I've seen so far in these or terms is that the business logic for the software already knows what it's trying to do it doesn't have to come back to the user and say that but that doesn't mean that it won't be useful in the future if we there might be use cases where the business logic has a bunch of choices that it can do and remember you can have ores of wars of ores and in that case the JSON might turn out to be very useful so did that kind of answer your question three times yeah okay and you know by the way I don't know how we're doing on time but I'm here all day today and tomorrow it's we write on much time so oh okay no questions okay thanks Kim thank you [Applause]