Waltzing the Bear, or: A Trusted Virtual Security Module

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7868)

Abstract

Cryptographic key material needs to be protected. Currently, this is achieved either by purely software-based solutions or by more expensive dedicated hardware security modules. We present a practical architecture that projects the security provided by the Trusted Platform Module and Intel Trusted eXecution Technology onto a virtual security module.

Our approach uses commodity personal computer hardware to offer integrity protection and strong isolation to a security module which implements a compact security API that has been fully verified. Performance results suggest that our approach offers an attractive balance between speed, security and cost.
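The abstract rests on two TPM mechanisms: a measured launch that extends each loaded component into a platform configuration register (PCR), and sealing, which ties key material to a specific PCR value so that it is only recoverable when the same software stack is running. The following simulation is an added illustration and is not the paper's code or design; it models those two mechanisms in plain Python. The storage root key, the hypervisor and security-module images, and the HMAC-based keystream cipher are constructed stand-ins for the TPM's internal key hierarchy and cryptography, and the 32-byte SHA-256 PCRs stand in for the TPM 1.2 SHA-1 registers the paper's era used.

```python
"""Simulation of TPM-style PCR measurement and sealing.

Constructed example, not code from the paper. The SRK, component images
and the HMAC keystream are stand-ins; a real TPM keeps the SRK inside the
chip and seals with its own RSA/symmetric primitives.
"""
import hashlib
import hmac
import os

# Constructed storage root key (in a real TPM this never leaves the chip).
SRK = hashlib.sha256(b"constructed storage root key").digest()
# Constructed images of the two measured components.
HYPERVISOR = b"hypervisor image v1 (constructed)"
MODULE = b"security module image v1 (constructed)"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM extend: PCR' = H(PCR || H(measurement)). Order-dependent and
    # one-way, so a register value summarises the whole launch sequence.
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_launch(components) -> bytes:
    # A dynamic launch (as with Intel TXT) starts its PCRs from a known reset
    # value and extends every component before handing it control.
    pcr = bytes(32)
    for image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC counter-mode keystream; an illustrative stand-in for a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(srk: bytes, pcr: bytes, secret: bytes) -> dict:
    # The wrapping key is derived from the SRK and the PCR value at seal
    # time, so the blob is cryptographically bound to that platform state.
    kek = hmac.new(srk, b"seal" + pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(srk: bytes, current_pcr: bytes, blob: dict) -> bytes:
    # Policy check: the platform must be in the state recorded at seal time.
    if not hmac.compare_digest(current_pcr, blob["pcr"]):
        raise PermissionError("platform state differs from sealing state")
    # Re-derive the key from the *current* PCR; rewriting blob["pcr"] to match a
    # tampered launch therefore yields the wrong key and fails the tag check.
    kek = hmac.new(srk, b"seal" + current_pcr, hashlib.sha256).digest()
    tag = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise PermissionError("blob integrity check failed")
    ks = _keystream(kek, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def demo():
    # Seal under the trusted stack, unseal under the same stack, then show
    # that a modified security module (different PCR) cannot recover the key.
    trusted = measured_launch([HYPERVISOR, MODULE])
    blob = seal(SRK, trusted, b"key material that must stay inside the module")
    recovered = unseal(SRK, measured_launch([HYPERVISOR, MODULE]), blob)
    tampered = measured_launch([HYPERVISOR, MODULE + b" backdoor"])
    try:
        unseal(SRK, tampered, blob)
        rejected = False
    except PermissionError:
        rejected = True
    return recovered, rejected


def forged_blob_rejected() -> bool:
    # Attacker who can edit the blob rewrites its expected PCR to the
    # tampered value; the key derivation still uses the real PCR, so it fails.
    trusted = measured_launch([HYPERVISOR, MODULE])
    blob = seal(SRK, trusted, b"secret")
    tampered = measured_launch([HYPERVISOR, MODULE + b" backdoor"])
    forged = dict(blob, pcr=tampered)
    try:
        unseal(SRK, tampered, forged)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(demo(), forged_blob_rejected())
```

The point the simulation makes is the one the abstract relies on: once key material is sealed to the measured state of the hypervisor plus security module, any change to either component changes the PCR and the TPM refuses to release the keys, which is how a software module on commodity hardware inherits TPM-grade integrity protection. Isolation of the running module from the rest of the system is a separate property that TXT and the hypervisor provide and that this snippet does not model.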

Keywords

  • Trusted Computing
  • Hardware Security Module
  • Key Store
  • API Verification



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Toegl, R., Reimair, F., Pirker, M. (2013). Waltzing the Bear, or: A Trusted Virtual Security Module. In: De Capitani di Vimercati, S., Mitchell, C. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2012. Lecture Notes in Computer Science, vol 7868. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40012-4_10

  • DOI: https://doi.org/10.1007/978-3-642-40012-4_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40011-7

  • Online ISBN: 978-3-642-40012-4

  • eBook Packages: Computer Science (R0)