Changing MBR or OS kernel will change PCR values data


…t four hardware counters
  – Increment rate: every 5 seconds for 7 years.
• Applications:
  – Provide time stamps on blobs.
  – Supports "music will play for 30 days" policy.

Dan Boneh

Trusted Computing: Using PCRs after boot

Using PCRs after boot

Application: encrypted (a.k.a. sealed) storage.

Setup step 1: TPM_TakeOwnership(OwnerPassword, …)
• Creates 2048-bit RSA Storage Root Key (SRK) on TPM
• Cannot run TPM_TakeOwnership again without OwnerPwd:
  – Ownership Enabled Flag ← False
• Done once by IT department or laptop owner.

(optional) Step 2: TPM_CreateWrapKey / TPM_LoadKey
• Create more RSA keys on TPM protected by SRK
• Each key identified by 32-bit keyhandle

Implementing Protected Storage

TPM_Seal: Encrypt data using RSA key on TPM.
(some) Arguments:
  – keyhandle: which TPM key to encrypt with
  – KeyAuth: Password for using key `keyhandle'
  – PcrValues: PCRs to embed in encrypted blob (named by PCR num.)
  – data block: at most 256 bytes [e.g. an AES key]
Returns encrypted blob.

Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal fails otherwise.

Protected Storage

Embedding PCR values in blob ensures that only specific apps can decrypt data.
  – Changing MBR or OS kernel will change PCR values ⇒ da...
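As an added illustration of the sealing flow on these slides (example code, not from the slides or any TPM library), the toy model below implements PCR extend, TPM_Seal with embedded PCR values, and the PCR check TPM_Unseal enforces. It assumes a password-derived symmetric key in place of the on-chip RSA SRK, omits the keyhandle/KeyAuth arguments, and uses constructed MBR and kernel images, an owner password, and PCR numbers 4 (MBR) and 8 (kernel) chosen for the demo.

```python
import hashlib

PCR_SIZE = 20         # TPM 1.2 PCRs hold a SHA-1 digest
ENTRY = 1 + PCR_SIZE  # the blob records (PCR number, PCR value) pairs
SECRET = hashlib.sha256(b"constructed AES key").digest()  # the 32-byte key TPM_Seal protects

class SimTPM:
    def __init__(self, owner_password):
        # TPM_TakeOwnership; a password-derived key stands in for the on-chip RSA SRK
        self._srk = hashlib.sha256(b"SRK:" + owner_password).digest()
        self.pcrs = [b"\x00" * PCR_SIZE] * 24  # all PCRs are zero at power-on

    def extend(self, idx, measurement):
        # TPM_Extend: PCR[idx] <- SHA-1(PCR[idx] || SHA-1(measurement)); extend-only, never set
        self.pcrs[idx] = hashlib.sha1(self.pcrs[idx] + hashlib.sha1(measurement).digest()).digest()

    def _keystream(self, header, n):
        # Stands in for RSA under the SRK-protected key; bound to the embedded PCR values
        return b"".join(hashlib.sha256(self._srk + header + bytes([i])).digest()
                        for i in range(n // 32 + 1))[:n]

    def seal(self, pcr_indices, data):
        if len(data) > 256:
            raise ValueError("TPM_Seal data block is at most 256 bytes")
        header = bytes([len(pcr_indices)]) + b"".join(bytes([i]) + self.pcrs[i] for i in pcr_indices)
        return header + bytes(p ^ k for p, k in zip(data, self._keystream(header, len(data))))

    def unseal(self, blob):
        # TPM_Unseal: fails (None) unless every PCR named in the blob still holds its sealed value
        for k in range(blob[0]):
            if self.pcrs[blob[1 + k * ENTRY]] != blob[2 + k * ENTRY:1 + (k + 1) * ENTRY]:
                return None
        header, ct = blob[:1 + blob[0] * ENTRY], blob[1 + blob[0] * ENTRY:]
        return bytes(c ^ k for c, k in zip(ct, self._keystream(header, len(ct))))

def measured_boot(tpm, mbr, kernel):
    tpm.pcrs = [b"\x00" * PCR_SIZE] * 24  # reboot resets the PCRs; the SRK persists
    tpm.extend(4, mbr)                    # PCR 4: MBR
    tpm.extend(8, kernel)                 # PCR 8: OS kernel

def demo():
    tpm = SimTPM(b"owner-password")                      # constructed owner password
    mbr, kernel = b"MBR bootloader v1", b"vmlinuz-good"  # constructed boot components
    measured_boot(tpm, mbr, kernel)
    blob = tpm.seal([4, 8], SECRET)
    measured_boot(tpm, mbr, kernel)                      # identical boot: unseals
    same = tpm.unseal(blob)
    measured_boot(tpm, mbr, b"vmlinuz-modified")         # kernel replaced: PCR 8 differs
    modified = tpm.unseal(blob)
    return same == SECRET, modified is None
```

Rebooting and replaying the same MBR and kernel reproduces the sealed PCR values and recovers the key; a different kernel image lands PCR 8 on another digest and the unseal is refused.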

This note was uploaded on 12/27/2013 for the course CS 159 taught by Professor Peterschmidt during the Fall '13 term at Stanford.