Dan boneh security kauer 2007 a3ack 1 reset tpm aher

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: ta cannot be decrypted Dan Boneh Sealed storage: applications Lock soHware on machine: •  Suppose OS and apps are sealed with MBRs PCR value •  Any changes to MBR will prevent sealed OS from loading •  Prevents modifying or inspec2ng OS (or loading other OS) Web server: seal server’s SSL private key •  Goal: only unmodified Apache can access SSL key •  Problem: updates to Apache or Apache config Dan Boneh Example: BitLocker drive encryption tpm.msc: utility to manage TPM (e.g TakeOwnership) •  Auto generates 160-bit OwnerPassword •  Stored on TPM and in file computer_name.tpm Volume Master Key (VMK) encrypts disk volume key •  VMK is sealed (encrypted) under TPM SRK using –  BIOS, extensions, and optional ROM (PCR 0 and 2) –  Master boot record (MBR) (PCR 4) –  NTFS Boot Sector and block (PCR 8 and 9) –  NTFS Boot Manager (PCR 10), and –  BitLocker Access Control (PCR 11) Dan Boneh BitLocker Many op2ons for VMK recovery: disk, USB, paper (enc. with pwd) •  Recovery needed aHer legi2mate system change: –  Moving disk to a new computer –  Replacing system board containing TPM –  Clearing TPM (with TPM_ForceClear) At system boot (before OS boot) •  Op2onal: OS loader requests PIN or USB key from user •  TPM unseals VMK, only if PCR and PIN are correct Dan Bone...
View Full Document

Ask a homework question - tutors are online