TPM is not secure enough without PIN or additional authentication mechanisms
Recently, I was involved in security testing of the device where TPM was used to store hard drive encryption key and authorize the platform before the key is unsealed from TPM to allow the OS loader or OS itself to decrypt hard drives.
As the device was a stand alone device without possibility of using of another authorization methods (such as PIN, password or another key stored i.e. on USB key or a smart card) I have identified a possible attack vector how to disclose the encryption key and decrypt the data stored on the protected partitions of the hard drive.
The idea was based on the fact the he TPM chip is usually connected to standardized and well documented LPC bus on the motherboard. On this bus the communication is not encrypted so it is possible to capture the traffic using a low-cost digital analyzer device and decode the LPC / TPM ACPI protocols later using the simple Java program.
It took about two days (including preparations and simple LPC/TPM ACPI decoder development) to disclose the key used for hard drive encryption and decrypt the data on the hard drive.
Conclusion:
If possible, never use the TPM without additional layer of security, such as PIN or another key. In this case it will not be possible to decrypt your data on stolen devices.
However, the risk still exists as if potential attacker with physical access to the device will be able to install a sniffing box small enough to fit the device cover. This device can be based on i.e. programmable gate array chips or single chip CPUs. In this case it is possible the attacker will capture complete set of information including the key access authorization data such as PIN, password or signed token but also all PCR value updates once the BIOS or OS will send / request this kind of information from the TPM.
Only the one possible protection is to use devices using the TPM technology but only in case the TPM is built in the chip which is performing the decryption, such as CPU. Another option is the TPM chip including the complete bus wiring is protected with some kind of the secure cover (similar to HSM) where it is ensured the key is destroyed when a physical break into a cover is detected.
This is nice show case why the key should never leave the device used for the encryption or decryption.
As the device was a stand alone device without possibility of using of another authorization methods (such as PIN, password or another key stored i.e. on USB key or a smart card) I have identified a possible attack vector how to disclose the encryption key and decrypt the data stored on the protected partitions of the hard drive.
The idea was based on the fact the he TPM chip is usually connected to standardized and well documented LPC bus on the motherboard. On this bus the communication is not encrypted so it is possible to capture the traffic using a low-cost digital analyzer device and decode the LPC / TPM ACPI protocols later using the simple Java program.
It took about two days (including preparations and simple LPC/TPM ACPI decoder development) to disclose the key used for hard drive encryption and decrypt the data on the hard drive.
Conclusion:
If possible, never use the TPM without additional layer of security, such as PIN or another key. In this case it will not be possible to decrypt your data on stolen devices.
However, the risk still exists as if potential attacker with physical access to the device will be able to install a sniffing box small enough to fit the device cover. This device can be based on i.e. programmable gate array chips or single chip CPUs. In this case it is possible the attacker will capture complete set of information including the key access authorization data such as PIN, password or signed token but also all PCR value updates once the BIOS or OS will send / request this kind of information from the TPM.
Only the one possible protection is to use devices using the TPM technology but only in case the TPM is built in the chip which is performing the decryption, such as CPU. Another option is the TPM chip including the complete bus wiring is protected with some kind of the secure cover (similar to HSM) where it is ensured the key is destroyed when a physical break into a cover is detected.
This is nice show case why the key should never leave the device used for the encryption or decryption.
Komentáře
Okomentovat