Direct anonymous attestation
Encyclopedia
The Direct Anonymous Attestation (DAA) is a cryptographic protocol which enables the remote authentication of a trusted platform whilst preserving the user's privacy. The protocol has been adopted by the Trusted Computing Group
(TCG) in the latest version of its Trusted Platform Module
(TPM) specification as a result of privacy concerns (see also Loss of Internet anonymity).
) and a single key pair. Manufacturers would embed the private key into every TPM produced and the public key would be published as a certificate. Signatures produced by the TPM must have originated from the private key, by the nature of the technology, and since all TPMs use the same private key they are indistinguishable ensuring the user's privacy. This rather naive solution relies upon the assumption that there exists a global secret. One only needs to look at the precedent of Content Scramble System
(CSS), an encryption system for DVD
s, to see that this assumption is fundamentally flawed. Furthermore this approach fails to realize a secondary goal: the ability to detect rogue TPMs. A rogue TPM is a TPM that has been compromised and had its secrets extracted.
The solution first adopted by the TCG (TPM specification v1.1) required a trusted third-party, namely a privacy certificate agency (privacy CA). Each TPM has an embedded RSA key pair called an Endorsement Key (EK) which the privacy CA is assumed to know. In order to attest the TPM generates a second RSA key pair called an Attestation Identity Key (AIK). It sends AIK, signed by EK, to the privacy CA who checks its validity and issues a certificate for the AIK. The host/TPM is now able to authenticate itself with respect to the certificate. This approach permits two possibilities to detecting rogue TPMs: firstly the privacy CA should maintain a list of TPMs identified by their EK known to be rogue and reject requests from them, secondly if a privacy CA receives too many requests from a particular TPM it may reject them and blacklist the TPMs EK. The number of permitted requests should be subject to a risk management exercise. This solution is problematic since the privacy CA must take part in every transaction and thus must provide high availability whilst remaining secure. Furthermore privacy requirements may be violated if the privacy CA and verifier collude. Although the latter issue can probably be resolved using blind signatures, the first remains.
the verifier can verify the credential without attempting to violate the platform's privacy. The protocol also supports a blacklisting capability so that verifiers can identify attestations from TPMs that have been compromised.
Trusted Computing Group
The Trusted Computing Group , successor to the Trusted Computing Platform Alliance , is an initiative started by AMD, Hewlett-Packard, IBM, Intel, and Microsoft to implement Trusted Computing...
(TCG) in the latest version of its Trusted Platform Module
Trusted Platform Module
In computing, Trusted Platform Module is both the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information, as well as the general name of implementations of that specification, often called the "TPM chip" or "TPM Security...
(TPM) specification as a result of privacy concerns (see also Loss of Internet anonymity).
Historical perspective
In principle the privacy issue could be resolved using any standard signature scheme (or public key encryptionPublic-key cryptography
Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private...
) and a single key pair. Manufacturers would embed the private key into every TPM produced and the public key would be published as a certificate. Signatures produced by the TPM must have originated from the private key, by the nature of the technology, and since all TPMs use the same private key they are indistinguishable ensuring the user's privacy. This rather naive solution relies upon the assumption that there exists a global secret. One only needs to look at the precedent of Content Scramble System
Content Scramble System
Content Scramble System is a Digital Rights Management and encryption system employed on almost all commercially produced DVD-Video discs. CSS utilizes a proprietary 40-bit stream cipher algorithm...
(CSS), an encryption system for DVD
DVD
A DVD is an optical disc storage media format, invented and developed by Philips, Sony, Toshiba, and Panasonic in 1995. DVDs offer higher storage capacity than Compact Discs while having the same dimensions....
s, to see that this assumption is fundamentally flawed. Furthermore this approach fails to realize a secondary goal: the ability to detect rogue TPMs. A rogue TPM is a TPM that has been compromised and had its secrets extracted.
The solution first adopted by the TCG (TPM specification v1.1) required a trusted third-party, namely a privacy certificate agency (privacy CA). Each TPM has an embedded RSA key pair called an Endorsement Key (EK) which the privacy CA is assumed to know. In order to attest the TPM generates a second RSA key pair called an Attestation Identity Key (AIK). It sends AIK, signed by EK, to the privacy CA who checks its validity and issues a certificate for the AIK. The host/TPM is now able to authenticate itself with respect to the certificate. This approach permits two possibilities to detecting rogue TPMs: firstly the privacy CA should maintain a list of TPMs identified by their EK known to be rogue and reject requests from them, secondly if a privacy CA receives too many requests from a particular TPM it may reject them and blacklist the TPMs EK. The number of permitted requests should be subject to a risk management exercise. This solution is problematic since the privacy CA must take part in every transaction and thus must provide high availability whilst remaining secure. Furthermore privacy requirements may be violated if the privacy CA and verifier collude. Although the latter issue can probably be resolved using blind signatures, the first remains.
Overview
The DAA protocol is based on three entities and two different steps. The entities are the TPM platform, the DAA Issuer and the DAA verifier. The issuer is charged to verify the TPM platform during the Join step and to issue DAA credential to the platform. The platform uses the DAA credential with the verifier during the Sign step. Through a zero-knowledge proofZero-knowledge proof
In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a statement is true, without revealing anything other than the veracity of the statement....
the verifier can verify the credential without attempting to violate the platform's privacy. The protocol also supports a blacklisting capability so that verifiers can identify attestations from TPMs that have been compromised.
Privacy properties
The protocol allows differing degrees of privacy. Interactions are always anonymous, but the user/verifier may negotiate as to whether the verifier is able to link transactions. This would allow user profiling and/or the rejection of requests originating from a host which has made too many requests.See also
- Cryptographic protocolCryptographic protocolA security protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods.A protocol describes how the algorithms should be used...
- Digital credentialDigital credentialDigital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a Driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is...
- Trusted platform moduleTrusted Platform ModuleIn computing, Trusted Platform Module is both the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information, as well as the general name of implementations of that specification, often called the "TPM chip" or "TPM Security...
- Privacy enhancing technologiesPrivacy enhancing technologiesPrivacy enhancing technologies is a general term for a set of computer tools, applications and mechanisms which - when integrated in online services or applications, or when used in conjunction with such services or applications - allow online users to protect the privacy of their personally...
External links
- E. Brickell, J. Camenisch, and L. Chen: Direct anonymous attestation. In Proceedings of 11th ACM Conference on Computer and Communications Security, ACM Press, 2004. (PDF)
- E. Brickell, J. Camenisch, and L. Chen: Direct anonymous attestation . (http://eprint.iacr.org/2004/205.pdf)
- Interdomain User Authentication and Privacy by Andreas Pashalidis - section 6 provides a useful introduction to DAA
- IBM idemix (identity mixer) an 'anonymous credential system' under development by IBM
- Heiko Stamer - Implementing Direct Anonymous Attestation for the TPM Emulator Project