Last week I made a presentation to the GlobalPlatform TEE Conference, co-authored with Karen Lewison, on how to provide virtual tamper resistance for derived credentials and other data stored in a Trusted Execution Environment (TEE). I’ve put the slides online as an animated PowerPoint presentation with speaker notes.
An earlier post, also available on the conference blog, summarized the presentation. In this post I want to go over a technique for implementing virtual tamper resistance that we have not discussed before. The technique is illustrated with animation in slides 9 and 10. The speaker notes explain the animation steps.
Virtual tamper resistance is achieved by storing data in a device, encrypted under a data protection key that is entrusted to a key storage service and retrieved from the service after the device authenticates to the service using a device authentication credential, which is regenerated from a protocredential and a PIN. (Some other secret or combination of secrets not stored in the device can be used instead of a PIN, including biometric samples or outputs of physical unclonable functions.) The data protection key is called “credential encryption key” in the presentation, which focuses on the protection of derived credentials. The gist of the technique is that all PINs produce well-formed device authentication credentials, so that an adversary who physically captures the mobile device cannot mount an offline guessing attack that would easily crack the PIN, because there is no way to test guesses of the PIN offline. To test a PIN, the adversary must combine it with the protocredential to produce a credential, and test the credential by trying to authenticate online against the key storage service, which limits the number of attempts.
The device authentication credential consists of a key pair pertaining to a digital signature cryptosystem, plus a record ID that uniquely identifies a device record where the key storage service keeps the data protection key. The device record is created when the device registers with the key storage service. It also contains the public key component of the key pair, and a counter of consecutive authentication failures. Methods for regenerating a credential comprising a DSA, ECDSA or RSA key pair can be found in our paper on mobile authentication, and in our more recent paper providing an example of a derived credentials architecture.
In those papers we proposed retrieving the data protection key over a secure channel between the device and the key storage service, such as a TLS connection. But a TEE may not be equipped with TLS client software or other software for establishing a secure channel. It may not be practical to implement such software in a TEE due to memory constraints; and it may not be desirable to do so for security reasons, given that the security provided by a TEE depends to some extent on TEE software being kept simple and bug-free. This motivates the technique illustrated in the presentation, which does not rely on a secure channel.
The technique requires only one roundtrip, comprising two messages. The TEE generates an ephemeral symmetric key that the key storage service will use to encrypt the data protection key for transmission to the mobile device, and it signs the ephemeral key using the private key component of the digital signature key pair in the device authentication credential. In the first message, the TEE sends the signed key to the service along with the record ID in the credential. The TEE encrypts the first message with a public key of the key storage service, and the service decrypts it with the corresponding private key.
The service uses the record ID to locate the device record, and the public key that it finds in the record to verify the signature on the ephemeral key.
Signing the ephemeral key indirectly authenticates the mobile device, and more precisely the TEE within the device, to the key storage service. The signature tells the service that the ephemeral key originates from the TEE and can be used to encrypt the data protection key for transmission to the TEE. The service encrypts the data protection key and sends it to the TEE, which uses it to decrypt the data protected by virtual tamper resistance.
Instead of storing the public key component of the device authentication credential in the device record, it is possible to only store a hash of the public key. In that case the TEE sends the public key along with the record ID and the signed ephemeral key. This has several advantages: it saves space in the database of device records of the key storage service; it allows the service to verify the signature before accessing the database, which may be a good thing if database access is onerous; and as a matter of defense-in-depth, it might provide protection against a cryptanalytic attack that would exploit a weakness in the digital signature cryptosystem to recover the private key of the device authentication credential from the public key. On the other hand, sending the public key takes up substantial additional bandwidth.
