Trust Embedded Computing, Establishing a Root of Trust
As we mentioned earlier, with trusted hardware and graph computing, Trias intends to build a trusted computing ecosystem.
In today’s article, we will introduce trusted computing, including its emergence, definition, basic ideas, key technologies and application scenarios.
As early as 1983, the United States Department of Defense (DOD) established the Trusted Computer System Evaluation Criteria (TCSEC). As a complement to TCSEC, the DOD introduced the Trusted Network Interpretation (TNI) and the Trusted Database Interpretation (TDI) in 1987 and 1991, respectively.
Together these documents constitute the ‘Rainbow Series Information System Security Guidance Document’. It is the earliest set of trusted computing technology documents and marks the emergence of trusted computing.
Because the field continues to develop, there is no fully precise definition of trusted computing.
The first question to answer is ‘what is trusted’.
The IEEE Computer Society Committee on Dependable Computing gives a definition: trusted means that the services provided by the computer system can be demonstrated to be reliable. Trusted computing is a broad term that refers to technologies and proposals for resolving computer security problems through hardware enhancements and associated software modifications. Several major hardware manufacturers and software vendors, collectively known as the Trusted Computing Group (TCG), are cooperating in this venture and have come up with specific plans. The TCG develops and promotes specifications for the protection of computer resources from threats posed by malicious entities without infringing on the rights of end users.
Although the definitions are not exactly the same, they can be summarized as follows:
1) Emphasizing the anticipation of entity behavior;
2) Emphasizing the security and reliability of the system.
In a computer system, the first step is to build a root of trust and then establish a chain of trust from the root of trust to the hardware platform, the operating system and the applications. Trust is thereby extended to the entire computer system, ensuring the credibility of the entire computer system.
Root of trust, Chain of trust:
The root of trust is the basis of a trusted computer system. According to the TCG, a trusted computing platform must contain three roots of trust:
Root of Trust for Measurement (RTM) is the first software that is executed when the platform starts.
Root of Trust for Storage (RTS) is the group of memory called Platform Configuration Registers (PCRs) and the Storage Root Key (SRK) in the Trusted Platform Module (TPM) chip.
Root of Trust for Report (RTR) is the Platform Configuration Registers (PCRs) and the Endorsement Key (EK) in the Trusted Platform Module (TPM) chip.
1. Endorsement key
The endorsement key is a 2048-bit RSA public and private key pair that is created randomly on the chip at manufacture time and cannot be changed. This key is used to allow the execution of secure transactions.
2. Memory curtaining
Memory curtaining extends common memory protection techniques to provide full isolation of sensitive areas of memory — for example, locations containing cryptographic keys. Even the operating system does not have full access to curtained memory. The exact implementation details are vendor specific.
3. Sealed storage
Sealed storage protects private information by binding it to platform configuration information, including the software and hardware used. This means the data can be released only to a particular combination of software and hardware. Sealed storage can be used for DRM enforcement. For example, users who keep a song on their computer that they are not licensed to listen to will not be able to play it.
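How a measured chain of trust feeds sealed storage, as an added example that is not part of the original article: each boot stage is hashed into a PCR with the TPM extend rule, and a secret sealed under one PCR value is withheld after any stage changes. The `SimulatedTPM` class, the stage names and the secret are constructed for illustration and do not model a vendor API.

```python
import hashlib

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    """Fold every boot stage, in order, into one PCR starting from the reset value."""
    pcr = bytes(32)  # PCRs reset to all zeros at power-on
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class SimulatedTPM:
    """Toy model: a sealed secret is released only while the PCR matches."""
    def __init__(self):
        self.pcr = bytes(32)
        self._sealed = {}  # handle -> (PCR value at seal time, secret)

    def boot(self, components):
        self.pcr = measure_chain(components)

    def seal(self, handle: str, secret: bytes):
        self._sealed[handle] = (self.pcr, secret)

    def unseal(self, handle: str) -> bytes:
        expected, secret = self._sealed[handle]
        if expected != self.pcr:
            raise PermissionError("platform configuration changed; secret withheld")
        return secret

# Constructed stand-ins for firmware, bootloader and kernel images.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
MODIFIED_CHAIN = [b"firmware-v1", b"bootloader-modified", b"kernel-v1"]

def demo():
    tpm = SimulatedTPM()
    tpm.boot(GOOD_CHAIN)
    tpm.seal("disk-key", b"s3cret")
    released = tpm.unseal("disk-key")      # same configuration: released
    tpm.boot(MODIFIED_CHAIN)               # one stage differs after reboot
    try:
        tpm.unseal("disk-key")
        blocked = False
    except PermissionError:
        blocked = True
    return released, blocked

if __name__ == "__main__":
    print(demo())
```

Because extend hashes the previous PCR value into the next one, a change in an early stage alters the final value no matter what later stages measure.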
4. Remote attestation
Remote attestation allows changes to the user’s computer to be detected by authorized parties. For example, software companies can identify unauthorized changes to software, including users tampering with their software to circumvent technological protection measures. It works by having the hardware generate a certificate stating what software is currently running. Remote attestation is usually combined with public-key encryption so that the information sent can only be read by the programs that presented and requested the attestation, and not by an eavesdropper.
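The verifier's side of remote attestation, as an added example that is not part of the original article: the attester returns a signed PCR value plus its event log, and the verifier checks the signature over its own nonce, replays the log, and compares each measurement with reference digests. An HMAC key shared with the verifier stands in for the TPM's asymmetric attestation signature, and all names and sample data are constructed.

```python
import hashlib
import hmac

# Assumption: an HMAC key shared with the verifier stands in for the TPM's
# asymmetric attestation signature, which the standard library cannot produce.
AK = b"constructed-attestation-key"

def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR: start at zero, extend with each logged digest in order."""
    pcr = bytes(32)
    for _name, digest in event_log:
        pcr = sha(pcr + digest)
    return pcr

def make_quote(event_log, pcr: bytes, nonce: bytes) -> dict:
    """Attester: sign the verifier's nonce together with the current PCR value."""
    sig = hmac.new(AK, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "sig": sig, "log": list(event_log)}

def verify_quote(quote: dict, nonce: bytes, known_good: dict):
    """Verifier: returns (trusted, reason)."""
    expected = hmac.new(AK, nonce + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "signature invalid or nonce not fresh"
    if replay(quote["log"]) != quote["pcr"]:
        return False, "event log does not reproduce the quoted PCR"
    for name, digest in quote["log"]:
        if known_good.get(name) != digest:
            return False, "unexpected measurement: " + name
    return True, "ok"

# Constructed sample data: reference digests the verifier trusts, and two logs.
KNOWN_GOOD = {"bootloader": sha(b"bootloader-v1"), "game-client": sha(b"client-v1")}
CLEAN_LOG = [("bootloader", sha(b"bootloader-v1")), ("game-client", sha(b"client-v1"))]
PATCHED_LOG = [("bootloader", sha(b"bootloader-v1")), ("game-client", sha(b"client-patched"))]

if __name__ == "__main__":
    nonce = b"constructed-nonce-0001"
    for log in (CLEAN_LOG, PATCHED_LOG):
        print(verify_quote(make_quote(log, replay(log), nonce), nonce, KNOWN_GOOD))
```

With a shared HMAC key the verifier could forge quotes itself; a real deployment relies on a signature from a key that never leaves the TPM.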
At present, trusted computing mainly has the following application scenarios:
1) Digital rights management
Trusted Computing would allow companies to create a digital rights management (DRM) system which would be very hard to circumvent, though not impossible. An example is downloading a music file.
2) Identity protection, which can be achieved by means of authentication certificates to prevent identity theft.
3) Preventing cheating in online games
Trusted Computing could be used to combat cheating in online games. Some players modify their game copy in order to gain unfair advantages in the game; remote attestation, secure I/O and memory curtaining could be used to determine that all players connected to a server were running an unmodified copy of the software.
4) System protection: through digital signatures on software, the operating system can discover applications that contain spyware and protect the system.
5) Data protection: biometric authentication equipment used for identity authentication can use trusted computing technology to ensure data security.
6) Computation results: ensuring that the results returned by participants in a network computing system are not falsified.
In addition to these areas, trusted computing can also be combined with blockchain technology to build a reliable software architecture.
The core of the Leviatom network in Trias, the new-generation public chain, is a heterogeneous consensus graph algorithm (HCGraph). HCGraph is based on heterogeneous Trusted Execution Environments (TEEs) and a small-world network, which are combined to further implement the trusted execution of arbitrary native code.