Root of Trust - The foundation of device security

At NDC in Oslo last week, I got the chance to introduce what a Root of Trust is, and some of its pitfalls.
While waiting for the video to come online, 
Edit: if you prefer to read rather than watch, the same material follows, with some additional thoughts:
For modern devices, there is no security without Root of Trust (RoT).
I am carrying around two Roots of Trust: The SIM card in my telephone, which manages my credentials with my telephone operator, and the Root of Trust of the iPhone itself, which is at the foundation of all iOS security.

Your PC has its Trusted Platform Module (TPM), and your hard drive may even have its own.

So what is a Root of Trust?


Imagine a computer as a building.
Starting at the top, we have all the applications. If an application needs to protect some data, such as a password, it will typically ask the OS to protect the password somehow.

In our model, the OS is in the basement, underground, but still in the soft earth (the software).
The OS typically supports some encrypted file store. Great! Our password is stored in an encrypted file. The app is now happy.

But the OS has a problem: It now has the key to the encrypted file. The key needs to be protected.


The OS typically has multiple layers of secure storage, so the password for the encrypted file is stored along with the passwords of other encrypted files... in a new file. Which needs to be encrypted... with a new key.

So is it encrypted files "all the way down"? Of course not: Modern systems, such as smart phones, turn to the Root of Trust, the security foundation which is "dug" into the bedrock - the hardware.

Just like a building foundation in bedrock cannot practically be moved or damaged, even if the soil is washed away, a proper hardware Root of Trust cannot be modified, deleted, or compromised by any software.

So what is in the "foundation"?

A full Root of Trust has:
  • One or more root keys to protect all the keys above, and the mechanism to encrypt and decrypt using those keys. This way, a root key is never exposed to the levels above.
  • One or more root verification keys to verify all signatures above, and the mechanism to verify the signature of the very first step above.
  • A unique identity that cannot be changed.
(Also nice to have: a random number generator for creating keys.)

Software Verification - The most important security tool in device security

You might think that the most important job of a Root of Trust is to keep things secret, as in encryption. But to keep things secret, you first have to know who can read your secrets. In other words, which software is running on your machine. Is there malware on your system?

-How would you know if the app you just downloaded is not malicious?
-Well, Apple checked it before they put it on the app store.
-How can you trust the app store?
-Well, all apps are signed and my OS verified the signature before installing.
...and so it goes all the way down to some master certificate store protected by the RoT.
But...
how do you know the OS is performing the signature verification correctly?
Image: Apple A12 - By Henriok - Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=73008829

The OS itself needs to be trusted. The solution to this is that inside every Apple processor sits a Boot ROM, which cannot be modified by software. When the system boots, the Boot ROM is the first code to run. There is no way to run anything before the Boot ROM (as long as Apple has designed their chip correctly). The Boot ROM verifies the next step, the Low Level Boot. The Low Level Boot cannot start until it has been verified by the Boot ROM!
The Low Level Boot then starts and does the next verification, on iBoot, and eventually the OS itself is verified and loaded. The OS can now be trusted to verify any downloaded apps. This way we have a chain of trust, all the way from the hardware up to the application level.
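To make the chain of trust concrete, here is an added example in Go (not Apple's code, and not part of the talk): a simulated Boot ROM that holds only a root verification key, stages named LLB, iBoot and kernel signed by a hypothetical vendor key, and a boot loop in which each stage refuses to start the next until its signature checks out. The stage images, the stage names as used here and the choice of Ed25519 are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one link of the boot chain: its name, the code image and the
// vendor's signature over that image.
type Stage struct {
	Name string
	Code []byte
	Sig  []byte
}

// SignChain is the vendor side: every image is signed with the private root
// key, which stays with the vendor and is never stored on the device.
func SignChain(priv ed25519.PrivateKey, order []string, images map[string][]byte) []Stage {
	chain := make([]Stage, 0, len(order))
	for _, name := range order {
		chain = append(chain, Stage{name, images[name], ed25519.Sign(priv, images[name])})
	}
	return chain
}

// Boot is the device side. rootKey stands in for the verification key fixed in
// the Boot ROM. Each stage checks its successor before handing over control;
// the first failed check halts the boot, so nothing unverified ever runs.
func Boot(rootKey ed25519.PublicKey, chain []Stage) (started []string, err error) {
	current := "Boot ROM" // the only code that runs without being verified
	for _, next := range chain {
		if !ed25519.Verify(rootKey, next.Code, next.Sig) {
			return started, fmt.Errorf("%s refused to start %s: signature invalid", current, next.Name)
		}
		started = append(started, next.Name)
		current = next.Name
	}
	return started, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	order := []string{"LLB", "iBoot", "kernel"}
	images := map[string][]byte{ // constructed stand-ins for real firmware images
		"LLB": []byte("llb v1"), "iBoot": []byte("iboot v1"), "kernel": []byte("xnu v1"),
	}
	chain := SignChain(priv, order, images)
	fmt.Println(Boot(pub, chain)) // [LLB iBoot kernel] <nil>
	chain[1].Code = append(chain[1].Code, []byte(" modified")...) // iBoot altered on flash
	fmt.Println(Boot(pub, chain)) // [LLB] LLB refused to start iBoot: signature invalid
}
```

Swapping in a different root key makes even the first stage fail, which is the point of fixing that key in hardware: without the matching private key, no replacement image will ever be accepted.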

Can you make a Root of Trust in software?

Allow me to introduce Brugata 5, in the Vaterland district of downtown Oslo (bear with me). Erected sometime between 1870 and 1890, it is a typical building for the period, 4 stories high with a nicely decorated facade (the rear of these buildings is particularly ugly, but that's a whole other story). What is interesting about Brugata 5 and other old buildings in this part of Oslo is the foundation. The ground here is basically old seabed with various debris on top. It's basically mud, with the water table just below the basement, and it's a long way down to bedrock. Much too expensive to dig out with 19th century manual equipment. So what did the builders do?
They built a log raft for the foundation.
Hand drawing of a house with a foundation built on top of an underground log raft.
Yes, a large part of Oslo is floating on underground log rafts. And this worked, for several decades. But if you ever walk around in the Vaterland area, look closely up at the buildings, and you will see what the test of time does to a "software" foundation:

The foundation is clearly not solid anymore, although it still sort of works. The building (along with lots of other buildings like it in Oslo) is still standing, and is considered safe to use by the authorities. But a lot of patching has been done on the "application layer" to compensate for weaknesses in the foundation.

So how does this transfer to a software Root of Trust?

If you want to make a software Root of Trust, you have to compensate for the paradox that software cannot be trusted. This means you have to build yourself a security raft: code that verifies itself, code that is obfuscated, and where all sorts of software security tricks are used to hide data "in plain sight".

Short version: A software Root of Trust should be a last resort, if you have to retrofit security onto a hardware platform where no hardware Root of Trust is available. Do not try to design one yourself, get help!

Things to remember

Management - The secrets in a Root of Trust need to be deployed and managed by someone. For iOS this is clearly Apple; for your SIM it is the phone company.
Do you trust the end user?
The secrets in your phone's Root of Trust do not belong to you, the end user. They belong to Apple.
Apple has to take into account that as an end user, you could be

  • Malicious (you want to steal Apple secrets) 
  • Opportunistic (you want to avoid paying for Apple services)
  • Ignorant or reckless (If you had control of the data in the Root of Trust you could inadvertently leak them to some third party)
Therefore, Root of Trust manufacturers such as Apple do not trust the end user, even when the end user owns the hardware.
You own the device, but you do not own the secrets on the device.
It is paradoxes like this that have historically caused some users to be skeptical of some Roots of Trust, particularly the TPM (Trusted Platform Module) in PCs.

Typical types of Roots of Trust

Trusted Platform Module

The TPM is defined by the Trusted Computing Group, and its main purpose is to secure the boot sequence of the PC.

Custom Roots of Trust for System-on-Chips (SoC)

SoCs designed for a specific purpose, such as TV or set-top-box chips, typically have one or more Roots of Trust designed in. These are used to provide a secure boot sequence, but are also used by DRM systems such as PlayReady or Conax to provide a secure identity and to store the keys and certificates that protect playback licenses.

As previously mentioned, Apple's "A" Processors have a built-in Root of Trust to protect the boot sequence.

Subscriber Identification Modules

Image credit: Telefónica O₂ Europe; scan by User:Mattes (own scan), Public Domain, https://commons.wikimedia.org/w/index.php?curid=18487446
Dating back to the early 90s, SIMs are one of the oldest RoTs in use by consumers. Interestingly, device manufacturers and telcos are leaning towards eSIMs, which are downloadable SIMs. For this to work securely, the operator needs to trust whoever made the eSIM hardware, and therefore the downloadable SIM is no longer the Root, or foundation, since there is another level of trust beneath it.

Third party Roots of Trust

The advent of IoT has caused some security providers, such as the Kudelski group (www.kudelski-iot.com) to provide full IoT security solutions, including Roots of Trust, that can be integrated into devices. These are embedded in hardware (or as protected software RoTs where suitable hardware is not available). Full disclosure: I have previously been employed at the Kudelski Group.

Final words

I believe the Internet of Things will make us more dependent on Roots of Trust than ever before. Since IoT devices are often left alone for months, maybe years at a time, we have to be able to trust the software running on them, and the only way to properly secure this is to have a bootloader mechanism based on a Root of Trust.
