The TPM 2.0 specification has been designed to support a new family of Elliptic Curve (EC) based Direct Anonymous Attestation (DAA) protocols. DAA protocols are limited to anonymous or pseudonymous attestations, but often a more flexible attestation is needed, for instance attesting that the platform is a certain model from a certain vendor. Such an attestation would require binding the attributes “model” and “vendor” to the TPM.
The Trusted Platform Module (TPM) is an international standard for a security chip that can be used for the management of cryptographic keys and for remote attestation. The specification of the most recent TPM 2.0 interfaces for direct anonymous attestation unfortunately has a number of severe shortcomings. First of all, they do not allow for security proofs (indeed, the published proofs are incorrect). Second, they provide a Diffie-Hellman oracle w.r.t. the secret key of the TPM, weakening the security and preventing forward anonymity of attestations. Fixes to these problems have been proposed, but they create new issues: they enable a fraudulent TPM to encode information into an attestation signature, which could be used to break anonymity or to leak the secret key. Furthermore, all proposed ways to remove the Diffie-Hellman oracle either strongly limit the functionality of the TPM or would require significant changes to the TPM 2.0 interfaces. In this paper we provide a better specification of the TPM 2.0 interfaces that addresses these problems and requires only minimal changes to the current TPM 2.0 commands. We then show how to use the revised interfaces to build q-SDH- and LRSW-based anonymous attestation schemes, and prove their security. We finally discuss how to obtain other schemes addressing different use cases such as key-binding for U-Prove and e-cash.
In a method for providing response data within a location-based service (20), a requester (10) extracts, from provided location information (32), request location information that defines the request in terms of location. The requester (10) further links the request location information with request offer information (AAS), which defines the request with respect to the requested offer, to form a request data record (24). The request data record (24) is then sent to a request recipient (20). The request recipient (20), which holds the offer information (22) only in encrypted form, searches the offer information (22) on the basis of the request data record (20) received from the requester (10). Any results of this search are provided by the request recipient (20) to the requester (10) as response data to the request (T5).
The invention provides a method for authenticating an electronic authentication token (10) to a verification system (20). Each authentication token contains data groups and an individual secret cryptographic parameter (x1). The data groups are divided into published (D) and secret (U) data groups. The published data groups are transmitted to the verification system (20). The data groups (DG1, ... DGn) are authenticated by means of a zero-knowledge proof, without the secret data groups themselves, or any information that allows conclusions to be drawn about them, being transmitted to the verification system (20). The public cryptographic parameter (y) is identical for a plurality of authentication tokens, so that, within this plurality, authentication tokens containing identical published data groups are indistinguishable from one another to the verification system (20).
The invention relates to a system comprising at least one terminal (1) and a plurality of portable data carriers (2, 3) which, within a contactless communication with the terminal (1), are individually addressable and execute commands transmitted by the terminal (1). The distinguishing feature of the system according to the invention is that the communication between the terminal (1) and the portable data carriers (2, 3) is at least temporarily designed as parallel communication, according to which, even before a command transmitted by the terminal (1) has been completely executed by a first portable data carrier (2), a further command is sent by the terminal (1) to a second portable data carrier (3).
The invention relates to a method for accessing a machine-readable document (E), in particular an electronic document containing an identification data item (ID), by a reader (L). A token (T) in communication with the reader (L) performs an authentication process with respect to the electronic document (E) via the reader (L). After successful authentication of the document (E), the token (T) reads the identification data item (ID) of the document (E) by means of the reader, or causes the reader (L) to read it out. The token (T) checks whether the read-out identification data (ID) matches reference data (RD) stored in the token (T). If the identification data (ID) and the reference data (RD) match, the token (T) permits a readout of data from the document (E) via the reader (L), or reads the data itself. If the identification data (ID) and the reference data (RD) do not match, the token (T) prevents the reading of data ...
A system comprising at least one terminal (1) and a plurality of portable data carriers (2, 3) which, within a contactless communication with the terminal (1), are individually addressable and execute commands transmitted by the terminal (1), characterized in that the communication between the terminal (1) and the portable data carriers (2, 3) is at least temporarily designed as parallel communication, according to which, even before a command transmitted by the terminal (1) has been completely executed by a first portable data carrier (2), a further command is sent by the terminal (1) to a second portable data carrier (3).
By combining the CA protocol with the RI protocol, a pseudonymous Diffie-Hellman protocol is provided. According to the invention, the determination of the pseudonym from the RI protocol and the establishment of the secure communication channel from the CA protocol take place essentially in parallel. According to the invention, a group key is also used for the CA part of the protocol. Owing to the design of the protocol according to the invention, and in contrast to known protocols, an attacker who manages to determine the group key of a portable data carrier according to the invention is not able to generate the pseudonym of another user.
2017 IEEE Symposium on Security and Privacy (SP), 2017
The Trusted Platform Module (TPM) is an international standard for a security chip that can be used for the management of cryptographic keys and for remote attestation. The specification of the most recent TPM 2.0 interfaces for direct anonymous attestation unfortunately has a number of severe shortcomings. First of all, they do not allow for security proofs (indeed, the published proofs are incorrect). Second, they provide a Diffie-Hellman oracle w.r.t. the secret key of the TPM, weakening the security and preventing forward anonymity of attestations. Fixes to these problems have been proposed, but they create new issues: they enable a fraudulent TPM to encode information into an attestation signature, which could be used to break anonymity or to leak the secret key. Furthermore, all proposed ways to remove the Diffie-Hellman oracle either strongly limit the functionality of the TPM or would require significant changes to the TPM 2.0 interfaces. In this paper we provide a better specification of the TPM 2.0 interfaces that addresses these problems and requires only minimal changes to the current TPM 2.0 commands. We then show how to use the revised interfaces to build q-SDH- and LRSW-based anonymous attestation schemes, and prove their security. We finally discuss how to obtain other schemes addressing different use cases such as key-binding for U-Prove and e-cash.
The TPM 2.0 specification has been designed to support a number of Elliptic Curve Cryptographic (ECC) primitives, such as key exchange, digital signatures and Direct Anonymous Attestation (DAA). In order to meet the requirement that different TPM users may favor different cryptographic algorithms, each primitive can be implemented from multiple algorithms. This feature is called Algorithm Agility. For the purpose of performance efficiency, multiple algorithms share a small set of TPM commands. In this paper, we review all the TPM 2.0 ECC functionalities, and discuss whether the existing TPM commands can be used to implement new cryptographic algorithms which have not yet been addressed in the specification. We demonstrate that four asymmetric encryption schemes specified in ISO/IEC 18033-2 can be implemented using a TPM 2.0 chip, and we also show, for some ECDSA variants, that the coverage of algorithm agility in TPM 2.0 is limited. Security analysis of algorithm agility is a challenge that this paper does not address. However, we believe that this paper will help future researchers analyze TPM 2.0 in more comprehensive ways than has been done so far.
Papers by Rainer Urian