This thesis deals with the analysis and design of trusted computing platforms. Trusted computing technology is a relatively new enabling technology to improve the trustworthiness of computing platforms. With minor changes to the boot process and the addition of a new hardware security component, called TPM (Trusted Platform Module), trusted computing platforms offer the possibility to verifiably report their integrity to external parties (i.e., remote attestation) and to bind information to a specific platform (i.e., sealed storage).
The first part of this thesis mainly focuses on the analysis of existing trusted computing platforms. We analyze the functionality provided by the specifications of the TCG (Trusted Computing Group) and purely software-based alternatives. Based on this analysis we present an improvement to a software-based attestation scheme: we propose to measure the execution time of a memory checksum function locally (with the time stamping functionality of the TPM) instead of remotely (over the network).
We also study the resilience of trusted computing platforms against hardware attacks. We describe how attacks on the communication interface of the TPM can circumvent the measured boot process. The feasibility of these attacks is investigated in practice. Additionally we explore which operations should be targeted with a side channel attack to extracts the secret keys of a TPM.
The second part of this thesis addresses some of the challenges to implement trusted computing technology on embedded and reconfigurable devices. One of the main problems when integrating a TPM into a system-on-chip design, is the lack of on-chip reprogrammable non volatile memory. We develop schemes to securely externalize the non-volatile storage of a TPM. One scheme relies a new security primitive, called a reconfigurable physical unclonable function, and another extends the security perimeter of the TPM to the external memory with a cryptographic protocol.
We propose a new architecture to reset the trust boundary to a much smaller scale, thus allowing for simpler and more flexible TPM implementations. The architecture has two distinctive features: the program code is stored outside the coprocessor and only gets loaded in RAM memory when needed, and the architecture is open by allowing to execute arbitrary programs in remotely verifiable manner.
Finally, we study how the TPM can be implemented securely on reconfigurable hardware. This type of implementation is beneficial because it allows for updates of the software as well as of the hardware of the TPM (e.g., the cryptographic coprocessor) in the field. We examine the implementation options on reconfigurable hardware that is currently available commercially. Next, we propose a novel architecture that can measure and report the integrity of configuration bitstreams.