A Formal Analysis of Authentication in the TPM

The Trusted Platform Module (TPM) is a hardware chip designed to enable commodity computers to achieve greater levels of security than is possible in software alone. To this end, the TPM provides a way to store cryptographic keys and other sensitive data in its shielded memory. Through its API, one can use those keys to achieve some security goals. There are 300 million TPMs currently in existence, mostly in high-end laptops, but now increasingly in desktops and servers. The TPM specification is an industry standard [11] and an ISO/IEC standard [9] (more than 700 pages) coordinated by the Trusted Computing Group. Several papers have appeared describing systems that leverage the TPM to create secure applications, but most of these assume that the TPM API behaves correctly and provides the high-level security properties required [6, 7]. Lower level analyses of the TPM API also exist and several vulnerabilities in the TPM API have been discovered: offline dictionary attacks on the passwords or ‘authdata’ used to secure access to keys [5], attacks exploiting the fact that the same authdata can be shared between users [4], an attacker can also in some circumstances illegitimately obtain a certificate on a TPM key of his choice [8], . . . These attacks highlight the necessity of formal analysis of the API specification. We perform such an analysis in this work, focusing on the mechanisms for authentication and authorisation.