A Novel Architecture for a Secure Update of Cryptographic Engines on Trusted Platform Module

Sunil Malipatlolla*†, Thomas Feller*†, Abdulhadi Shoufan*‡, Tolga Arul*†, and Sorin A. Huss*†
* Center for Advanced Security Research Darmstadt, CASED, Germany, {sunil.malipatlolla, thomas.feller, tolga.arul}@cased.de
† Integrated Circuits and Systems Lab, Technische Universität Darmstadt, Germany, huss@iss.tu-darmstadt.de
‡ Khalifa University of Science, Technology and Research, Abu Dhabi, UAE, abdulhadi.shoufan@kustar.ac.ae

Abstract—Trusted computing is gaining increasing acceptance in industry and is finding its way into cloud computing. With this penetration, the question arises whether the concept of hard-wired security modules will cope with the increasing sophistication and security requirements of future IT systems and with ever-expanding threats and violations. So far, embedding cryptographic hardware engines into the Trusted Platform Module (TPM) has been regarded as a security feature. However, new developments in cryptanalysis and side-channel analysis, and the emergence of novel powerful computing systems such as quantum computers, can render this approach useless. Given that, the question arises: do we have to throw away all TPMs, and lose the data protected by them, if someday a cryptographic engine on the TPM becomes insecure? To address this question, we present a novel architecture called Sustainable Trusted Platform Module (STPM), which guarantees a secure update of the TPM cryptographic engines without compromising the system's trustworthiness. The STPM architecture has been implemented as a proof-of-concept on a Xilinx Virtex-5 FPGA platform, demonstrating a test case with an update of the fundamental hash engine of the TPM.

Keywords—Field Programmable Gate Arrays, Cryptography, Secure Update, Trusted Platform Module, Trustworthiness

I. INTRODUCTION AND RELATED WORK

Trusted Computing is an emerging technology, developed and promoted by the Trusted Computing Group (TCG), which aims at building trustworthy computing platforms. The Trusted Platform Module (TPM) is one such specification of the TCG; it forms the root of trust while executing critical security functions such as integrity measurement, remote attestation, binding, and sealing. Today's TPMs are microcontroller-based chips with hard-wired engines for various cryptographic schemes such as RSA, SHA-1, and HMAC, as specified in the TPM component architecture by TCG [1]. By using hard-wired cryptographic engines, storing cryptographic root keys in hardware, and being bound to the motherboard, the TPM provides hardware-based security for system artifacts such as data, certificates, passwords, and other cryptographic keys. For example, in a personal computer (PC) without a TPM, encrypted data and the encryption keys are usually stored on the same hard drive. In contrast, a TPM-based PC stores the encryption keys on the TPM and prevents unauthorized access to the data. Although the TPM is predominantly used in workstations and servers [2], some approaches already exist to map the specification to embedded systems, reconfigurable architectures, and mobile devices [3]–[5]. TCG also publishes platform-specific profiles, which serve as a common yardstick for evaluating devices that incorporate TCG technology.

[Fig. 1: Conventional TPM Architecture. Blocks shown: Cryptographic Engines (Key Generator, RSA Engine, SHA-1 Engine, HMAC Engine, RNG), Cryptographic Memory Units (Non-Volatile Storage, e.g. EK, AIK; Volatile Storage, e.g. PCRs), I/O Block, Execution Engine (CPU), RAM, ROM, Opt-in.]

Threats to TPM. It is well known that cryptographic schemes, including those embedded in TPMs, have always been subject to persistent cryptanalysis and, more recently, to side-channel analysis, either by malicious attackers or by the research community. For instance, Wang et al. [6] presented collision search attacks on the SHA-1 algorithm, and Finke et al. [7] conducted a side-channel attack on the RSA key generator. Further, in [8], Bruschi et al. presented a replay attack during the execution of the TPM authorization protocol that compromises the correct behavior of the trusted platform. Also, Sadeghi et al. tested several TPM chips for compliance with the TCG specifications and found weaknesses in those chips, as described in [9]. Considering these and other threats and violations, and following the general recommendation regarding the necessity of updating cryptographic algorithms, e.g., as published by NIST [10], the idea of hard-wiring the TPM security engines has come into question. This can be seen from the specification of the next-generation TPM (called TPM.next) by TCG, which allows the replacement of cryptographic algorithms in case

978-1-4577-1740-6/11/$26.00 © 2011 IEEE
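The introduction names integrity measurement and sealing as the TPM functions built on the hash engine, and the abstract's test case replaces that engine. The following runnable model, added here as an illustration and not taken from the paper or from any TPM implementation, shows how PCR extend chains measurements, how sealed data is bound to a PCR composite, and why a sealed blob created under SHA-1 no longer opens once the same boot is measured with SHA-256. The measurement log is constructed, and the seal format (an HMAC-derived wrapping key under a chip-resident root secret, a SHAKE-256 keystream and an HMAC tag) is this example's own simplification of what a real TPM does under its Storage Root Key.

```python
"""Integrity measurement, PCR extend and sealing as a runnable toy model.
Added example; not code from the paper. The log and the seal format are
assumptions of this example, not the TPM specification's own encoding."""
import hashlib
import hmac
import secrets

# Constructed boot-time measurement log: (PCR index, measured event data).
MEASUREMENT_LOG = [
    (0, b"BIOS v1.0"),
    (0, b"Option ROM: NIC"),
    (4, b"MBR boot loader"),
    (8, b"kernel image"),
]


def pcr_extend(pcr: bytes, measurement: bytes, algo: str = "sha1") -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(measurement)).
    One-way and order-dependent, so a PCR cannot be rolled back."""
    h = hashlib.new(algo)
    h.update(pcr)
    h.update(hashlib.new(algo, measurement).digest())
    return h.digest()


def replay_log(log, algo: str = "sha1", num_pcrs: int = 24) -> list:
    """Recompute every PCR from a log, as an attestation verifier would."""
    pcrs = [bytes(hashlib.new(algo).digest_size)] * num_pcrs  # reset state
    for idx, data in log:
        pcrs[idx] = pcr_extend(pcrs[idx], data, algo)
    return pcrs


def pcr_composite(pcrs, selection, algo: str = "sha1") -> bytes:
    """Digest over the selected PCRs; sealed data is bound to this value."""
    h = hashlib.new(algo)
    for i in sorted(selection):
        h.update(pcrs[i])
    return h.digest()


class ToyTPM:
    """PCR bank plus a chip-resident root secret that never leaves the chip."""

    def __init__(self, algo: str = "sha1", srk: bytes = None):
        self.algo = algo
        self.pcrs = [bytes(hashlib.new(algo).digest_size)] * 24
        self.srk = srk or secrets.token_bytes(32)

    def extend(self, idx: int, data: bytes) -> None:
        self.pcrs[idx] = pcr_extend(self.pcrs[idx], data, self.algo)

    def _kek(self, nonce: bytes, selection) -> bytes:
        # Wrapping key depends on the root secret AND the current PCR state.
        comp = pcr_composite(self.pcrs, selection, self.algo)
        return hmac.new(self.srk, nonce + comp, "sha256").digest()

    def seal(self, secret: bytes, selection) -> dict:
        nonce = secrets.token_bytes(16)  # fresh per seal: no keystream reuse
        kek = self._kek(nonce, selection)
        stream = hashlib.shake_256(kek).digest(len(secret))
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(kek, ct, "sha256").digest()
        return {"nonce": nonce, "selection": tuple(selection), "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        kek = self._kek(blob["nonce"], blob["selection"])
        tag = hmac.new(kek, blob["ct"], "sha256").digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("current PCR state does not match sealed policy")
        stream = hashlib.shake_256(kek).digest(len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def try_unseal(tpm: ToyTPM, blob: dict):
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


def demo() -> dict:
    secret = b"disk-encryption-key"
    srk = secrets.token_bytes(32)
    # Boot 1: trusted chain measured; secret sealed to PCRs 0, 4 and 8.
    good = ToyTPM("sha1", srk)
    for idx, data in MEASUREMENT_LOG:
        good.extend(idx, data)
    blob = good.seal(secret, [0, 4, 8])
    # Boot 2: boot loader replaced, so PCR 4 diverges and unseal fails.
    tampered = ToyTPM("sha1", srk)
    for idx, data in MEASUREMENT_LOG:
        tampered.extend(idx, b"patched boot loader" if idx == 4 else data)
    # Boot 3: same chip and log, hash engine now SHA-256. PCR values and the
    # composite change, so the SHA-1 blob must be resealed (this model's
    # observation, not a statement about STPM's migration procedure).
    upgraded = ToyTPM("sha256", srk)
    for idx, data in MEASUREMENT_LOG:
        upgraded.extend(idx, data)
    new_blob = upgraded.seal(secret, [0, 4, 8])
    return {
        "unseal_ok": good.unseal(blob),
        "tampered_rejected": try_unseal(tampered, blob) is None,
        "old_blob_after_update_rejected": try_unseal(upgraded, blob) is None,
        "resealed_ok": upgraded.unseal(new_blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the third boot is that a hash-engine update is not transparent to stored state: every value that depends on the old digest (PCRs, composites, sealed blobs, measurement logs kept for attestation) must be re-derived under the new engine while the old one is still trusted.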