Facilitating the Use of TPM Technologies through S&D Patterns

Sigrid Gürgens, Carsten Rudolph
Fraunhofer Institute for Secure Information Technology SIT
Rheinstrasse 75, 64295 Darmstadt, Germany
{guergens,rudolphc}@sit.fraunhofer.de

Antonio Maña, Antonio Muñoz
Computer Science Department, University of Málaga, Spain
{amg,anto}@lcc.uma.es

Abstract

Trusted platform modules (TPMs) can provide a variety of security functionalities. However, the TPM specification is highly complex, and the deployment of TPM-based solutions is a difficult and delicate task. In this paper we propose the use of security patterns to specify TPM-based security solutions. The refined notion of security patterns developed in the SERENITY research project allows us to produce precise specifications of TPM-based solutions for particular security goals. This approach makes TPM technology available to system engineers without in-depth knowledge of trusted computing specifications.

1 Introduction

Security patterns have successfully been used to describe security solutions in a way that makes these solutions available to system engineers who are not experts in security engineering [1, 2, 5, 6, 7, 8, 10]. Such security patterns are usually described informally, either in plain text or in semi-formal languages enhanced with graphical visualisations. Recently, in the SERENITY research project [9], the notion of security patterns was extended to exact specifications of re-usable security mechanisms for AmI (ambient intelligence) systems. These security patterns also include information on the properties satisfied by the solution and on the context conditions that must be fulfilled.

This type of security pattern has proven particularly useful for describing security solutions that rely on the trusted platform module (TPM) as specified by the Trusted Computing Group [3]. Given the complexity of the TPM standard, only experts on trusted computing are able to develop TPM-based solutions for any non-trivial requirement. Therefore, one way to make TPM-based solutions available for wide-scale use in software development is to describe re-usable solutions in terms of security patterns. High-level patterns written in plain text are less suitable, because most of the complexity lies in the choice of TPM commands and in the details of the calls for a particular security service.

This paper uses a relatively simple example of a TPM-based security solution to demonstrate and motivate the refined notion of security patterns developed in SERENITY. More complex security patterns based on TPM technology are developed in SERENITY; among others, solutions are explored that use certified migration keys to control the migration of data between a set of platforms.

2 An example

Let us consider the following scenario. A medical centre takes care of some of its patients who, although not yet completely cured, can live at home. Consider patient Bob who, after being visited by a doctor, needs assistance in obtaining medication the doctor has prescribed. The doctor issues an electronic prescription and sends it to the medical centre. There, the social worker Alison takes over the actual task of collecting the medication from a pharmacy and delivering it to Bob. For this, the electronic prescription is stored on Alison's PDA (we use the term personal digital assistant (PDA) to denote any type of portable device suitable for the tasks described in the scenario), and the PDA is then connected to the pharmacy's PC in order to transfer the prescription.

Patient data needs to be confidential: only authorized persons are allowed to access it. In our example only the issuing doctor, some staff of the medical centre, Alison and the pharmacist are allowed to access Bob's prescription. For data transfer via the Internet, various mechanisms are in place today to protect data confidentiality. However, the requirement also has to be met in the case where Alison loses her PDA, or has it stolen, along with Bob's prescription. Possible mechanisms to protect the confidentiality of data stored on a device are