1 00:00:02,300 --> 00:00:07,100 How should we then store the key? How to generate the keys?
2 00:00:07,130 --> 00:00:08,490 There are two problems.
3 00:00:10,520 --> 00:00:18,770 The first problem is randomness and the second is the secure storage of keys. When speaking of TPM modules,
4 00:00:18,920 --> 00:00:20,930 let's imagine them as smart cards.
5 00:00:23,000 --> 00:00:31,150 Why are smart cards called smart? What tasks do smart cards fulfill? They store the key.
6 00:00:31,150 --> 00:00:35,010 However, the key can safely be stored on a floppy disk or a flash drive.
7 00:00:36,410 --> 00:00:41,290 Smart cards which simply store keys are certainly not smart.
8 00:00:41,310 --> 00:00:43,430 These are definitely dumb cards.
9 00:00:45,050 --> 00:00:49,920 You can also buy them, and in the past they were extremely popular since they were fairly cheap.
10 00:00:51,250 --> 00:00:56,230 The intelligence of the cards depends on the fact that they not only store the key but also protect it
11 00:00:56,670 --> 00:00:59,070 by not making it available on the outside.
12 00:01:01,490 --> 00:01:06,830 This card is to generate that key; otherwise it would have to download it from the outside, which it shouldn't
13 00:01:06,830 --> 00:01:07,480 do.
14 00:01:09,010 --> 00:01:17,470 In addition to this, it must also carry out operations using this key, for example decrypt data.
15 00:01:17,480 --> 00:01:22,910 It does this so that the key would never have to be made available on the outside. If it fulfills these
16 00:01:22,910 --> 00:01:23,720 conditions,
17 00:01:23,870 --> 00:01:27,450 we can say that it is a smart card.
18 00:01:27,460 --> 00:01:32,080 The problem is, however, that this is quite simple and it should be a fairly cheap device.
19 00:01:32,730 --> 00:01:36,080 To ecard may try to physically get the data or destroy it.
20 00:01:38,090 --> 00:01:43,350 These types of attacks are confirmed and have occurred many times.
21 00:01:43,460 --> 00:01:45,740 Bearing in mind what we said about smartcards,
22 00:01:45,950 --> 00:01:53,480 let's look at the TPM module. TPM modules example seen above where standard equipment and most likely
23 00:01:53,510 --> 00:02:00,790 all contemporary portable computers and servers.
24 00:02:00,980 --> 00:02:05,180 The task of the TPM modules is implementing certain algorithms.
25 00:02:05,220 --> 00:02:11,100 There are different algorithms according to the manufacturer and type of module.
26 00:02:11,110 --> 00:02:17,720 In addition, these modules generate and safely store keys; de facto they do the same as smartcards, but we did
27 00:02:17,720 --> 00:02:22,110 not connect them to the computer from the outside because they're soldered to the board.
28 00:02:23,400 --> 00:02:29,260 They're relatively safe. Of course, you can try to remove the housing of the TPM module and connect
29 00:02:29,260 --> 00:02:38,200 a probe directly to its modules, conducting an analysis of performance time and power.
30 00:02:38,440 --> 00:02:44,110 The TPM module in BitLocker is not used only to generate and store keys but also to verify the integrity
31 00:02:44,110 --> 00:02:47,070 of the computer.
32 00:02:47,080 --> 00:02:53,410 The point is that the TPM module calculates the signature of the computer's process registers.
33 00:02:53,530 --> 00:03:00,450 The first thing the computer launches is the old BIOS system. This system saves certain information in
34 00:03:00,450 --> 00:03:01,950 storage registers.
35 00:03:02,250 --> 00:03:03,830 We'll take a look at that in a moment.
36 00:03:06,310 --> 00:03:12,250 The TPM module reads this information; it compares its hash to the hash that was previously saved.
37 00:03:12,250 --> 00:03:17,590 This means that a change to the integrity of the computer, for example a connection to a new hard disk
38 00:03:17,980 --> 00:03:23,720 or even a connection to a USB drive, will cause that the integrity of the computer will not be confirmed;
39 00:03:26,390 --> 00:03:30,000 the checksum will not agree.
40 00:03:30,000 --> 00:03:35,340 This means for the TPM module that the BitLocker key stored on it is to be blocked and not made available
41 00:03:35,340 --> 00:03:43,940 to the outside.
42 00:03:43,940 --> 00:03:52,550 Let's take a look then at which storage registers are used by BitLocker. Registers 4, 8, 9, 10 and 11 are
43 00:03:52,550 --> 00:03:54,910 used by default.
44 00:03:54,980 --> 00:04:02,310 We can also ask for an additional check of the runtime registers. We can, for example, check the raw memory
45 00:04:02,310 --> 00:04:06,790 register, then risk that in the event of any changes of the memory
46 00:04:06,790 --> 00:04:11,980 the checksum will not agree.
47 00:04:12,020 --> 00:04:18,260 We can also check the runtime register connected with the BIOS system. This in turn would cause a situation
48 00:04:18,260 --> 00:04:24,020 that when we want to update the BIOS system we would first have to turn off the BitLocker encryption.
49 00:04:24,020 --> 00:04:31,120 If we do not, we don't encrypt the disk.
50 00:04:31,220 --> 00:04:37,590 We have some information which clearly confirms the authenticity and integrity of the computer. It checks
51 00:04:37,590 --> 00:04:39,480 whether or not it's the same computer,
52 00:04:39,720 --> 00:04:46,290 if it's trying to run it from a CD or a USB drive, if someone has not connected a disk drive to it, or
53 00:04:46,290 --> 00:04:50,050 whether someone has taken out a disk and connected it to another computer.
54 00:04:50,550 --> 00:04:54,960 As we mentioned, this information is vital to make a decision on whether or not the keys stored in the
55 00:04:54,960 --> 00:04:56,940 TPM module will be decrypted.
56 00:05:02,250 --> 00:05:04,570 Let's now look at the keys in their hierarchy.
57 00:05:06,160 --> 00:05:10,810 We already know that encryption consists of encrypting individual disk sectors.
58 00:05:10,810 --> 00:05:14,680 The AES algorithm operating in CBC mode.
59 00:05:14,680 --> 00:05:18,940 This is a mode in which the encryption key to the next sector is derived from the previous encrypted
60 00:05:18,940 --> 00:05:19,670 sector.
61 00:05:22,790 --> 00:05:26,630 Encrypted data are diffused by Elephant.
62 00:05:26,650 --> 00:05:28,070 Let's go to keys now.
63 00:05:29,690 --> 00:05:32,100 We have this storage root key.
64 00:05:32,120 --> 00:05:37,600 It's called SRK. It's safely stored in the TPM module.
65 00:05:38,330 --> 00:05:48,220 The volume master key, VMK, is encrypted using SRK. The VMK protects BitLocker's full volume encryption
66 00:05:48,220 --> 00:05:53,800 key, FVEK.
67 00:05:53,820 --> 00:05:58,320 The point is that we need to be able to change the key without having to decrypt the entire disk with
68 00:05:58,320 --> 00:06:01,030 the old key and re-encrypt it with the new key.
69 00:06:03,860 --> 00:06:05,660 For such a solution to be possible,
70 00:06:05,690 --> 00:06:12,680 there must be an intermediate element. We'll be able to decrypt with an intermediate key and encrypt
71 00:06:12,680 --> 00:06:14,710 with the new key.
72 00:06:14,710 --> 00:06:19,640 This, however, will continue to be the same intermediate key which will decrypt the entire disk.
73 00:06:21,740 --> 00:06:27,730 Enabling and disabling BitLocker can be done very fast regardless of how the disk is protected.
74 00:06:30,940 --> 00:06:38,470 Additionally, a copy of the VMK is password protected, which we must provide when enabling BitLocker.
75 00:06:38,470 --> 00:06:44,890 If something terrible happened to our TPM module, we need to be able to return to our data. At this point
76 00:06:44,900 --> 00:06:49,400 we can open the VMK with a password which we have saved or printed.
77 00:06:53,400 --> 00:06:57,860 The VMK can additionally be protected by a smartcard.
78 00:06:57,960 --> 00:07:00,670 Then you need to connect it when turning on your computer.
79 00:07:04,100 --> 00:07:10,370 Protection of the VMK may also be a combination of all these modes.
80 00:07:10,400 --> 00:07:15,080 The most commonly used mode though is the TPM module. In this mode
81 00:07:15,100 --> 00:07:17,710 the mechanism of action is as follows.
82 00:07:19,220 --> 00:07:23,690 The BIOS system records the values of the PCR registers.
83 00:07:23,710 --> 00:07:25,420 It does this every time it's run.
84 00:07:28,070 --> 00:07:37,040 Based on selected PCR registers the SRK key is generated. If the key is valid, if the checksum was correct,
85 00:07:37,670 --> 00:07:40,150 it allows decrypting of the volume master key.
86 00:07:41,790 --> 00:07:46,660 In turn this key decrypts the key already saved on the disk.
87 00:07:48,390 --> 00:07:52,790 The FVEK key is the primary key which allows decrypting other disk sectors.