With the pervasive growth of the wireless industry, the emergence of wireless communications devices, which provide multi-functionality, is expected to grow. The smart phone market is in its early stages of adoption and provides many features such as access to corporate information systems (email and intranet access) and connectivity to intern& based services. Many of these features require storage of sensitive corporate and personal information on the device itself. Additionally, the growth of content based services such as digital rights management (DRM) imposes additional requirements on these devices to ensure that the content stored on the device is accessed by authorized users and according to the terms of the content provider. Typically, the content is delivered over a wireless network and may be accessed at times when the connection to the network is not present. Thus, there is a growing need to ensure that the content is being accessed in a trusted manner and in accordance with the usage rules which may include date and time based limits. In order to rely on time based trust mechanisms, an accurate and secure source of time is needed.
In the prior art, the mechanism to validate time information has been through verification by trusted third parties in the case of secure transactions, and through inherent trust in the device capability to supply time information, for resident applications. Recently, trusted computing techniques have appeared in literature and in products under the technical umbrella of the Trusted Computing Group (TCG).
The TCG has defined a Trusted Platform Module (TPM) for carrying out trusted computing operations. The TPM is a microcontroller that stores keys, passwords, performs ciphering and hashing functions, and forms the basis of a root of trust mechanism. It potentially can be used in any computing device or platform that requires these functions, particularly a wireless transmit/receive unit (WTRU). The nature of the TPM ensures that the information stored and processed there is made more secure from external software attack and physical theft. Security processes, such as authentication, signing and key exchange, are protected through the secure TCG subsystem in the TPM. Access to data and secrets in a TPM and the device it resides on could be denied if the boot sequence is not as expected. Critical applications and capabilities such as secure email, secure web access and local protection of data are thereby made much more secure with the TPM.
A TPM can perform several functions useful in carrying out trusted computing and wireless communications. For example, a TPM can secure binding of the TPM to the platform it resides on via the use of endorsement key (EK) and attestation identity keys (AIKs). Additionally, a TPM may secure binding, sealing and signing of data to secure keys protected by the TPM itself. A TPM may also perform privacy-protected authentication and attestation of the platform as well as remote attestation of the state of the platform through comparative verification of the contents of the platform configuration registers (PCRs) and the hash of stored memory logs (SMLs). Finally, a TPM may perform verification, control, and knowledge-transfer of the integrity, or the ‘trustworthiness’, of the platform (on which the TPM sits) and its software (SW), including the boot-up codes, the operating system (OS), drivers and applications.
A platform that has a TPM bound on it can be used to provide many useful “secure” applications. Some of the uses that have been identified by the TCG for a mobile phone with a TPM device on it include: secure boot, device authentication, robust DRM, device personalization, secure software download, mobile ticketing and payment, platform integrity checking and remote attestation, and user data confidentiality and privacy protection. However, some of these potential applications rely on obtaining a secure time from an external secure time component.
FIG. 1 shows a typical architecture for a Secure Time Component (STC). An STC is generally defined as a timing device that can present an unequivocal, non-alterable and non-repudiatable certificate of the current time—also known as a signed time certificate. The STC is also configured to resist external attempts to compromise the device's internal operations, internal records, or the signed time certificate outputs given by the device.
The generation of a valid signed time certificate by an STC is a two step process. First, the STC must produce the signed certificate, and then an outside source must verify the validity of the signed certificate.
The operations of a generic STC to produce a signed certificate are described as follows. First, a request for a signed time certificate is input and buffered into the STC. Next, a cryptographic one-way hash (such as SHA-1, MDS, SHA-256, etc.) is generated from the buffered data. Then the current date and time, preferably in a Universal Time Coordinate (UTC) format is read from a real-time clock (RTC) securely (i.e., In a tamper-evident and/or tamper-resistant way) within the device. Finally, a certificate is generated containing the hash, current date and time, and optionally a device serial number and any other audit logs. The certificate is signed using a private key stored within the device. The signature is appended to the certificate and presented as a combined output. It should be noted that the real-time clock will need an externally provided time re-synchronization input. The Internet Engineering Task Force (IETF) secure Network Time Protocol (NTP) is an example of a well known method whereby such re-synching signals can be distributed and processed over an IP-based network.
Verification of the signed time certificate by an outside ‘verifier’ of the time certificate includes two verification steps. First, the signed time certificate is verified using the device's public key. If the signature does not match, then the certificate is deemed invalid. Second, a hash stored in the certificate is verified by calculating a new hash from the data. If the two hash values do not match, then the verifier can assume that either (1) the certificate does not belong to that particular data file, or (2) the data file has been altered. In either case, the verifier must deem the certificate as being invalid. If both verifications succeed, then the date and time is read from the certificate and assumed to be trustworthy.
The STC itself may be secure, but its output, i.e. the time of the event, will no longer be secure once it is outside the STC. It may, for example, be altered by an unsecured program or tampered while stored in unsecured memory. Therefore, the use of hashing and signing to verify a signed time certificate secures the time information output, after it is provided by the STC. Either symmetric keys or a public-private key pair may be utilized by the secure time component depending upon the application.
One of the most important features of an STC is non-repudiation. A signed time certificate is understood to be an undeniable proof of the date and time that the data was notarized, and the specific secure time device (as identified by its unique serial number, etc.) that was used to perform the time certification.
Several techniques have been proposed in the prior art in order to strengthen the security of the operations of the STC and to ensure the non-repudiation of the time certificate and the ID of the used STC. These techniques include using cryptographic digital signature algorithms, using clocks with software executed in a protected environment, using techniques for tamper resistance to the clock, using clock device identification that is cryptographically protected, protecting HW of keys used in signing the time certificates, and using the secure time servers for re-synching the time on the device clock.
A secure time server is defined herein as a network-based server that, upon request by a client on the network, securely provides a reference time to the requesting client over the network. A secure time server will typically use a secure network-based time synchronization protocol such as the Secure NTP.
Within phones that are compliant with the third generation partnership project (3GPP) standards, the user services identity module (USIM) UICC may provide authentication services to the network or service provider. It would be desirable to combine the platform security functionalities of a TPM, the secure authentication functions of a USIM module, a real time clock (RTC) and time measuring, reporting and stamping software in a secure common package. Further, It would be desirable to improve the 3GPP authentication protocols to include time information and hence provide an opportunity for the local time to be verified or synchronized with the network time.
A similar need for secured time and TPM capabilities exists in DRM devices. The Open Mobile Alliance (OMA) DRM 2.0 specification assumes the existence of a reliable time source that will provide the DRM Time. Practical DRM devices are typically only equipped with inexpensive, real-time clocks which are typically not very accurate, and are not protected or tamper-resistant. Another problem is that the current OMA DRM protocol leaves room for improvements in time-information processing for the DRM application. First, how existing time-related information covered by the DRM application is defined, processed, and communicated with, can be improved. Secondly, there are also areas where new definitions of time-related information can be utilized to enable more reliable and secure DRM processing.
Another problem is that DRM devices that are connected devices have the capability to re-synchronize their local clock, and they will use the resultant DRM time as a reference time supplied by the RI, even though it may have originated from an online certificate status protocol (OCSP) service responder. Since OCSP responders are trusted entities in the OMA DRM schemes, at least these connected DRM devices can re-calibrate their time information correctly. However, even here there are issues. Currently, the OCSP response takes place only when the RI ‘ decides’ that the device's DRM time is not correctly synchronized. If a malignant entity compromises the DRM SW, the RI cannot find out about the compromise in DRM Time on the device, and the OCSP response may not even take place.
Another problem is that clocks within DRM devices could also be synchronized separately from DRM processing. For example the clocks could be synchronized by a communication with a network timing source that is separate from the RI through a time resynchronization protocol such as the IETF NTP. However, although there are securitized network timing protocols, such as the IETF Secure NTP protocol, timing information thus obtained ensuing a secure NTP protocol could subsequently be compromised once it is stored in the DRM device. This can potentially lead to unauthorized use and re-distribution of DRM content.
Another problem is that even if the DRM SW (the DRM UA on the Device, the RI's DRM SW) is secure and uncompromised, other, malicious or compromised SW applications could access such time-related resources or their outputs and mis-use them.
It should be noted here that the problem of “integrity maintenance” of the time information can be somewhat ameliorated by a straightforward use of the prior art of trusted computing techniques. Some work in the prior art has looked at such straightforward application of TPM to general problems of SW integrity checking and permission of the application to run only after the SW's integrity is checked using the TPM. For example, in the context of mobile phone devices there is a possible application of a TPM-equipped mobile phone device to make the DRM application more robust by exploiting TCG techniques, including methods that use the procedure of the ‘TPM sealing’ and the memory ‘blobs’ to securely store DRM-related data, after ROAP protocol processing, using TCG keys, and in TPM and storage areas with key protection.
However, a straightforward application of TCG techniques of the prior art has not addressed methods that specifically and systematically increase the confidentiality and integrity of DRM time on a device that has a TPM, nor any methods securitizing the time information on a RI that is equipped with a TPM.
For all of the above stated reasons, a method for providing secured time functionality to WTRUs or other user devices with, and without, DRM capabilities is needed.