On the Root of Trust Identification Problem

TL;DR

This paper introduces a biometric-based protocol for securely identifying the root of trust in physical devices, addressing challenges posed by local and cuckoo adversaries, and demonstrates its feasibility through a prototype.

Contribution

It formalizes the RTI problem, proposes a novel biometric challenge protocol, and extends it with a proxy RTI mechanism for remote verification.

Findings

The protocol is secure against local and cuckoo adversaries.

Prototype implementation confirms practicality and feasibility.

The approach does not require biometric enrollment or persistent storage.

Abstract

Root of Trust Identification (RTI) refers to determining whether a given security service or task is being performed by the particular root of trust (e.g., a TEE) within a specific physical device. Despite its importance, this problem has been mostly overlooked. We formalize the RTI problem and argue that security of RTI protocols is especially challenging due to local adversaries, cuckoo adversaries, and the combination thereof. To cope with this problem we propose a simple and effective protocol based on biometrics. Unlike biometric-based user authentication, our approach is not concerned with verifying user identity, and requires neither pre-enrollment nor persistent storage for biometric templates. Instead, it takes advantage of the difficulty of cloning a biometric in real-time to securely identify the root of trust of a given physical device, by using the biometric as a challenge. Security of the proposed protocol is analyzed in the combined Local and Cuckoo adversarial model. Also, a prototype implementation is used to demonstrate the protocol's feasibility and practicality. We further propose a Proxy RTI protocol, wherein a previously identified RoT assists a remote verifier in identifying new RoTs.